| author | Filippo Valsorda <filippo@golang.org> | 2019-08-27 17:27:45 -0400 |
|---|---|---|
| committer | Filippo Valsorda <filippo@golang.org> | 2019-08-27 22:24:05 +0000 |
| commit | ffcb678f47bfd30de182320b6d057ca4428e976d (patch) | |
| tree | e2b372a8d718ba9d1211c3fdfa1286a938342027 /src/crypto/tls/handshake_server.go | |
| parent | 52ae04fdfc66664b327a4cb4057e339f132de8f9 (diff) | |
crypto/tls: remove SSLv3 support
SSLv3 has been irreparably broken since the POODLE attack 5 years ago
and RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use
in no uncertain terms.
As announced in the Go 1.13 release notes, remove support for it
entirely in Go 1.14.
Updates #32716
Change-Id: Id653557961d8f75f484a01e6afd2e104a4ccceaf
Reviewed-on: https://go-review.googlesource.com/c/go/+/191976
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat (limited to 'src/crypto/tls/handshake_server.go')
| -rw-r--r-- | src/crypto/tls/handshake_server.go | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index a3d8848caf..c6c40b360a 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -157,7 +157,7 @@ func (c *Conn) readClientHello() (*clientHelloMsg, error) {
 if len(clientHello.supportedVersions) == 0 {
 clientVersions = supportedVersionsFromMax(clientHello.vers)
 }
- c.vers, ok = c.config.mutualVersion(false, clientVersions)
+ c.vers, ok = c.config.mutualVersion(clientVersions)
 if !ok {
 c.sendAlert(alertProtocolVersion)
 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
@@ -213,7 +213,7 @@ Curves:
 hs.hello.random = make([]byte, 32)
 serverRandom := hs.hello.random
 // Downgrade protection canaries. See RFC 8446, Section 4.1.3.
- maxVers := c.config.maxSupportedVersion(false)
+ maxVers := c.config.maxSupportedVersion()
 if maxVers >= VersionTLS12 && c.vers < maxVers {
 if c.vers == VersionTLS12 {
 copy(serverRandom[24:], downgradeCanaryTLS12)
@@ -316,7 +316,7 @@ func (hs *serverHandshakeState) pickCipherSuite() error {
 for _, id := range hs.clientHello.cipherSuites {
 if id == TLS_FALLBACK_SCSV {
 // The client is doing a fallback connection. See RFC 7507.
- if hs.clientHello.vers < c.config.maxSupportedVersion(false) {
+ if hs.clientHello.vers < c.config.maxSupportedVersion() {
 c.sendAlert(alertInappropriateFallback)
 return errors.New("tls: client using inappropriate protocol fallback")
 } |
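Review bot: The error on the `!ok` path of the first hunk (readClientHello) reports `clientVersions`, which for a client without the supported_versions extension is the output of `supportedVersionsFromMax(clientHello.vers)`, not the version the client actually sent. That helper is not shown here, but if it filters against the locally supported list, an SSLv3-only client will now be logged as offering an empty list, hiding the one detail an operator needs to identify legacy clients after this removal. Consider carrying the raw field in the message, for example `return nil, fmt.Errorf("tls: client offered only unsupported versions: %x (legacy version %#04x)", clientVersions, clientHello.vers)`. readClientHello starts and ends outside the hunk, so check whether the version is already recorded elsewhere in the function.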
