| author | Filippo Valsorda <filippo@golang.org> | 2025-03-15 15:12:39 +0100 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2025-05-21 15:09:29 -0700 |
| commit | 59211acb5dbde14647e025eb7379675debcf3930 (patch) | |
| tree | db98ad31b32d59f381e701cadda32590233d096c /src/internal | |
| parent | 4158ca8d7c521aee5cc48f285f559e74845e973c (diff) | |
crypto/tls: disable SHA-1 signature algorithms in TLS 1.2
This implements RFC 9155 by removing support for SHA-1 algorithms:
- we don't advertise them in ClientHello and CertificateRequest
(where supportedSignatureAlgorithms is used directly)
- we don't select them in our ServerKeyExchange and CertificateVerify
(where supportedSignatureAlgorithms filters signatureSchemesForCertificate)
- we reject them in the peer's ServerKeyExchange and CertificateVerify
(where we check against the algorithms we advertised in ClientHello
and CertificateRequest)
Fixes #72883
Change-Id: I6a6a4656e2aafd2c38cdd32090d3d8a9a8047818
Reviewed-on: https://go-review.googlesource.com/c/go/+/658216
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Diffstat (limited to 'src/internal')
| -rw-r--r-- | src/internal/godebugs/godebugs_test.go | 3 | ||||
| -rw-r--r-- | src/internal/godebugs/table.go | 1 |
2 files changed, 3 insertions, 1 deletions
diff --git a/src/internal/godebugs/godebugs_test.go b/src/internal/godebugs/godebugs_test.go
index 046193b5c6..168acc134a 100644
--- a/src/internal/godebugs/godebugs_test.go
+++ b/src/internal/godebugs/godebugs_test.go
@@ -46,7 +46,8 @@ func TestAll(t *testing.T) {
 if info.Old != "" && info.Changed == 0 {
 t.Errorf("Name=%s has Old, missing Changed", info.Name)
 }
- if !strings.Contains(doc, "`"+info.Name+"`") {
+ if !strings.Contains(doc, "`"+info.Name+"`") &&
+ !strings.Contains(doc, "`"+info.Name+"=") {
 t.Errorf("Name=%s not documented in doc/godebug.md", info.Name)
 }
 if !info.Opaque && !incs[info.Name] {
diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
index d7d3f430cd..29539b2f38 100644
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@@ -62,6 +62,7 @@ var All = []Info{
 {Name: "tlsmaxrsasize", Package: "crypto/tls"},
 {Name: "tlsmlkem", Package: "crypto/tls", Changed: 24, Old: "0", Opaque: true},
 {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
+ {Name: "tlssha1", Package: "crypto/tls", Changed: 25, Old: "1"},
 {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
 {Name: "updatemaxprocs", Package: "runtime", Changed: 25, Old: "0"},
 {Name: "winreadlinkvolume", Package: "os", Changed: 23, Old: "0"}, |
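Review bot: The widened documentation check in TestAll has no comment saying why a second form is accepted, so the extra `strings.Contains` reads as an unexplained loosening of the test. A one-line comment above the condition would cover it, e.g. `// A setting counts as documented if doc/godebug.md names it bare or in name=value form.` The second pattern matches only the opening backtick, the name and `=`, so any value after the `=` satisfies it; that looks intentional but is worth stating in the comment. TestAll starts and ends outside this hunk.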
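Review bot: The new `tlssha1` row does not say which value is the weak one; a short comment on the entry, e.g. `// tlssha1=1 re-enables SHA-1 signature algorithms in TLS 1.2 (removed per RFC 9155)`, would make the compatibility escape hatch obvious to anyone auditing GODEBUG settings. Because the row is not marked `Opaque`, the `!info.Opaque && !incs[info.Name]` check in godebugs_test.go expects a matching non-default-behavior counter in crypto/tls, and the test also expects an entry in doc/godebug.md. Neither is visible here because the diffstat is limited to src/internal, so both should be confirmed against the full commit. If the counter is wired up as the test expects, the `/godebug/non-default-behavior/tlssha1:events` runtime metric gives operators a way to spot processes that still rely on SHA-1 signatures. The `All` literal continues outside this hunk.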
