From 59211acb5dbde14647e025eb7379675debcf3930 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Sat, 15 Mar 2025 15:12:39 +0100 Subject: crypto/tls: disable SHA-1 signature algorithms in TLS 1.2 This implements RFC 9155 by removing support for SHA-1 algorithms: - we don't advertise them in ClientHello and CertificateRequest (where supportedSignatureAlgorithms is used directly) - we don't select them in our ServerKeyExchange and CertificateVerify (where supportedSignatureAlgorithms filters signatureSchemesForCertificate) - we reject them in the peer's ServerKeyExchange and CertificateVerify (where we check against the algorithms we advertised in ClientHello and CertificateRequest) Fixes #72883 Change-Id: I6a6a4656e2aafd2c38cdd32090d3d8a9a8047818 Reviewed-on: https://go-review.googlesource.com/c/go/+/658216 LUCI-TryBot-Result: Go LUCI Auto-Submit: Filippo Valsorda Reviewed-by: David Chase Reviewed-by: Roland Shoemaker Reviewed-by: Daniel McCarney --- src/runtime/metrics/doc.go | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/runtime') diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go index 8204e87fd1..7ef09be2fc 100644 --- a/src/runtime/metrics/doc.go +++ b/src/runtime/metrics/doc.go @@ -350,6 +350,10 @@ Below is the full list of supported metrics, ordered lexicographically. The number of non-default behaviors executed by the crypto/tls package due to a non-default GODEBUG=tlsrsakex=... setting. + /godebug/non-default-behavior/tlssha1:events + The number of non-default behaviors executed by the crypto/tls + package due to a non-default GODEBUG=tlssha1=... setting. + /godebug/non-default-behavior/tlsunsafeekm:events The number of non-default behaviors executed by the crypto/tls package due to a non-default GODEBUG=tlsunsafeekm=... setting. -- cgit v1.3
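Review bot: The new /godebug/non-default-behavior/tlssha1:events entry in doc.go documents a counter for a GODEBUG=tlssha1=... setting that the commit message never mentions. Add a line to the message, or a pointer to where the setting is documented, stating that tlssha1 exists and what a non-default value changes, since that is the knob an operator will look for when a TLS 1.2 peer that only offers SHA-1 signature algorithms stops interoperating. The entry itself follows the wording of the neighbouring tlsrsakex and tlsunsafeekm entries and keeps the list's lexicographic order, so no change is needed there. This view is limited to src/runtime, so the hunk cannot confirm that the crypto/tls side registers the setting and increments the counter; that should be checked against the full change.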