This is an insecure fork of golang's crypto/tls library.
It is motivated by ongoing efforts to deprecate and eventually remove weak or broken protocols and ciphers from the standard library (e.g. issues 32716, 45428, 63413), and by the need for driftnet to maintain support for those protocols and ciphers.
This fork aims for minimal deviation from the official crypto/tls, whilst supporting protocols and cipher suites which have either already been removed from the standard library, will be removed in an upcoming release, or which were never included in the first place.
The current version is based on go1.21.4.
This library is inherently insecure and should not be used in any situation where security is a requirement.
It might be suitable in the rare case where
- you must connect to a client or server which only supports a broken version of TLS, and
- you cannot upgrade that client or server to a non-broken version, and
- you are willing to completely give up the confidentiality, integrity and authentication that TLS provides.
In all other cases, stick to crypto/tls.
Instead of
import "crypto/tls"
simply
import tls "github.com/driftnet-io/insecure-tls"
As a convenience, the fork re-uses (crypto/tls).ConnectionState as-is, and makes it accessible as (github.com/driftnet-io/insecure-tls).ConnectionState.ConnectionState.
Server-side SSLv3 support is re-introduced, and enabled by default.
SSLv3 client support is introduced, and enabled by default.
The following additional cipher suites are added to InsecureCipherSuites():
TLS_RSA_WITH_RC4_128_MD5(protocol versions SSLv3 to TLS 1.2),TLS_RSA_WITH_AES_256_CBC_SHA256(TLS 1.2 only),TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(SSLv3 to TLS1.2),TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(TLS 1.2 only), andTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(TLS 1.2 only).
This is usually configurable by setting GODEBUG=tlsmaxrsasize=n. However, as GODEBUG internals are not available to us outside the standard library, this is set to a fixed value of 16384 bytes.