crypto/tls: TLS_FALLBACK_SCSV only if MaxVersion is set #11047

Closed
jansauer opened this issue Jun 3, 2015 · 1 comment

@jansauer jansauer commented Jun 3, 2015

Based on my tests with ssllabs.com I only get downgrade attack prevention with TLS_FALLBACK_SCSV if I set MaxVersion in my tls.Config.

I tried it with TLS_FALLBACK_SCSV as first and as the last entry of my cipher suites but without any luck.

Here is my server code:

    config := &tls.Config{
        MinVersion: tls.VersionTLS11,
        MaxVersion: tls.VersionTLS12,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
            tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
        },
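        PreferServerCipherSuites: true,
        // ClientSessionCache is only consulted by TLS clients; it has no effect on a server.
        ClientSessionCache:       tls.NewLRUClientSessionCache(128),
    }

    // HTTPS (with HTTP/2) on :4000 using the TLS settings above.
    server := &http.Server{Addr: ":4000", Handler: nil, TLSConfig: config}
    http2.ConfigureServer(server, nil)

    log.Printf("Starting webserver ...")
    // Plain HTTP on :3000 runs in the background.
    go http.ListenAndServe(":3000", nil)
    // ListenAndServeTLS only returns on failure, so log the error and exit.
    log.Fatal(server.ListenAndServeTLS(TLS_PUBLIC_KEY, TLS_PRIVATE_KEY))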

@titanous titanous commented Jun 5, 2015

This was fixed in 1965b03 which will be included in the 1.5 release.

@mikioh mikioh added this to the Go1.5 milestone Jun 6, 2015
@mikioh mikioh closed this Jun 6, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
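
An added illustration of the behaviour reported in this issue (not code from the Go project or from either commenter): the RFC 7507 server-side rule for TLS_FALLBACK_SCSV, evaluated once against the raw `MaxVersion` field, whose zero value means unset, and once against an effective maximum. The `hello` type, `effectiveMax`, `mustReject` and the `libMax` parameter are hypothetical names; the page does not say what the actual defect in crypto/tls was.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// hello holds the two ClientHello fields the check needs (constructed type).
type hello struct {
	version uint16
	suites  []uint16
}

// effectiveMax returns the highest version the server will negotiate. A zero
// MaxVersion means "unset"; libMax stands in for the library default (assumed).
func effectiveMax(cfg *tls.Config, libMax uint16) uint16 {
	if cfg.MaxVersion == 0 || cfg.MaxVersion > libMax {
		return libMax
	}
	return cfg.MaxVersion
}

// mustReject is the RFC 7507 server rule: answer with inappropriate_fallback
// (alert 86) when the SCSV is offered and the server supports a higher
// version than the one in the ClientHello.
func mustReject(h hello, serverMax uint16) bool {
	for _, s := range h.suites {
		if s == tls.TLS_FALLBACK_SCSV {
			return h.version < serverMax
		}
	}
	return false
}

func main() {
	// Constructed input: a client retrying at TLS 1.1 and flagging the retry.
	retry := hello{tls.VersionTLS11, []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_FALLBACK_SCSV}}
	for _, cfg := range []*tls.Config{{}, {MaxVersion: tls.VersionTLS12}} {
		fmt.Printf("MaxVersion=%#04x  raw field: reject=%-5v  effective: reject=%v\n",
			cfg.MaxVersion,
			mustReject(retry, cfg.MaxVersion),
			mustReject(retry, effectiveMax(cfg, tls.VersionTLS12)))
	}
}
```

With `MaxVersion` unset, the raw-field comparison never rejects the flagged retry, while the effective-maximum comparison does; with `MaxVersion: tls.VersionTLS12` both agree.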