Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: Add support for SHA256 CBC ciphers #15487

Closed
fatmcgav opened this issue Apr 29, 2016 · 3 comments
Closed

crypto/tls: Add support for SHA256 CBC ciphers #15487

fatmcgav opened this issue Apr 29, 2016 · 3 comments
Assignees
Milestone

Comments

@fatmcgav
Copy link

@fatmcgav fatmcgav commented Apr 29, 2016

I am currently attempting to use Golang v1.6 to interact with a 3rd party WS API.

Currently, they have a very limited set of supported ciphers:

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Unfortunately none of these overlap with supported Go's supported ciphers. Therefore I just get an 'EOF' response currently.

Putting it out on the golang-nuts mailing list, I got a response from Phus Lu which included a commit that adds the following ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256

Is there appetite to add support for these cipher suites to core?

@bradfitz bradfitz added this to the Unplanned milestone Apr 29, 2016
@phuslu

This comment has been minimized.

Copy link

@phuslu phuslu commented Apr 30, 2016

There're more and more TLSv1.2-only servers in these days.
Hopefully go could have full TLSv1.2 ciphers support in future releases.

@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Aug 18, 2016

CL https://golang.org/cl/27315 mentions this issue.

@gopherbot gopherbot closed this in 8741504 Aug 18, 2016
fatmcgav added a commit to fatmcgav/go that referenced this issue Oct 10, 2016
These were new with TLS 1.2 and, reportedly, some servers require it.
Since it's easy, this change adds suport for three flavours of
AES-128-CBC with SHA-256 MACs.

Other testdata/ files have to be updated because this changes the list
of cipher suites offered by default by the client.

Fixes golang#15487.

Change-Id: I1b14330c31eeda20185409a37072343552c3464f
Reviewed-on: https://go-review.googlesource.com/27315
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Jan 17, 2017

CL https://golang.org/cl/35290 mentions this issue.

gopherbot pushed a commit that referenced this issue Jan 17, 2017
As is, they were fully vulnerable to the Lucky13 attack. The SHA1
variants implement limited countermeasures (see f28cf83) but the
SHA256 ones are apparently used rarely enough (see 8741504) that
it's not worth the extra code.

Instead, disable them by default and update the warning.

Updates #13385
Updates #15487

Change-Id: I45b8b716001e2fa0811b17e25be76e2512e5abb2
Reviewed-on: https://go-review.googlesource.com/35290
Reviewed-by: Adam Langley <alangley@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Matt Layher <mdlayher@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@golang golang locked and limited conversation to collaborators Jan 17, 2018
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
These were new with TLS 1.2 and, reportedly, some servers require it.
Since it's easy, this change adds suport for three flavours of
AES-128-CBC with SHA-256 MACs.

Other testdata/ files have to be updated because this changes the list
of cipher suites offered by default by the client.

Fixes golang#15487.

Change-Id: I1b14330c31eeda20185409a37072343552c3464f
Reviewed-on: https://go-review.googlesource.com/27315
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
These were new with TLS 1.2 and, reportedly, some servers require it.
Since it's easy, this change adds suport for three flavours of
AES-128-CBC with SHA-256 MACs.

Other testdata/ files have to be updated because this changes the list
of cipher suites offered by default by the client.

Fixes golang#15487.

Change-Id: I1b14330c31eeda20185409a37072343552c3464f
Reviewed-on: https://go-review.googlesource.com/27315
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.