Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and
privacy statement. We’ll occasionally send you account related emails.
Already on GitHub?
to your account
Please answer these questions before submitting your issue. Thanks!
Our security team requires TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite. Is there any plan to add it in Go?
1.8.3 and 1.9
The text was updated successfully, but these errors were encountered:
/cc @agl @FiloSottile and other crypto folks
Sorry, something went wrong.
We added the AES_128/SHA256 variant in #15487. Off by default because #13385.
This would be the only suite with a SHA384 MAC.
Not a fan of enabling CBC to keep going on in this world (as opposed to AEAD modes) except as a backwards compatibility crutch. But based on what @agl decides, happy to implement it.
@weinong, is that really the only suite allowed by your security team? If not, what other ones are allowed? If so, do you know the rationale? It sounds like we might not want to allow this one by default, but maybe another is available?
I added the CBC + SHA-256 cipher suites in a moment of weakness and regret it. I would prefer not to compound that error.
No response to why. Declining.
Some outbound outlook.com SMTP relays try to use this cipher suite. There is no other suite in the Go tls package that matches, so those connections cannot use STARTTLS.
This is not a particularly compelling argument for adding support, rather than Microsoft fixing their servers, but it offers at least some explanation.
No branches or pull requests