proposal: crypto/tls: add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 support #21633

Closed
weinong opened this issue Aug 25, 2017 · 6 comments

Comments

@weinong weinong commented Aug 25, 2017

Please answer these questions before submitting your issue. Thanks!

Our security team requires TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite. Is there any plan to add it in Go?

What version of Go are you using (go version)?

1.8.3 and 1.9

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

What did you expect to see?

What did you see instead?

@odeke-em odeke-em changed the title crypto/tls: add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 support? proposal: crypto/tls: add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 support Aug 26, 2017
@gopherbot gopherbot added this to the Proposal milestone Aug 26, 2017
@gopherbot gopherbot added the Proposal label Aug 26, 2017

@odeke-em odeke-em (Member) commented Aug 26, 2017

/cc @agl @FiloSottile and other crypto folks

@FiloSottile FiloSottile (Member) commented Aug 26, 2017

We added the AES_128/SHA256 variant in #15487. Off by default because #13385.

This would be the only suite with a SHA384 MAC.

Not a fan of enabling CBC to keep going on in this world (as opposed to AEAD modes) except as a backwards compatibility crutch. But based on what @agl decides, happy to implement it.

@rsc rsc (Contributor) commented Aug 28, 2017

@weinong, is that really the only suite allowed by your security team? If not, what other ones are allowed? If so, do you know the rationale? It sounds like we might not want to allow this one by default, but maybe another is available?

@agl agl (Contributor) commented Aug 29, 2017

I added the CBC + SHA-256 cipher suites in a moment of weakness and regret it. I would prefer not to compound that error.

@rsc rsc (Contributor) commented Oct 9, 2017

No response to why. Declining.

@rsc rsc closed this Oct 9, 2017

@crawshaw crawshaw (Contributor) commented Jun 26, 2018

Some outbound outlook.com SMTP relays try to use this cipher suite. There is no other suite in the Go tls package that matches, so those connections cannot use STARTTLS.

This is not a particularly compelling argument for adding support, rather than Microsoft fixing their servers, but it offers at least some explanation.

@golang golang locked and limited conversation to collaborators Jun 26, 2019
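
Added example (not part of the original thread and not Go project code): a diagnostic for the mismatch described in the last comment and the "off by default" status mentioned earlier, classifying the cipher suite IDs a peer offers against what the running toolchain's crypto/tls implements. The offered list is constructed, 0xC028 is the IANA code point for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, and `Classify` and `Usable` are hypothetical helper names. It assumes Go 1.14 or later for `tls.CipherSuites` and `tls.InsecureCipherSuites`.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// How crypto/tls treats a cipher suite ID (labels are this example's own).
const (
	NotImplemented = "not implemented"
	Insecure       = "implemented, in tls.InsecureCipherSuites()"
	Supported      = "implemented, in tls.CipherSuites()"
)

// Classify reports how this Go toolchain's crypto/tls handles suite id.
func Classify(id uint16) string {
	for _, cs := range tls.CipherSuites() {
		if cs.ID == id {
			return Supported
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.ID == id {
			return Insecure
		}
	}
	return NotImplemented
}

// Usable returns the offered suites crypto/tls could negotiate. Insecure-list
// suites count only with allowInsecure (i.e. named in tls.Config.CipherSuites).
func Usable(offered []uint16, allowInsecure bool) []uint16 {
	var out []uint16
	for _, id := range offered {
		if s := Classify(id); s == Supported || (allowInsecure && s == Insecure) {
			out = append(out, id)
		}
	}
	return out
}

func main() {
	// Constructed offer list: the requested suite plus its AES_128/SHA256 variant.
	offered := []uint16{0xC028, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256}
	for _, id := range offered {
		fmt.Printf("0x%04X %s: %s\n", id, tls.CipherSuiteName(id), Classify(id))
	}
	fmt.Println("negotiable without opt-in:", len(Usable(offered, false)))
}
```

An empty result from `Usable` for a peer's offer list means the handshake fails with no shared cipher suite, which is the STARTTLS failure described in the last comment.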