crypto/tls: add support for additional TLS ciphers #26652

Closed
shlormz opened this issue Jul 27, 2018 · 3 comments

@shlormz shlormz commented Jul 27, 2018

I'm working on a project that requires connecting to a myriad of servers running a wide variety of software using HTTPS. Because I have no real influence over their configuration, I'm forced to use the ciphers they allow. There are a few that aren't included in Go, and I'm curious as to why or if you're open to supporting them:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256

I've found a few other issues mentioning not using CBC where it can be avoided, but it can't in this case. Is there a reason these wouldn't be supported, but the same variants with other SHA versions would? For example, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 isn't defined, but TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is. All three of those are like this, where just the SHA version is different and not necessarily better.

Thanks!

@dgryski dgryski commented Jul 27, 2018

@odeke-em odeke-em commented Jul 28, 2018

/cc @agl @titanous too

@odeke-em odeke-em changed the title tls/crypto support additional ciphers for TLS crypto/tls: add support for additional TLS ciphers Jul 28, 2018
@andybons andybons added this to the Unplanned milestone Jul 30, 2018
@FiloSottile FiloSottile commented Jul 30, 2018

crypto/tls aims to support a limited safe subset of TLS, such that most use cases are supported, but it's not intended to be compatible with all possible configurations.

CBC modes are extremely hard to implement securely due to their flawed MtE design, so we only retain the existing ones for legacy compatibility, and won't be adding any new ones.

Moreover, the SHA-1 implementation had to be modified to be usable securely with CBC modes, so other hashes are not trivial to add.

@golang golang locked and limited conversation to collaborators Jul 30, 2019
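
For anyone auditing which servers a Go client can still reach, the check below intersects a server's allowed suite list with what the local crypto/tls implements. It is an added example, not code from this issue or from the Go project; the `Overlap` type, `Compare` function and sample server list are constructed for illustration, and the three hex IDs are the IANA code points of the suites requested above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// IANA code points of the three requested suites; crypto/tls has no constants for them.
var requested = map[uint16]string{
	0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
	0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
	0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

// Overlap is what a Go client can negotiate from one server's allowed suites.
type Overlap struct {
	NonCBC      []string // implemented by crypto/tls, not a CBC suite
	CBC         []string // legacy CBC suites crypto/tls still implements
	Unsupported []uint16 // allowed by the server, absent from crypto/tls
}

// Compare checks server suite IDs against all suites Go implements, insecure list included.
func Compare(serverSuites []uint16) Overlap {
	impl := make(map[uint16]string)
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		impl[cs.ID] = cs.Name
	}
	var o Overlap
	for _, id := range serverSuites {
		switch name, ok := impl[id]; {
		case !ok:
			o.Unsupported = append(o.Unsupported, id)
		case strings.Contains(name, "_CBC_"):
			o.CBC = append(o.CBC, name)
		default:
			o.NonCBC = append(o.NonCBC, name)
		}
	}
	return o
}

func main() {
	// Constructed sample: the three requested suites plus the SHA-1 variant (0xC00A).
	o := Compare([]uint16{0xC024, 0xC028, 0x003D, 0xC00A})
	fmt.Println("usable CBC suites:", o.CBC)
	for _, id := range o.Unsupported {
		fmt.Printf("not in crypto/tls: 0x%04X %s\n", id, requested[id])
	}
}
```

A server whose list lands entirely in `Unsupported` cannot be reached with crypto/tls, and one reachable only through `CBC` entries is a candidate for a configuration request to its operator.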