proposal: crypto/tls: allow configurability of supported Signature Hash Algorithms #28660
Go up to and including the current version (at this writing, 1.11.2) hardcodes the list of supported algorithms for the TLS 1.2 Signature Algorithms extension. Concurrently,
One real-world example of this is a custom signer for a TLS client that uses a hardware backend such as a Trusted Platform Module. TPM 1.2 modules can only support SHA1, and while TPM 2.0 modules can support SHA512, they are only required under the current spec to support SHA1 and SHA256. Depending on the list of algorithms provided by the remote party, the Go implementation may choose a 384-bit or 512-bit algorithm that is not supported by the backing hardware module, causing the handshake to fail.
In order to address this, I propose adding a configuration option to
changed the title
crypto/tls: allow configurability of supported Signature Hash Algorithms
Nov 8, 2018
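The failure mode described in the opening post, as an added example that is not code from the issue or from the Go project: once the caller has chosen the hash, a `crypto.Signer` whose backend lacks that hash can only return an error. `limitedSigner`, `backendHashes` and `tryHashes` are hypothetical names, and a software ECDSA key stands in for the hardware module.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha1"
	_ "crypto/sha256"
	_ "crypto/sha512"
	"errors"
	"fmt"
	"io"
)

var ErrUnsupportedHash = errors.New("hash not supported by signing backend")

// backendHashes is a constructed capability set: SHA1 and SHA256 only.
var backendHashes = map[crypto.Hash]bool{crypto.SHA1: true, crypto.SHA256: true}

// limitedSigner is a hypothetical stand-in for a hardware-backed signer.
type limitedSigner struct{ key *ecdsa.PrivateKey }

func (s *limitedSigner) Public() crypto.PublicKey { return s.key.Public() }

// Sign refuses any digest whose hash the backend cannot handle.
func (s *limitedSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if h := opts.HashFunc(); !backendHashes[h] {
		return nil, fmt.Errorf("%w: %v", ErrUnsupportedHash, h)
	}
	return s.key.Sign(r, digest, opts)
}

// tryHashes signs constructed data under each hash, as a caller that picks the hash itself would.
func tryHashes(hashes ...crypto.Hash) (map[crypto.Hash]error, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var s crypto.Signer = &limitedSigner{key}
	res := map[crypto.Hash]error{}
	for _, h := range hashes {
		d := h.New()
		d.Write([]byte("constructed handshake data"))
		_, res[h] = s.Sign(rand.Reader, d.Sum(nil), h)
	}
	return res, nil
}

func main() { fmt.Println(tryHashes(crypto.SHA256, crypto.SHA384, crypto.SHA512)) }
```

The signer sees the hash only through `opts.HashFunc()` at signing time, so it has no way to steer the choice toward one it supports.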
This sounds like it would be more cleanly addressed by an interface upgrade on
Happy to consider this for Go 1.13. Go 1.12 is now in feature freeze.
While I understand the line of thinking, I'm not sure tying this directly to
In order to query the
Given these points, I believe it makes the most sense to define this selection in the