-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/tls: remove SSLv3 support #32716
Comments
Out of curiosity, this is the diffstat of a very straightforward removal of SSLv3, without touching tests or refactoring.
|
I'm certainly in favor of doing this but it would be nice to know more about the impact. It seems clear from the links in the top message above that SSLv3 has not been a concern for HTTPS since 2014-2015. What's less clear is whether there are other SSL servers (especially on company-internal networks) that have not yet migrated to TLS. That seems very unlikely, but we simply don't know. Marking it deprecated in Go 1.13 sounds like a reasonable tentative plan. I suggest we:
|
Change https://golang.org/cl/184102 mentions this issue: |
Updates #32716 Change-Id: Ia0c03918e8f2da4d9824c49c6d4cfca1b0787b0a Reviewed-on: https://go-review.googlesource.com/c/go/+/184102 Reviewed-by: Andrew Bonventre <andybons@golang.org>
Change https://golang.org/cl/191976 mentions this issue: |
This has now landed. We'll keep this open to collect feedback until the freeze, at which point we'll make a final decision. |
SSLv3 has been irreparably broken since the POODLE attack 5 years ago and RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use in no uncertain terms. As announced in the Go 1.13 release notes, remove support for it entirely in Go 1.14. Updates #32716 Change-Id: Id653557961d8f75f484a01e6afd2e104a4ccceaf Reviewed-on: https://go-review.googlesource.com/c/go/+/191976 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
SSLv3 has been irreparably broken since the POODLE attack 5 years ago and RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use in no uncertain terms. As announced in the Go 1.13 release notes, remove support for it entirely in Go 1.14. Updates golang#32716 Change-Id: Id653557961d8f75f484a01e6afd2e104a4ccceaf Reviewed-on: https://go-review.googlesource.com/c/go/+/191976 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
SSLv3 has been irreparably broken since the POODLE attack 5 years ago and RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use in no uncertain terms. As announced in the Go 1.13 release notes, remove support for it entirely in Go 1.14. Updates golang#32716 Change-Id: Id653557961d8f75f484a01e6afd2e104a4ccceaf Reviewed-on: https://go-review.googlesource.com/c/go/+/191976 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@FiloSottile Time for a final decision. |
We didn't see any breakage and hear any complaints. I think we should accept this. Let's give it a round on the proposal review minutes as a likely accept? |
This was tentatively accepted in June - see #32716 (comment). Leaving open for a week for final comments. |
No final comments, so accepting. |
This was implemented by CL 191976. Closing. |
Golang library (golang/go#32716) don't support unsecure protocol which fallback to openssl which Cention snapshot at openssl old version 0.9.8(l or zg?). Make use of this openssl to use SSLv3 talk to insecure server.
SSLv3 has been irreparably broken since the POODLE attack 5 years ago.
RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use in no uncertain terms, and proceeds to list everything that's broken with it.
Major CDNs dropped support immediately upon the disclosure of POODLE. Google frontends followed in 2015. Mozilla called the end of SSL 3.0 in 2014.
In
crypto/tls
, SSLv3 is only supported on the server side, and is disabled by default. It's time we remove it entirely, as it's not just obsolete, but insecure.I would like to mark it as deprecated in Go 1.13 and announce it in the release notes, also to get feedback on the impact, and then remove it in Go 1.14.
/cc @rsc @agl
The text was updated successfully, but these errors were encountered: