
crypto/tls: TLS 1.0 is not min version by default in HTTP server #33837

@nwtgck

Description


What version of Go are you using (go version)?

$ go version
go version go1.12.9 darwin/amd64

Does this issue reproduce with the latest release?

Yes. 1.12.9 is the latest release now.

What did you do? - Test code

Here is a very simple HTTPS server. You can choose &tls.Config{} or &tls.Config{MinVersion: tls.VersionTLS10} by (un)commenting the corresponding line.

// main.go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
)

func main() {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = fmt.Fprintln(w, "<h1>hello, world</h1>")
	})

	// Start HTTP server
	fmt.Println("Listening...")

	// TLS config
	// NOTE: Switch by comment
	tlsConfig := &tls.Config{}
	//tlsConfig := &tls.Config{MinVersion: tls.VersionTLS10}

	server := &http.Server{Addr: ":8443", Handler: handler, TLSConfig: tlsConfig}
	// Start HTTPS server
	if err := server.ListenAndServeTLS("./ssl_certs/server.crt", "./ssl_certs/server.key"); err != nil {
		log.Fatal(err.Error())
	}
}

Run

go run main.go

What did you expect to see? & What did you see instead?

Testing

I use the following command to confirm whether SSLv3 is supported or not.

openssl s_client -connect localhost:8443 -ssl3

When using &tls.Config{}, SSLv3 is NOT rejected.
When using &tls.Config{MinVersion: tls.VersionTLS10}, SSLv3 is rejected and the server emits "http: TLS handshake error from 127.0.0.1:65528: tls: client offered only unsupported versions: [300]", which is my expectation.

I expect both &tls.Config{} and &tls.Config{MinVersion: tls.VersionTLS10} cases reject SSLv3, but that was not true. The official document says "If zero, then TLS 1.0 is taken as the minimum" like the following.

Document

// MinVersion contains the minimum SSL/TLS version that is acceptable.
// If zero, then TLS 1.0 is taken as the minimum.
MinVersion uint16

from: tls - The Go Programming Language

In the document, MinVersion should be TLS 1.0, so I think it rejects SSLv3. However, the server allows SSLv3.
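The defensive takeaway from this report is to state the protocol floor explicitly rather than trust the zero value, and to verify it with a probe. The following is an added example, not code from the issue or from the Go project: it generates an in-memory self-signed certificate (standing in for the issue's ./ssl_certs files), builds a server config with MinVersion set explicitly, and handshakes a client pinned to a single protocol version over net.Pipe. Current Go releases no longer implement SSLv3 at all, so the probe uses a TLS 1.0 client against a TLS 1.2 floor to show the same class of check. The helper names (selfSignedCert, HardenedServerConfig, PermissiveServerConfig, Handshake) and the certificate contents are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate in memory (constructed
// for this example; it stands in for the issue's ./ssl_certs files).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		DNSNames:     []string{"example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HardenedServerConfig states the floor explicitly instead of trusting the zero-value
// default. Session tickets are disabled only so the TLS 1.3 server has nothing left
// to write after the handshake on a synchronous in-memory pipe.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
}

// PermissiveServerConfig keeps the legacy TLS 1.0 floor, for contrast only.
func PermissiveServerConfig(cert tls.Certificate) *tls.Config {
	cfg := HardenedServerConfig(cert)
	cfg.MinVersion = tls.VersionTLS10
	return cfg
}

// Handshake runs a client pinned to exactly one protocol version against serverCfg
// over net.Pipe and returns the negotiated version (0x0304 = TLS 1.3) or the error.
func Handshake(serverCfg *tls.Config, clientVersion uint16) (uint16, error) {
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	// Deadlines guarantee the probe terminates even if one side stops talking.
	deadline := time.Now().Add(5 * time.Second)
	_ = clientConn.SetDeadline(deadline)
	_ = serverConn.SetDeadline(deadline)
	server := tls.Server(serverConn, serverCfg)
	client := tls.Client(clientConn, &tls.Config{
		InsecureSkipVerify: true, // self-signed cert: the probe tests version policy, not identity
		MinVersion:         clientVersion,
		MaxVersion:         clientVersion,
	})
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	clientErr := client.Handshake()
	if err := <-serverErr; err != nil {
		return 0, err
	}
	if clientErr != nil {
		return 0, clientErr
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	report := func(name string, cfg *tls.Config, ver uint16) {
		if v, err := Handshake(cfg, ver); err != nil {
			fmt.Printf("%s: rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%s: negotiated %#x\n", name, v)
		}
	}
	report("hardened server, TLS 1.0 client", HardenedServerConfig(cert), tls.VersionTLS10)
	report("hardened server, TLS 1.3 client", HardenedServerConfig(cert), tls.VersionTLS13)
	report("permissive server, TLS 1.0 client", PermissiveServerConfig(cert), tls.VersionTLS10)
}
```

Running it shows the hardened server refusing the TLS 1.0 client with a protocol-version error while still negotiating TLS 1.3, and the permissive server accepting TLS 1.0. The same Handshake probe can be pointed at any tls.Config before it goes into an http.Server, which is a cheaper check than the openssl s_client loop in the report and does not depend on what a particular Go release picks as its default.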

Labels: FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.)