RFC 8446, Section 4.1.3 mandates strict downgrade checks in TLS 1.3. crypto/tls currently sends the downgrade canaries but doesn't check them, because the ecosystem had some off-spec implementations that had to be flushed out.
We should switch the detection on for Go 1.15, on a similar schedule as Chrome. https://groups.google.com/a/chromium.org/d/msg/blink-dev/CK0Xxdz-4Mg/KIOaBAXmBQAJ
This is arguably a risky change, so it should be flagged appropriately.
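The client-side check this issue asks to enforce, as an added example (not crypto/tls code and not part of the original thread): RFC 8446, Section 4.1.3 has the client compare the last 8 bytes of ServerHello.random against the two downgrade canaries. `CheckDowngrade`, `randomWithTail` and the sample randoms are hypothetical names and constructed values.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const ( // TLS protocol version code points
	VersionTLS11 uint16 = 0x0302
	VersionTLS12 uint16 = 0x0303
	VersionTLS13 uint16 = 0x0304
)

// Canaries a TLS 1.3-capable server writes into the last 8 bytes of
// ServerHello.random when it negotiates an older version (RFC 8446, 4.1.3).
var (
	canaryTLS12  = []byte("DOWNGRD\x01") // server negotiated TLS 1.2
	canaryTLS11  = []byte("DOWNGRD\x00") // server negotiated TLS 1.1 or below
	ErrDowngrade = errors.New("downgrade canary in ServerHello.random: abort with illegal_parameter")
)

// CheckDowngrade (hypothetical helper, not the crypto/tls API): clientMax is the
// highest version the client offered, negotiated is what the ServerHello selected.
func CheckDowngrade(clientMax, negotiated uint16, serverRandom []byte) error {
	if len(serverRandom) != 32 {
		return errors.New("ServerHello.random must be 32 bytes")
	}
	tail := serverRandom[24:]
	is12, is11 := bytes.Equal(tail, canaryTLS12), bytes.Equal(tail, canaryTLS11)
	switch {
	case clientMax >= VersionTLS13 && negotiated <= VersionTLS12 && (is12 || is11):
		return ErrDowngrade // TLS 1.3 client: MUST reject either canary
	case clientMax == VersionTLS12 && negotiated <= VersionTLS11 && is11:
		return ErrDowngrade // TLS 1.2 client: SHOULD reject the 1.1-or-below canary
	}
	return nil // includes a TLS 1.2-only client legitimately seeing canaryTLS12
}

// randomWithTail builds a constructed 32-byte random ending in tail (8 bytes).
func randomWithTail(tail []byte) []byte {
	r := bytes.Repeat([]byte{0xAB}, 32)
	copy(r[24:], tail)
	return r
}

func main() {
	fmt.Println(CheckDowngrade(VersionTLS13, VersionTLS12, randomWithTail(canaryTLS12)))
}
```

A client that only supports TLS 1.2 will see the `DOWNGRD\x01` canary on every handshake with a TLS 1.3-capable server, which is why that case returns nil.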
Just throwing ideas, but IMHO that change should be around a flag of sorts in case someone's server has to deal with broken clients.
Change https://golang.org/cl/231038 mentions this issue: crypto/tls: enforce TLS 1.3 (and TLS 1.2) downgrade protection checks
crypto/tls: enforce TLS 1.3 (and TLS 1.2) downgrade protection checks
a6c6e59
dbe3390
Fixes golang#37763

Change-Id: Ic6bcc9af0d164966f4ae31087998e5b546540038
Reviewed-on: https://go-review.googlesource.com/c/go/+/231038
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>