crypto/tls: implement strict TLS 1.3 downgrade protections #37763
RFC 8446, Section 4.1.3 mandates strict downgrade checks in TLS 1.3. crypto/tls currently sends the downgrade canaries but doesn't check them, because the ecosystem had some off-spec implementations that had to be flushed out.
We should switch the detection on for Go 1.15, on a similar schedule as Chrome. https://groups.google.com/a/chromium.org/d/msg/blink-dev/CK0Xxdz-4Mg/KIOaBAXmBQAJ
This is arguably a risky change, so it should be flagged appropriately.
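
The client-side check that RFC 8446, Section 4.1.3 describes, written out as an added Go example. It is not crypto/tls code and not part of the issue; `CheckDowngrade`, `ErrDowngrade` and `constructedRandom` are hypothetical names, and the sample randoms are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Wire values of the protocol versions.
const (
	VersionTLS11 uint16 = 0x0302
	VersionTLS12 uint16 = 0x0303
	VersionTLS13 uint16 = 0x0304
)

// Canaries a TLS 1.3 server writes into the last 8 bytes of
// ServerHello.random when it negotiates an older version (RFC 8446, 4.1.3).
var (
	canaryTLS12 = []byte("DOWNGRD\x01") // server negotiated TLS 1.2
	canaryTLS11 = []byte("DOWNGRD\x00") // server negotiated TLS 1.1 or below
)

var ErrDowngrade = errors.New("downgrade canary in ServerHello.random: abort with illegal_parameter")

// CheckDowngrade (hypothetical helper) applies the client rules: a TLS 1.3
// client rejects either canary when TLS 1.2 or below was negotiated; a
// TLS 1.2 client rejects the second canary when TLS 1.1 or below was negotiated.
func CheckDowngrade(clientMax, negotiated uint16, serverRandom []byte) error {
	if len(serverRandom) != 32 {
		return errors.New("ServerHello.random must be 32 bytes")
	}
	tail := serverRandom[24:]
	switch {
	case clientMax >= VersionTLS13 && negotiated <= VersionTLS12 &&
		(bytes.Equal(tail, canaryTLS12) || bytes.Equal(tail, canaryTLS11)):
		return ErrDowngrade
	case clientMax == VersionTLS12 && negotiated <= VersionTLS11 && bytes.Equal(tail, canaryTLS11):
		return ErrDowngrade
	}
	return nil
}

// constructedRandom builds a sample 32-byte random ending in the given tail.
func constructedRandom(tail string) []byte {
	r := make([]byte, 32)
	copy(r[24:], tail)
	return r
}

func main() {
	fmt.Println(CheckDowngrade(VersionTLS13, VersionTLS12, constructedRandom("DOWNGRD\x01")))
}
```

A client whose maximum version is TLS 1.2 legitimately sees `DOWNGRD\x01` from a TLS 1.3 server, so the helper accepts that case and only a TLS 1.3-capable client treats it as a downgrade.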