Does this issue reproduce with the latest release?
Yes
What did you do?
I set tls.Config.MinVersion to tls.VersionTLS13 and started a TLS handshake. I recorded a pcap using Wireshark and inspected the TLS ClientHello.
What did you expect to see?
Since RFC 8446 only defines 3 cipher suites for the use with TLS 1.3, I expected the ClientHello to only contain those 3 cipher suites.
While TLS 1.3-only might not be common on TCP so far (although people in the IETF TLS working group have started thinking about what it would take to deprecate TLS 1.2 at some point), it is the only mode that's valid for the use with QUIC (as defined in RFC 9001).
What did you see instead?
A long list of 25 cipher suites was offered, with the TLS 1.3 cipher suites appended at the end. Sending cipher suites that aren't valid for TLS 1.3 is wasteful if only TLS 1.3 is supported anyway.
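The observation above can be checked without a packet capture. The following Go program is an added example, not part of the original issue or of Go's own code: it runs the client handshake against an in-memory server and reports which offered cipher suites are not among the three TLS 1.3 suites that crypto/tls implements. The helper names `offeredSuites` and `legacySuites` and the server name `example.test` are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
)

// offeredSuites runs cfg's client handshake over an in-memory pipe and returns
// the cipher suite IDs from its ClientHello; the throwaway server aborts early.
func offeredSuites(cfg *tls.Config) ([]uint16, error) {
	cli, srv := net.Pipe()
	defer srv.Close()
	go func() { _ = tls.Client(cli, cfg).Handshake(); cli.Close() }()
	var ids []uint16
	scfg := &tls.Config{GetConfigForClient: func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
		ids = append(ids, chi.CipherSuites...) // list as offered by the client
		return nil, errors.New("ClientHello captured, aborting handshake")
	}}
	if err := tls.Server(srv, scfg).Handshake(); ids == nil {
		return nil, fmt.Errorf("no ClientHello received: %w", err)
	}
	return ids, nil
}

// legacySuites returns offered IDs outside crypto/tls's three TLS 1.3 suites.
func legacySuites(ids []uint16) (legacy []uint16) {
	for _, id := range ids {
		if id != tls.TLS_AES_128_GCM_SHA256 && id != tls.TLS_AES_256_GCM_SHA384 &&
			id != tls.TLS_CHACHA20_POLY1305_SHA256 {
			legacy = append(legacy, id)
		}
	}
	return legacy
}

func main() {
	// Constructed config: TLS 1.3 only; the server name is a placeholder.
	ids, err := offeredSuites(&tls.Config{MinVersion: tls.VersionTLS13, ServerName: "example.test"})
	if err != nil {
		panic(err)
	}
	legacy := legacySuites(ids)
	fmt.Printf("offered %d suites, %d not usable with TLS 1.3\n", len(ids), len(legacy))
	for _, id := range legacy {
		fmt.Printf("  0x%04x %s\n", id, tls.CipherSuiteName(id))
	}
}
```

A non-zero second number means the client is still offering suites that a TLS 1.3-only handshake can never select.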
Yes, I didn't see that one. The title is a bit misleading, as these cipher suites are not incorrect (as long as they're not selected), they're just wasteful.
The fix submitted for that issue is less efficient than my fix, as it causes an extra allocation. I've commented on that CL.