proposal: crypto/tls: support for openssl ciphers symbols, keywords in tls config #60878
I have placed an example here as well. It's a breaking change; instead of a breaking one, adding a new property, something like // For example, I don't write the entire list of supported ciphers into the config; rather, I just use keywords and symbols to produce the entire list. For example, I took this example from
```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
		w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		w.Write([]byte("This is an example server.\n"))
	})
	cfg := &tls.Config{
		MinVersion:               tls.VersionTLS12,
		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
		PreferServerCipherSuites: true,
		// Every cipher suite is listed explicitly by constant.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		},
	}
	srv := &http.Server{
		Addr:         ":443",
		Handler:      mux,
		TLSConfig:    cfg,
		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
	}
	log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))
}
```

```go
// and just rewritten like this
func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
		w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		w.Write([]byte("This is an example server.\n"))
	})
	cfg := &tls.Config{
		MinVersion:               tls.VersionTLS12,
		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
		PreferServerCipherSuites: true,
		// CipherSuiteString is the proposed field; it does not exist in crypto/tls.
		CipherSuiteString: []string{
			"RSA+ECDHE",
		},
	}
	srv := &http.Server{
		Addr:         ":443",
		Handler:      mux,
		TLSConfig:    cfg,
		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
	}
	log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))
}
```
CC @golang/security
OpenSSL supports so many cipher suites it needs a little grammar to handle them. We don't. We also don't let the application change TLS 1.3 cipher suites, and I don't expect we'll ever add new TLS 1.2 cipher suites, so it's not even a matter of supporting future suites. Finally, we select the order automatically and don't support completely broken ones, so there is little harm in enabling too many. I don't think this is a good fit for Go.
I see this issue about the ordering, #45430. I don't understand the complexity behind it and the fit for Go? I have seen that a lot of load balancers and security orgs are still supporting flexibility, for example
IMHO, and finally, the source raw shouldn't be limited to particular things; then the end user will select what (s)he needs. It doesn't mean the end user doesn't know anything about security.
My overall point here: the flexibility the other libs are providing, I thought it's good to have in Go as well.
Currently, openssl ciphers https://www.openssl.org/docs/man1.1.1/man1/ciphers.html does support all keywords such as DEFAULT, ALL, NULL and the symbols '+' and '-' to get
Currently the API returns only https://pkg.go.dev/crypto/tls#CipherSuiteName. CipherSuites returns a string based on input constants https://pkg.go.dev/crypto/tls#pkg-constants; instead, if we have support for all keywords and symbols, it accepts strings and returns an array of strings.
This is how openssl returns the cipher suites based on keywords
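For comparison, keyword selection can already be written on top of the existing `tls.CipherSuites()` API. This is an added sketch, not code from the issue or from the Go project: `selectSuites` and `matches` are hypothetical names, and the grammar is a small assumed subset of OpenSSL's (`:`, `+`, leading `-`) matched against Go's suite names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// selectSuites is a hypothetical helper, not part of crypto/tls. Grammar subset:
// ":" separates terms, "+" ANDs keywords, a leading "-" removes matches. Keywords
// are whole "_"-separated tokens of Go's suite names (an approximation of OpenSSL).
func selectSuites(spec string) ([]uint16, error) {
	selected := map[uint16]bool{}
	for _, term := range strings.Split(spec, ":") {
		keys := strings.Split(strings.TrimPrefix(term, "-"), "+")
		matched := false
		for _, cs := range tls.CipherSuites() { // InsecureCipherSuites() is never consulted
			// Config.CipherSuites does not govern TLS 1.3, so skip 1.3-only suites.
			if cs.SupportedVersions[0] > tls.VersionTLS12 || !matches(cs.Name, keys) {
				continue
			}
			matched = true
			selected[cs.ID] = !strings.HasPrefix(term, "-")
		}
		if !matched { // a misspelled keyword fails loudly instead of selecting nothing
			return nil, fmt.Errorf("term %q matches no cipher suite", term)
		}
	}
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if selected[cs.ID] {
			ids = append(ids, cs.ID)
		}
	}
	return ids, nil
}

func matches(name string, keys []string) bool { // every keyword is a whole name token
	for _, k := range keys {
		if !strings.Contains("_"+name+"_", "_"+k+"_") {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println(selectSuites("ECDHE+RSA:-CBC"))
	fmt.Println(selectSuites("ECDHE+RSAA")) // constructed typo
}
```

Check that the result is non-empty before assigning it to `Config.CipherSuites`, because a nil list there means Go's default suites rather than none.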