crypto/tls: TLS 1.2 connection fails to be established with `insufficient security level` after TLS 1.3 fixes

[arnovanliere]

Go version

go version go1.25.1 linux/amd64

Output of go env in your module/workspace:

AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/home/arno/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/home/arno/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4245395172=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/home/arno/go/pkg/mod'
GOOS='linux'
GOPATH='/home/arno/go'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='off'
GOTELEMETRYDIR='/home/arno/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.25.1'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

Since I've upgraded to Go 1.25 I have issues with a TLS connection which I use for MQTT. Testing the SSL connection works fine (openssl s_client -connect delta.swycs.services:8443 -servername delta.swycs.services -alpn mqtt -tls1_2 -brief </dev/null). But in Go I get tls: insufficient security level.

What did you see happen?

When I implement this minimal openssl example in Go, I get handshake failed: remote error: tls: insufficient security level.

package main

import (
    "crypto/tls"
    "crypto/x509"
    "fmt"
)

func main() {
    pool, _ := x509.SystemCertPool()
    cfg := &tls.Config{
        ServerName: "delta.swycs.services",
        RootCAs:    pool,
        MinVersion: tls.VersionTLS12,
        MaxVersion: tls.VersionTLS12,
        NextProtos: []string{"mqtt"},
    }
    conn, err := tls.Dial("tcp", "delta.swycs.services:8443", cfg)
    if err != nil {
        log.Fatalf("handshake failed: %v", err)
    }
    defer conn.Close()
    st := conn.ConnectionState()
    fmt.Println("Version:", tls.VersionName(st.Version))
    fmt.Println("Cipher :", tls.CipherSuiteName(st.CipherSuite))
    fmt.Println("ALPN   :", st.NegotiatedProtocol)
}

I've also tried adding specific CurvePreferences and CipherSuites like the following, but to no avail.

    cfg := &tls.Config{
        ...
        CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
        CipherSuites: []uint16{
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        },
    }

Thanks to some helpful people in the Go Discord server, we have found commit e90acc8 to be the issue. Before this commit this program runs fine, after this commit not anymore. Which is curious as the commit message seems to indicate that it only affects TLS1.3, but this is TLS1.2.

What did you expect to see?

I expect the TLS connection to be setup correctly, as it did in Go 1.24.7.

[gabyhelp]

Related Issues

• crypto/tls: Can't create a request using just one cipher suite with TLS v1.3 #68854 (closed)
• crypto/tls: TLS13 handshake does not fail if no cipherSuites overlap between server and client #30109 (closed)
• crypto/tls: remote error: tls: handshake failure #46270 (closed)
• crypto/tls: don't include supported_versions extension if MaxVersion < 1.3 #53384
• crypto/tls: after switching to TLSv1.3+ Connect no longer returns errors #42656 (closed)
• crypto/tls: client did not fail when lack of a certificate and server requires one #59012 (closed)
• crypto/tls: incorrect ciphers advertised in TLS 1.3 only mode #57771 (closed)
• crypto/tls: unable to update some crypto/tls recorded tests #31809 (closed)
• dev.boringcrypto: Unable to connect to a server using the `tls.TLS_RSA_WITH_AES_256_CBC_SHA` CipherSuite #44050
• crypto/tls: https request, tls handshake failure in go1.22 #66512 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[arnovanliere]

@gabyhelp none of these issues seem relevant, except maybe #53384, but this is also still open. And also probably not relevant as I have no issues on Go 1.24.7 or earlier. The issue I have was introduced in this commit e90acc8

[prattmic]

cc @golang/security

[CarsonHoffman]

The main difference in handshakes between the versions appears to be the addition of the signature_algorithms_cert extension, which was not sent previously. See e90acc8#diff-ab85793b9432fb5bea1142f2582e0c8bba9bec59a90913f95baf35560fdb9d7dR127, which applies to TLS 1.2.