crypto/tls: missing check for versions offered in ClientHello when using QUIC #63723

@marten-seemann

What version of Go are you using (go version)?

$ go version
go version go1.21.0 darwin/arm64

Does this issue reproduce with the latest release?

Yes

What did you do?

RFC 9001 Section 4.2 requires the server to check the client's offered TLS versions:

Clients MUST NOT offer TLS versions older than 1.3.

What did you expect to see?

I expected crypto/tls to perform this required check.

What did you see instead?

It didn't.
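
The check this issue reports as missing can be sketched as follows. This is an added example, not crypto/tls code and not from the issue author. `checkOfferedVersions` is a hypothetical helper that takes the body of the ClientHello `supported_versions` extension, and the sample byte strings are constructed.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// checkOfferedVersions validates the body of a ClientHello supported_versions
// extension (RFC 8446, Section 4.2.1): a 1-byte length, then 2-byte versions.
// It rejects malformed lists and any offer older than TLS 1.3, which
// RFC 9001 Section 4.2 forbids for QUIC clients.
// Hypothetical helper for illustration; not part of crypto/tls.
func checkOfferedVersions(ext []byte) error {
	if len(ext) < 1 {
		return errors.New("supported_versions: empty extension")
	}
	list := ext[1:]
	if int(ext[0]) != len(list) || len(list) < 2 || len(list)%2 != 0 {
		return errors.New("supported_versions: malformed version list")
	}
	offers13 := false
	for i := 0; i < len(list); i += 2 {
		v := uint16(list[i])<<8 | uint16(list[i+1])
		// GREASE values (RFC 8701) start at 0x0a0a, so they are not rejected here.
		if v < tls.VersionTLS13 {
			return fmt.Errorf("supported_versions: 0x%04x offered over QUIC", v)
		}
		offers13 = offers13 || v == tls.VersionTLS13
	}
	// Extra sanity check (assumption of this example): TLS 1.3 itself must be offered.
	if !offers13 {
		return errors.New("supported_versions: TLS 1.3 not offered")
	}
	return nil
}

func main() {
	// Constructed extension bodies, not captured traffic.
	samples := [][]byte{
		{0x02, 0x03, 0x04},             // TLS 1.3 only
		{0x04, 0x03, 0x04, 0x03, 0x03}, // TLS 1.3 and TLS 1.2
		{0x04, 0x0a, 0x0a, 0x03, 0x04}, // GREASE and TLS 1.3
	}
	for _, s := range samples {
		fmt.Printf("% x -> %v\n", s, checkOfferedVersions(s))
	}
}
```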

Labels: FrozenDueToAge, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
