Building certigo with Go tip can cause panics with 'certigo connect' in certigo/lib.explainCipher #184
The illustration and reproduction:
The problem is that explainCipher() has a hard-coded list of ciphers and it assumes that this list covers all ciphers that Go's TLS code can ever use. In Go tip, the list of supported TLS ciphers has expanded (to include TLS 1.3 ciphers, such as TLS_AES_128_GCM_SHA256, which is what I believe is being negotiated here), but the cipher is not in the list and so explainCipher winds up trying to slice up a null string and creating a bad index.
One fix would be to add the new Go supported ciphers to the list. This is a bit tricky, since their tls. values are not defined in current released Go versions, so they would have to be added by explicit hex value with comments. Another would be to make explainCipher cope (somehow) with ciphers not in the cipherSuites map.
(I believe that there is probably a similar issue with the tlsVersions map, which currently doesn't include TLS 1.3.)
The build issue might be dealt with by pulling both tlsVersions and cipherSuites out into multiple separate files, each built only on Go versions with the necessary constants defined.
(It is a real pity that crypto/tls does not export any name mapping information in its public API, because it sticks programs and code like this with a tough job and a tough set of tradeoffs. But I assume that the Go authors have their reasons.)
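The failure mode described in this issue, and the "cope with ciphers not in the map" option, as an added example that is not certigo's code. The table `knownSuites` and the functions `fragileExplain`, `safeExplain` and `panics` are hypothetical names constructed for illustration; the TLS 1.3 suite is given by its IANA value 0x1301 so the file builds without the newer `tls` constant.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed, deliberately incomplete table standing in for a hard-coded map.
var knownSuites = map[uint16]string{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	tls.TLS_RSA_WITH_AES_128_CBC_SHA:          "TLS_RSA_WITH_AES_128_CBC_SHA",
}

// TLS_AES_128_GCM_SHA256 by its IANA value, so this builds without the tls constant.
const tls13AES128 uint16 = 0x1301

// fragileExplain (hypothetical) assumes every negotiated ID is in the table.
func fragileExplain(id uint16) string {
	name := knownSuites[id]            // "" when the ID is missing
	i := strings.Index(name, "_WITH_") // -1 for ""
	return name[4:i]                   // panics: slice bounds out of range
}

// safeExplain (hypothetical) degrades to the raw ID instead of panicking.
func safeExplain(id uint16) string {
	name, ok := knownSuites[id]
	if !ok {
		return fmt.Sprintf("unknown cipher suite (0x%04X)", id)
	}
	i := strings.Index(name, "_WITH_")
	if i < 4 { // name without a key-exchange part, e.g. TLS 1.3 style
		return name
	}
	return name[4:i] + " key exchange, " + name[i+6:]
}

// panics reports whether f panicked.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	fmt.Println(safeExplain(tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256))
	fmt.Println(safeExplain(tls13AES128))
	fmt.Println("fragile version panics:", panics(func() { fragileExplain(tls13AES128) }))
}
```

Printing the raw hex ID for an unknown suite keeps the connection report usable and still tells the operator exactly what was negotiated.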