-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/tls: make TLS 1.3 opt-out for Go 1.13 #30055
Comments
That's fine as long as there's also a way to enable it in code. Via |
Should this apply to RSA-PSS as well? |
A perhaps less specific version could be |
How about |
MaxVersion = 0xFFFF would be my vote. Or some other unused constant to mean MaxBeta. |
But users likely wouldn't be able to reach all such configs so the environment way probably best if Setenv works. |
Change https://golang.org/cl/160998 mentions this issue: |
Change https://golang.org/cl/160997 mentions this issue: |
CL 160997 just uses |
Updates #30055 Change-Id: If68615c8e9daa4226125dcc6a6866f29f3cfeef1 Reviewed-on: https://go-review.googlesource.com/c/160997 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Russ Cox <[email protected]>
Most of the issues that led to the decision on #30055 were related to incompatibility with or faulty support for RSA-PSS (#29831, #29779, v1.5 signatures). RSA-PSS is required by TLS 1.3, but is also available to be negotiated in TLS 1.2. Altering TLS 1.2 behavior based on GODEBUG=tls13=1 feels surprising, so just disable RSA-PSS entirely in TLS 1.2 until TLS 1.3 is on by default, so breakage happens all at once. Updates #30055 Change-Id: Iee90454a20ded8895e5302e8bcbcd32e4e3031c2 Reviewed-on: https://go-review.googlesource.com/c/160998 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Adam Langley <[email protected]>
Done for Go 1.12, milestoned to Go 1.13 to switch to opt-out. |
I think it is worth to document how to use I guess this might work os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1") But If some other goroutines are also setting Alternately, maybe using another env is better. And |
According to #13611 |
Updates golang#30055 Change-Id: If68615c8e9daa4226125dcc6a6866f29f3cfeef1 Reviewed-on: https://go-review.googlesource.com/c/160997 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Russ Cox <[email protected]>
Most of the issues that led to the decision on golang#30055 were related to incompatibility with or faulty support for RSA-PSS (golang#29831, golang#29779, v1.5 signatures). RSA-PSS is required by TLS 1.3, but is also available to be negotiated in TLS 1.2. Altering TLS 1.2 behavior based on GODEBUG=tls13=1 feels surprising, so just disable RSA-PSS entirely in TLS 1.2 until TLS 1.3 is on by default, so breakage happens all at once. Updates golang#30055 Change-Id: Iee90454a20ded8895e5302e8bcbcd32e4e3031c2 Reviewed-on: https://go-review.googlesource.com/c/160998 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Adam Langley <[email protected]>
Change https://golang.org/cl/163039 mentions this issue: |
Updates golang#30055 Change-Id: If68615c8e9daa4226125dcc6a6866f29f3cfeef1 Reviewed-on: https://go-review.googlesource.com/c/160997 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Russ Cox <[email protected]>
Most of the issues that led to the decision on golang#30055 were related to incompatibility with or faulty support for RSA-PSS (golang#29831, golang#29779, v1.5 signatures). RSA-PSS is required by TLS 1.3, but is also available to be negotiated in TLS 1.2. Altering TLS 1.2 behavior based on GODEBUG=tls13=1 feels surprising, so just disable RSA-PSS entirely in TLS 1.2 until TLS 1.3 is on by default, so breakage happens all at once. Updates golang#30055 Change-Id: Iee90454a20ded8895e5302e8bcbcd32e4e3031c2 Reviewed-on: https://go-review.googlesource.com/c/160998 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Adam Langley <[email protected]>
Change https://golang.org/cl/163080 mentions this issue: |
Change https://golang.org/cl/163081 mentions this issue: |
…ertificates in TLS 1.2 In https://golang.org/cl/160998, RSA-PSS was disabled for (most of) TLS 1.2. One place where we can't disable it is in a Client Hello which offers both TLS 1.2 and 1.3: RSA-PSS is required by TLS 1.3, so to offer TLS 1.3 we need to offer RSA-PSS, even if the server might select TLS 1.2. The good news is that we want to disable RSA-PSS mostly when we are the signing side, as that's where broken crypto.Signer implementations will bite us. So we can announce RSA-PSS in the Client Hello, tolerate the server picking TLS 1.2 and RSA-PSS for their signatures, but still not do RSA-PSS on our side if asked to provide a client certificate. Client-TLSv12-ClientCert-RSA-PSS-Disabled changed because it was indeed actually using RSA-PSS. Updates #30055 Change-Id: I5ecade744b666433b37847abf55e1f08089b21d4 Reviewed-on: https://go-review.googlesource.com/c/163039 Reviewed-by: Andrew Bonventre <[email protected]> Reviewed-by: Adam Langley <[email protected]>
In Go 1.13 we will enable RSA-PSS in TLS 1.2 at the same time as we make TLS 1.3 enabled by default. This reverts commit 7ccd358. Updates #30055 Change-Id: I6f2ddf7652d1172a6b29f4e335ff3a71a89974bc Reviewed-on: https://go-review.googlesource.com/c/163080 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Adam Langley <[email protected]>
Updates #30055 Change-Id: I3e79dd7592673c5d76568b0bcded6c391c3be6b3 Reviewed-on: https://go-review.googlesource.com/c/163081 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Adam Langley <[email protected]>
…ertificates in TLS 1.2 In https://golang.org/cl/160998, RSA-PSS was disabled for (most of) TLS 1.2. One place where we can't disable it is in a Client Hello which offers both TLS 1.2 and 1.3: RSA-PSS is required by TLS 1.3, so to offer TLS 1.3 we need to offer RSA-PSS, even if the server might select TLS 1.2. The good news is that we want to disable RSA-PSS mostly when we are the signing side, as that's where broken crypto.Signer implementations will bite us. So we can announce RSA-PSS in the Client Hello, tolerate the server picking TLS 1.2 and RSA-PSS for their signatures, but still not do RSA-PSS on our side if asked to provide a client certificate. Client-TLSv12-ClientCert-RSA-PSS-Disabled changed because it was indeed actually using RSA-PSS. Updates golang#30055 Change-Id: I5ecade744b666433b37847abf55e1f08089b21d4 Reviewed-on: https://go-review.googlesource.com/c/163039 Reviewed-by: Andrew Bonventre <[email protected]> Reviewed-by: Adam Langley <[email protected]>
Milestoned to 1.14 to remove the opt-out. |
Change https://golang.org/cl/191999 mentions this issue: |
Fixes golang#30055 Change-Id: If757c43b52fc7bf62b0afb1c720615329fb5569d Reviewed-on: https://go-review.googlesource.com/c/go/+/191999 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Brad Fitzpatrick <[email protected]>
Fixes golang#30055 Change-Id: If757c43b52fc7bf62b0afb1c720615329fb5569d Reviewed-on: https://go-review.googlesource.com/c/go/+/191999 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Brad Fitzpatrick <[email protected]>
It seems clear from the history of filed issues that some users will experience minor disruptions when switching to TLS 1.3. For disruptive changes like that, we typically do one or more releases in which the new feature is opt-in, with a prominent announcement about when it will turn on by default. Then we do at least one release with the feature opt-out. (Past examples include HTTP/2, vendor directories, and modules.)
Especially given how central TLS is to so many Go users (any HTTPS client or server!), it seems like we should do that for TLS 1.3 too:
Following the HTTP/2 example my suggestion would be to use
GODEBUG=tls13=1
for opt-in now, andGODEBUG=tls13=0
for opt-out later./cc @FiloSottile
The text was updated successfully, but these errors were encountered: