crypto/tls: mitigate "Sweet32" #41476
Comments
testssl.sh reports this in the section
3DES ciphers are picked as the last fallback by peers that can't do anything better, and the only vulnerability they have is the birthday bound inherent to the block size. The attack is impractical, but I had already planned to drop a counter in there to mitigate it.
Thanks for your response.
So you're going to make some changes to the algorithm but keep the ciphers enabled? A note in the godoc would be good here. It's easy to drop these ciphers if you know that you have to.
Since we can implement these ciphers securely, we're not going to break old clients that can still establish a secure connection only to appease security scanners. You should probably open an issue with the scanner if possible.
OK, that's good to know. So for a secure implementation you "restrict the number of blocks in a key bundle"? I trust your words, but maybe dropping a note in the godoc about this would be a good thing. This is just for the record:
Shall I update the documentation and send you a pull request?
@rolandshoemaker, can you check if any other implementation added record limits to connections? I tried doing the math for staying under the NIST recommendation of 2^20 blocks but that worked out to a tiny size. I am curious what others are doing here. |
NSS implemented record limits for all ciphers after which they terminate the connection (https://bugzilla.mozilla.org/show_bug.cgi?id=1268745 contains some description of their thought process, and https://hg.mozilla.org/projects/nss/file/tip/lib/ssl/sslspec.c contains the current per-cipher limit defs), with different limits depending on the cipher's security level. As far as I can tell no other TLS implementation added record limits; most seem to have just disabled 3DES by default.
/cc |
Kindly pinging @rolandshoemaker @katiehockman @FiloSottile, shall we punt this to Go1.17? |
Punted to Go1.17. |
Change https://golang.org/cl/314609 mentions this issue: |
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
What did you do?
The godoc for https://golang.org/pkg/crypto/tls/#CipherSuites states
https://play.golang.org/p/1RmZ0n-CKbT
What did you expect to see?
No insecure ciphers listed.
What did you see instead?