go/doc/next/6-stdlib/99-minor/crypto/tls
Filippo Valsorda 59211acb5d crypto/tls: disable SHA-1 signature algorithms in TLS 1.2
This implements RFC 9155 by removing support for SHA-1 algorithms:

  - we don't advertise them in ClientHello and CertificateRequest
    (where supportedSignatureAlgorithms is used directly)

  - we don't select them in our ServerKeyExchange and CertificateVerify
    (where supportedSignatureAlgorithms filters signatureSchemesForCertificate)

  - we reject them in the peer's ServerKeyExchange and CertificateVerify
    (where we check against the algorithms we advertised in ClientHello
    and CertificateRequest)
Fixes #72883

Change-Id: I6a6a4656e2aafd2c38cdd32090d3d8a9a8047818
Reviewed-on: https://go-review.googlesource.com/c/go/+/658216
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
2025-05-21 15:09:29 -07:00
67516.md crypto/tls: add ConnectionState.CurveID 2025-03-13 08:19:32 -07:00
71920.md crypto/tls: add GetEncryptedClientHelloKeys 2025-05-21 12:15:37 -07:00
72883.md crypto/tls: disable SHA-1 signature algorithms in TLS 1.2 2025-05-21 15:09:29 -07:00
fips.md crypto/tls: relax native FIPS 140-3 mode 2025-03-13 13:33:22 -07:00
version_pref.md crypto/tls: have servers prefer TLS 1.3 when supported 2025-05-21 12:17:01 -07:00