crypto/tls: remove SSLv3 support

SSLv3 has been irreparably broken since the POODLE attack 5 years ago and RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use in no uncertain terms. As announced in the Go 1.13 release notes, remove support for it entirely in Go 1.14. Updates #32716 Change-Id: Id653557961d8f75f484a01e6afd2e104a4ccceaf Reviewed-on: https://go-review.googlesource.com/c/go/+/191976 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2025-04-03 20:17:36 +03:00 · 2019-08-27 17:27:45 -04:00 · 2019-08-27 17:27:45 -04:00 · 018f13d1a3
commit 018f13d1a3
parent 63a961538b
16 changed files with 34 additions and 474 deletions
--- a/auth_test.go
+++ b/auth_test.go
@ -32,7 +32,6 @@ func TestSignatureSelection(t *testing.T) {
 		// https://tools.ietf.org/html/rfc4346#page-44
 		{rsaCert, nil, nil, VersionTLS11, 0, signaturePKCS1v15, crypto.MD5SHA1},
 		{rsaCert, nil, nil, VersionTLS10, 0, signaturePKCS1v15, crypto.MD5SHA1},
-		{rsaCert, nil, nil, VersionSSL30, 0, signaturePKCS1v15, crypto.MD5SHA1},

 		// Before TLS 1.2, there is no signature_algorithms extension
 		// nor field in CertificateRequest and digitally-signed and thus
@ -95,13 +94,6 @@ func TestSignatureSelection(t *testing.T) {
 		{ecdsaCert, []SignatureScheme{Ed25519}, []SignatureScheme{Ed25519}, VersionTLS12},
 		{ed25519Cert, nil, nil, VersionTLS11},
 		{ed25519Cert, nil, nil, VersionTLS10},
-		{ed25519Cert, nil, nil, VersionSSL30},
-
-		// ECDSA is unspecified for SSL 3.0 in RFC 4492.
-		// TODO a SSL 3.0 client cannot advertise signature_algorithms,
-		// but if an application feeds an ECDSA certificate anyway, it
-		// will be accepted rather than trigger a handshake failure. Ok?
-		//{ecdsaCert, nil, nil, VersionSSL30},
 	}

 	for testNo, test := range badTests {