crypto/tls: remove SSLv3 support

SSLv3 has been irreparably broken since the POODLE attack 5 years ago and RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use in no uncertain terms. As announced in the Go 1.13 release notes, remove support for it entirely in Go 1.14. Updates #32716 Change-Id: Id653557961d8f75f484a01e6afd2e104a4ccceaf Reviewed-on: https://go-review.googlesource.com/c/go/+/191976 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2025-04-03 20:17:36 +03:00 · 2019-08-27 17:27:45 -04:00 · 2019-08-27 17:27:45 -04:00 · 018f13d1a3
commit 018f13d1a3
parent 63a961538b
16 changed files with 34 additions and 474 deletions
--- a/handshake_server_test.go
+++ b/handshake_server_test.go
@ -61,36 +61,24 @@ func TestSimpleError(t *testing.T) {
 	testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message")
 }

-var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205}
+var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205, VersionSSL30}

 func TestRejectBadProtocolVersion(t *testing.T) {
+	config := testConfig.Clone()
+	config.MinVersion = VersionSSL30
 	for _, v := range badProtocolVersions {
-		testClientHelloFailure(t, testConfig, &clientHelloMsg{
+		testClientHelloFailure(t, config, &clientHelloMsg{
 			vers:   v,
 			random: make([]byte, 32),
 		}, "unsupported versions")
 	}
-	testClientHelloFailure(t, testConfig, &clientHelloMsg{
+	testClientHelloFailure(t, config, &clientHelloMsg{
 		vers:              VersionTLS12,
 		supportedVersions: badProtocolVersions,
 		random:            make([]byte, 32),
 	}, "unsupported versions")
 }

-func TestSSLv3OptIn(t *testing.T) {
-	config := testConfig.Clone()
-	config.MinVersion = 0
-	testClientHelloFailure(t, config, &clientHelloMsg{
-		vers:   VersionSSL30,
-		random: make([]byte, 32),
-	}, "unsupported versions")
-	testClientHelloFailure(t, config, &clientHelloMsg{
-		vers:              VersionTLS12,
-		supportedVersions: []uint16{VersionSSL30},
-		random:            make([]byte, 32),
-	}, "unsupported versions")
-}
-
 func TestNoSuiteOverlap(t *testing.T) {
 	clientHello := &clientHelloMsg{
 		vers:               VersionTLS10,
@ -689,10 +677,6 @@ func runServerTestForVersion(t *testing.T, template *serverTest, version, option
 	})
 }

-func runServerTestSSLv3(t *testing.T, template *serverTest) {
-	runServerTestForVersion(t, template, "SSLv3", "-ssl3")
-}
-
 func runServerTestTLS10(t *testing.T, template *serverTest) {
 	runServerTestForVersion(t, template, "TLSv10", "-tls1")
 }
@ -714,7 +698,6 @@ func TestHandshakeServerRSARC4(t *testing.T) {
 		name:    "RSA-RC4",
 		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},
 	}
-	runServerTestSSLv3(t, test)
 	runServerTestTLS10(t, test)
 	runServerTestTLS11(t, test)
 	runServerTestTLS12(t, test)
@ -725,7 +708,6 @@ func TestHandshakeServerRSA3DES(t *testing.T) {
 		name:    "RSA-3DES",
 		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"},
 	}
-	runServerTestSSLv3(t, test)
 	runServerTestTLS10(t, test)
 	runServerTestTLS12(t, test)
 }
@ -735,7 +717,6 @@ func TestHandshakeServerRSAAES(t *testing.T) {
 		name:    "RSA-AES",
 		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
 	}
-	runServerTestSSLv3(t, test)
 	runServerTestTLS10(t, test)
 	runServerTestTLS12(t, test)
 }