crypto/tls: mark RSA KEX cipher suites insecure

Updates #63413 Change-Id: I31fc2f9728582524cac5d101d0011093dbd05ed3 Reviewed-on: https://go-review.googlesource.com/c/go/+/544336 Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
2025-04-03 20:17:36 +03:00 · 2023-11-21 23:25:51 +01:00 · 2023-11-21 23:25:51 +01:00 · 1be719a625
commit 1be719a625
parent fef99935ac
2 changed files with 17 additions and 13 deletions
--- a/tls_test.go
+++ b/tls_test.go
@ -1490,16 +1490,21 @@ func TestCipherSuites(t *testing.T) {
 	if len(cipherSuitesPreferenceOrderNoAES) != len(cipherSuitesPreferenceOrder) {
 		t.Errorf("cipherSuitesPreferenceOrderNoAES is not the same size as cipherSuitesPreferenceOrder")
 	}
+	if len(defaultCipherSuites) >= len(defaultCipherSuitesWithRSAKex) {
+		t.Errorf("defaultCipherSuitesWithRSAKex should be longer than defaultCipherSuites")
+	}

 	// Check that disabled suites are marked insecure.
-	for id := range disabledCipherSuites {
-		c := CipherSuiteByID(id)
-		if c == nil {
-			t.Errorf("%#04x: no CipherSuite entry", id)
-			continue
-		}
-		if !c.Insecure {
-			t.Errorf("%#04x: disabled by default but not marked insecure", id)
+	for _, badSuites := range []map[uint16]bool{disabledCipherSuites, rsaKexCiphers} {
+		for id := range badSuites {
+			c := CipherSuiteByID(id)
+			if c == nil {
+				t.Errorf("%#04x: no CipherSuite entry", id)
+				continue
+			}
+			if !c.Insecure {
+				t.Errorf("%#04x: disabled by default but not marked insecure", id)
+			}
 		}
 	}