crypto/tls: disable 3-DES by default

Fixes #66214

Change-Id: Iba8006a17fc7cd33c7485ab1a1ef8f56531c0ed1
Reviewed-on: https://go-review.googlesource.com/c/go/+/587295
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
Filippo Valsorda 2024-05-22 11:39:41 +02:00 committed by Gopher Robot
parent bbd7da73e1
commit 470b5f1f9d
5 changed files with 41 additions and 24 deletions

View file

@ -687,7 +687,9 @@ type Config struct {
// If CipherSuites is nil, a safe default list is used. The default cipher
// suites might change over time. In Go 1.22 RSA key exchange based cipher
// suites were removed from the default list, but can be re-added with the
// GODEBUG setting tlsrsakex=1.
// GODEBUG setting tlsrsakex=1. In Go 1.23 3DES cipher suites were removed
// from the default list, but can be re-added with the GODEBUG setting
// tls3des=1.
CipherSuites []uint16
// PreferServerCipherSuites is a legacy field and has no effect.
@ -1025,8 +1027,6 @@ func (c *Config) time() time.Time {
return t()
}
var tlsrsakex = godebug.New("tlsrsakex")
func (c *Config) cipherSuites() []uint16 {
if needFIPS() {
return fipsCipherSuites(c)
@ -1034,10 +1034,7 @@ func (c *Config) cipherSuites() []uint16 {
if c.CipherSuites != nil {
return c.CipherSuites
}
if tlsrsakex.Value() == "1" {
return defaultCipherSuitesWithRSAKex
}
return defaultCipherSuites
return defaultCipherSuites()
}
var supportedVersions = []uint16{