crypto/tls: disable 3-DES by default

Fixes #66214 Change-Id: Iba8006a17fc7cd33c7485ab1a1ef8f56531c0ed1 Reviewed-on: https://go-review.googlesource.com/c/go/+/587295 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org>
2025-04-04 04:27:36 +03:00 · 2024-05-22 11:39:41 +02:00 · 2024-05-22 11:39:41 +02:00 · 470b5f1f9d
commit 470b5f1f9d
parent bbd7da73e1
5 changed files with 41 additions and 24 deletions
--- a/tls_test.go
+++ b/tls_test.go
@ -1458,6 +1458,16 @@ func TestCipherSuites(t *testing.T) {
 			t.Errorf("%#04x: suite TLS 1.0-1.2, but SupportedVersions is %v", c.id, cc.SupportedVersions)
 		}

+		if cc.Insecure {
+			if slices.Contains(defaultCipherSuites(), c.id) {
+				t.Errorf("%#04x: insecure suite in default list", c.id)
+			}
+		} else {
+			if !slices.Contains(defaultCipherSuites(), c.id) {
+				t.Errorf("%#04x: secure suite not in default list", c.id)
+			}
+		}
+
 		if got := CipherSuiteName(c.id); got != cc.Name {
 			t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name)
 		}
@ -1491,9 +1501,6 @@ func TestCipherSuites(t *testing.T) {
 	if len(cipherSuitesPreferenceOrderNoAES) != len(cipherSuitesPreferenceOrder) {
 		t.Errorf("cipherSuitesPreferenceOrderNoAES is not the same size as cipherSuitesPreferenceOrder")
 	}
-	if len(defaultCipherSuites) >= len(defaultCipherSuitesWithRSAKex) {
-		t.Errorf("defaultCipherSuitesWithRSAKex should be longer than defaultCipherSuites")
-	}

 	// Check that disabled suites are marked insecure.
 	for _, badSuites := range []map[uint16]bool{disabledCipherSuites, rsaKexCiphers} {