crypto/tls: remove RSA KEX ciphers from the default list

Removes the RSA KEX based ciphers from the default list. This can be reverted using the tlsrsakex GODEBUG. Fixes #63413 Change-Id: Id221be3eb2f6c24b91039d380313f0c87d339f98 Reviewed-on: https://go-review.googlesource.com/c/go/+/541517 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
2025-04-03 20:17:36 +03:00 · 2023-11-10 10:42:42 -08:00 · 2023-11-10 10:42:42 -08:00 · ae820c6a3c
commit ae820c6a3c
parent 3dc2410818
3 changed files with 36 additions and 4 deletions
--- a/common.go
+++ b/common.go
@ -670,7 +670,9 @@ type Config struct {
 	// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
 	//
 	// If CipherSuites is nil, a safe default list is used. The default cipher
-	// suites might change over time.
+	// suites might change over time. In Go 1.22 RSA key exchange based cipher
+	// suites were removed from the default list, but can be re-added with the
+	// GODEBUG setting tlsrsakex=1.
 	CipherSuites []uint16

 	// PreferServerCipherSuites is a legacy field and has no effect.