mirrors/utls

Fork 0

mirror of https://github.com/refraction-networking/utls.git synced 2025-04-04 20:47:36 +03:00

Commit graph

Author	SHA1	Message	Date
Adam Langley	a367222d8d	crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043	2014-10-15 17:54:04 -07:00
Adam Langley	a59ca4a0e7	crypto/tls: ensure that we don't resume when tickets are disabled. LGTM=r R=r, adg, rsc https://golang.org/cl/148080043	2014-09-26 11:02:09 +10:00
Russ Cox	bb890c0d27	build: move package sources from src/pkg to src Preparation was in CL 134570043. This CL contains only the effect of 'hg mv src/pkg/* src'. For more about the move, see golang.org/s/go14nopkg.	2014-09-08 00:08:51 -04:00

Author

SHA1

Message

Date

Adam Langley

a367222d8d

crypto/tls: support TLS_FALLBACK_SCSV as a server.

A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only
supports SSLv3 as a server, not as a client. An easy fix is to change
the default minimum version to TLS 1.0 but that seems a little much
this late in the 1.4 process as it may break some things.

Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a
mechanism for solving the fallback problem overall. Chrome has
implemented this since February and Google has urged others to do so in
light of yesterday's news.

With this change, clients can indicate that they are doing a fallback
connection and Go servers will be able to correctly reject them.

[1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
[2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

LGTM=rsc
R=rsc
CC=golang-codereviews
https://golang.org/cl/157090043

2014-10-15 17:54:04 -07:00

Adam Langley

a59ca4a0e7

crypto/tls: ensure that we don't resume when tickets are disabled.

LGTM=r
R=r, adg, rsc
https://golang.org/cl/148080043

2014-09-26 11:02:09 +10:00

Russ Cox

bb890c0d27

build: move package sources from src/pkg to src

Preparation was in CL 134570043.
This CL contains only the effect of 'hg mv src/pkg/* src'.
For more about the move, see golang.org/s/go14nopkg.

2014-09-08 00:08:51 -04:00

1 2 3

103 commits