golang/go
0
1
Fork 0
mirror of https://github.com/golang/go synced 2025-05-23 05:58:00 +00:00
Code Packages Activity
Files
master
go/doc/next/6-stdlib/99-minor/crypto/tls
History
Filippo Valsorda 59211acb5d crypto/tls: disable SHA-1 signature algorithms in TLS 1.2 
This implements RFC 9155 by removing support for SHA-1 algorithms:

  - we don't advertise them in ClientHello and CertificateRequest
    (where supportedSignatureAlgorithms is used directly)

  - we don't select them in our ServerKeyExchange and CertificateVerify
    (where supportedSignatureAlgorithms filters signatureSchemesForCertificate)

  - we reject them in the peer's ServerKeyExchange and CertificateVerify
    (where we check against the algorithms we advertised in ClientHello
    and CertificateRequest)
  
Fixes #72883

Change-Id: I6a6a4656e2aafd2c38cdd32090d3d8a9a8047818
Reviewed-on: https://go-review.googlesource.com/c/go/+/658216
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
2025-05-21 15:09:29 -07:00
..
67516.md
crypto/tls: add ConnectionState.CurveID
2025-03-13 08:19:32 -07:00
71920.md
crypto/tls: add GetEncryptedClientHelloKeys
2025-05-21 12:15:37 -07:00
72883.md
crypto/tls: disable SHA-1 signature algorithms in TLS 1.2
2025-05-21 15:09:29 -07:00
fips.md
crypto/tls: relax native FIPS 140-3 mode
2025-03-13 13:33:22 -07:00
version_pref.md
crypto/tls: have servers prefer TLS 1.3 when supported
2025-05-21 12:17:01 -07:00