Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: TLS_FALLBACK_SCSV only if MaxVersion is set #11047

Closed
jansauer opened this issue Jun 3, 2015 · 1 comment
Closed

crypto/tls: TLS_FALLBACK_SCSV only if MaxVersion is set #11047

jansauer opened this issue Jun 3, 2015 · 1 comment
Milestone

Comments

@jansauer
Copy link

jansauer commented Jun 3, 2015

Based on my tests with ssllabs.com I only get downgrade attack prevention with TLS_FALLBACK_SCSV if I set MaxVersion in my tls.Config.

I tried it with TLS_FALLBACK_SCSV as first and as the last entry of my cipher suites but without any luck.

Here my server code

    config := &tls.Config{
        MinVersion: tls.VersionTLS11,
        MaxVersion: tls.VersionTLS12,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
            tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
        },
        PreferServerCipherSuites: true,
        ClientSessionCache:       tls.NewLRUClientSessionCache(128),
    }

    server := &http.Server{Addr: ":4000", Handler: nil, TLSConfig: config}
    http2.ConfigureServer(server, nil)

    log.Printf("Staring webserver ...")
    go http.ListenAndServe(":3000", nil)
    server.ListenAndServeTLS(TLS_PUBLIC_KEY, TLS_PRIVATE_KEY)
@titanous
Copy link
Member

titanous commented Jun 5, 2015

This was fixed in 1965b03 which will be included in the 1.5 release.

@mikioh mikioh added this to the Go1.5 milestone Jun 6, 2015
@mikioh mikioh closed this as completed Jun 6, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

4 participants