Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/tls: Add support for SHA256 CBC ciphers #15487

Closed
fatmcgav opened this issue Apr 29, 2016 · 3 comments
Closed

crypto/tls: Add support for SHA256 CBC ciphers #15487

fatmcgav opened this issue Apr 29, 2016 · 3 comments
Labels
FrozenDueToAge
Milestone
Unplanned

Comments

@fatmcgav
Copy link

I am currently attempting to use Golang v1.6 to interact with a 3rd party WS API.

Currently, they have a very limited set of supported ciphers:

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Unfortunately none of these overlap with supported Go's supported ciphers. Therefore I just get an 'EOF' response currently.

Putting it out on the golang-nuts mailing list, I got a response from Phus Lu which included a commit that adds the following ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256

Is there appetite to add support for these cipher suites to core?
@bradfitz bradfitz added this to the Unplanned milestone Apr 29, 2016
@phuslu
Copy link

phuslu commented Apr 30, 2016

There're more and more TLSv1.2-only servers in these days.
Hopefully go could have full TLSv1.2 ciphers support in future releases.

@fatmcgav fatmcgav mentioned this issue May 2, 2016
Closed
@gopherbot
Copy link

CL https://golang.org/cl/27315 mentions this issue.

@devcodewak devcodewak mentioned this issue Aug 19, 2016
Open
fatmcgav pushed a commit to fatmcgav/go that referenced this issue Oct 10, 2016
@agl @fatmcgav
crypto/tls: support AES-128-CBC cipher suites with SHA-256.
d8a78e8 
These were new with TLS 1.2 and, reportedly, some servers require it.
Since it's easy, this change adds suport for three flavours of
AES-128-CBC with SHA-256 MACs.

Other testdata/ files have to be updated because this changes the list
of cipher suites offered by default by the client.

Fixes golang#15487.

Change-Id: I1b14330c31eeda20185409a37072343552c3464f
Reviewed-on: https://go-review.googlesource.com/27315
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@gopherbot
Copy link

CL https://golang.org/cl/35290 mentions this issue.

gopherbot pushed a commit that referenced this issue Jan 17, 2017
@FiloSottile @bradfitz
crypto/tls: disable CBC cipher suites with SHA-256 by default
48d8edb 
As is, they were fully vulnerable to the Lucky13 attack. The SHA1
variants implement limited countermeasures (see f28cf83) but the
SHA256 ones are apparently used rarely enough (see 8741504) that
it's not worth the extra code.

Instead, disable them by default and update the warning.

Updates #13385
Updates #15487

Change-Id: I45b8b716001e2fa0811b17e25be76e2512e5abb2
Reviewed-on: https://go-review.googlesource.com/35290
Reviewed-by: Adam Langley <alangley@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Matt Layher <mdlayher@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@FiloSottile FiloSottile mentioned this issue Aug 26, 2017
Closed
@golang golang locked and limited conversation to collaborators Jan 17, 2018
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
@agl
crypto/tls: support AES-128-CBC cipher suites with SHA-256.
e099795 
These were new with TLS 1.2 and, reportedly, some servers require it.
Since it's easy, this change adds suport for three flavours of
AES-128-CBC with SHA-256 MACs.

Other testdata/ files have to be updated because this changes the list
of cipher suites offered by default by the client.

Fixes golang#15487.

Change-Id: I1b14330c31eeda20185409a37072343552c3464f
Reviewed-on: https://go-review.googlesource.com/27315
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
@agl
crypto/tls: support AES-128-CBC cipher suites with SHA-256.
cfd077f 
These were new with TLS 1.2 and, reportedly, some servers require it.
Since it's easy, this change adds suport for three flavours of
AES-128-CBC with SHA-256 MACs.

Other testdata/ files have to be updated because this changes the list
of cipher suites offered by default by the client.

Fixes golang#15487.

Change-Id: I1b14330c31eeda20185409a37072343552c3464f
Reviewed-on: https://go-review.googlesource.com/27315
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
5 participants
@bradfitz @agl @phuslu @fatmcgav @gopherbot