crypto/tls: incorrect ciphers advertised in TLS 1.3 only mode #57771

Closed
enj opened this issue Jan 13, 2023 · 3 comments
Labels: NeedsFix (The path to resolution is known, but the work has not been done.)


@enj
Contributor

enj commented Jan 13, 2023

What version of Go are you using (go version)?

$ go version
go version go1.19.4 darwin/arm64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="arm64"
GOBIN=""
GOCACHE="$HOME/Library/Caches/go-build"
GOENV="$HOME/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="arm64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="$HOME/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="$HOME/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="$HOME/.gvm/gos/go1.19.4"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="$HOME/.gvm/gos/go1.19.4/pkg/tool/darwin_arm64"
GOVCS=""
GOVERSION="go1.19.4"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=$HOME/.tmp/go-build2231328078=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Set tls.Config.MinVersion to tls.VersionTLS13 and use that config to perform a TLS handshake.

What did you expect to see?

The server should see that tls.ClientHelloInfo.CipherSuites is set to tls.defaultCipherSuitesTLS13NoAES.

What did you see instead?

The server sees TLS 1.2 cipher suites in tls.ClientHelloInfo.CipherSuites.


#49293 fixes this bug.
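
A way to check a given Go toolchain for the behaviour reported above, added here as an example and not code from the issue or the Go project: the server side captures `tls.ClientHelloInfo.CipherSuites` in `GetConfigForClient` and aborts, so no certificate is needed. The helper names `advertisedSuites` and `splitByVersion` and the `example.test` server name are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"time"
)

// advertisedSuites returns the IDs a server sees in tls.ClientHelloInfo.CipherSuites.
func advertisedSuites(clientCfg *tls.Config) []uint16 {
	cli, srv := net.Pipe() // in-memory connection, nothing leaves the process
	defer cli.Close()
	defer srv.Close()
	srv.SetDeadline(time.Now().Add(5 * time.Second)) // never hang if the client fails early
	var seen []uint16
	srvCfg := &tls.Config{GetConfigForClient: func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
		seen = append(seen, chi.CipherSuites...)
		return nil, errors.New("ClientHello captured") // abort the handshake on purpose
	}}
	go tls.Client(cli, clientCfg).Handshake() // fails once the server aborts
	tls.Server(srv, srvCfg).Handshake()       // returns after the callback ran
	return seen
}

// splitByVersion separates the three TLS 1.3 suites from everything else.
func splitByVersion(ids []uint16) (tls13, legacy []uint16) {
	for _, id := range ids {
		switch id {
		case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384, tls.TLS_CHACHA20_POLY1305_SHA256:
			tls13 = append(tls13, id)
		default:
			legacy = append(legacy, id)
		}
	}
	return tls13, legacy
}

func main() {
	// example.test is a placeholder ServerName; no certificate is ever verified.
	cfg := &tls.Config{ServerName: "example.test", MinVersion: tls.VersionTLS13}
	tls13, legacy := splitByVersion(advertisedSuites(cfg))
	fmt.Println("TLS 1.3 suites advertised:", len(tls13))
	for _, id := range legacy { // any entry here reproduces the report
		fmt.Printf("non-TLS 1.3 suite advertised: %s (0x%04x)\n", tls.CipherSuiteName(id), id)
	}
}
```

An empty second list means the toolchain in use advertises only TLS 1.3 suites for a TLS 1.3 only client config.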

@gopherbot

Change https://go.dev/cl/360794 mentions this issue: crypto/tls: advertise correct ciphers in TLS 1.3 only mode

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 13, 2023
@seankhliao
Member

cc @golang/security

@marten-seemann
Contributor

Any chance this issue could be resolved any time soon? This is becoming more relevant now that crypto/tls is gaining QUIC support (#44886), since QUIC only uses TLS 1.3.

For reference, I've made the equivalent change to my crypto/tls fork for quic-go in quic-go/qtls-go1-20@a42b12e. With #60107, I finally won't need to fork crypto/tls any more, so it would be nice to have this in crypto/tls.

@FiloSottile FiloSottile modified the milestones: Unplanned, Go1.21 May 24, 2023
@FiloSottile FiloSottile self-assigned this May 24, 2023
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels May 25, 2023