proposal: crypto/x509: remove x509sha1 GODEBUG in Go 1.24 #62048
Comments
|
looks like this isn't mentioned in the tip release notes for 1.22 at https://tip.golang.org/doc/go1.22 ... should it be? |
|
Hi, just wondering was this proposal finally executed? Are we still supporting SHA1 in in Go 1.24? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Go 1.18 disabled the use of SHA1 in most X.509 certificates by default but added a GODEBUG for re-enabling them, to accommodate private CAs that might not have updated yet. https://go.dev/crypto/x509#InsecureAlgorithmError
Per https://go.dev/doc/godebug#go-118 we can remove that GODEBUG in Go 1.22 or later. The GKE team, which is the only team that reached out about needing to keep SHA1, has gathered metrics about their own dependence (via customers) on this setting, and they believe that they won't need it anymore after Go 1.23.
Unless there are other users who need us to keep the setting around longer, I propose that we retire the x509sha1 GODEBUG in Go 1.24. We would pre-announce this in the release notes for both Go 1.22 and Go 1.23.
The text was updated successfully, but these errors were encountered: