crypto/tls: cannot send TLS_FALLBACK_SCSV #9831
Comments
Another one for @agl.
The Go client doesn't do fallback so doesn't need to send TLS_FALLBACK_SCSV. Why do you think that you need to send it?
I wanted to check whether my server is handling TLS_FALLBACK_SCSV correctly and using crypto/tls seemed the easiest option. It's not the most important feature but it would be nice.
On the fence about whether we want to support this, but dropping for 1.5 at least. You would probably be better off constructing a little ClientHello message yourself for this sort of testing.
I'm going to call this one: I don't think that supporting this option is worthwhile in the standard library. The use-case is pretty obscure and there are lots of testing needs that can only be met by crafting ClientHellos already.
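The hand-crafted ClientHello suggested in the comments above, as an added example that is not part of the original thread or of crypto/tls: it builds a minimal hello carrying TLS_FALLBACK_SCSV (0x5600, RFC 7507) and recognises the fatal inappropriate_fallback alert (86) a compliant server returns. The function names, the offered suite 0x002f, the absence of extensions (so no SNI) and the sample reply bytes are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

const (
	fallbackSCSV               = 0x5600 // TLS_FALLBACK_SCSV, RFC 7507
	alertInappropriateFallback = 86     // alert description, RFC 7507
)

// u16 appends v in network byte order.
func u16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildClientHello (hypothetical helper) returns one TLS record holding a
// minimal ClientHello, without extensions, offering suites at clientVersion.
func buildClientHello(clientVersion uint16, suites []uint16) []byte {
	body := u16(nil, clientVersion)
	random := make([]byte, 32)
	rand.Read(random)
	body = append(body, random...)
	body = append(body, 0) // empty session_id
	body = u16(body, uint16(2*len(suites)))
	for _, s := range suites {
		body = u16(body, s)
	}
	body = append(body, 1, 0) // one compression method: null
	hs := []byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}
	hs = append(hs, body...)
	rec := u16([]byte{0x16, 0x03, 0x01}, uint16(len(hs))) // handshake record
	return append(rec, hs...)
}

// rejectedFallback reports whether a reply record is the fatal
// inappropriate_fallback alert (level 2, description 86).
func rejectedFallback(rec []byte) bool {
	return len(rec) >= 7 && rec[0] == 0x15 && rec[3] == 0 && rec[4] == 2 &&
		rec[5] == 2 && rec[6] == alertInappropriateFallback
}

func main() {
	// Offer TLS 1.1 (0x0302) with one ordinary suite plus the SCSV.
	hello := buildClientHello(0x0302, []uint16{0x002f, fallbackSCSV})
	fmt.Printf("ClientHello (%d bytes): % x\n", len(hello), hello)
	// Constructed sample reply: alert record, fatal, description 86.
	reply := []byte{0x15, 0x03, 0x02, 0x00, 0x02, 0x02, 0x56}
	fmt.Println("server rejected fallback:", rejectedFallback(reply))
}
```

To test a server you operate, write the hello to a plain TCP connection (net.Dial) and pass the first record of the reply to rejectedFallback. The alert is only expected when the server supports a protocol version higher than the one offered in the hello.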
version: go1.4.1
Because the ClientHello's cipher suites are constructed in tls.Conn.clientHandshake() (crypto/tls/handshake_client.go:31) from the cipherSuites slice defined at crypto/tls/cipher_suites.go:69, which doesn't contain an entry for TLS_FALLBACK_SCSV, it's impossible for the package to send the SCSV. The relevant code is as follows:
Since TLS_FALLBACK_SCSV is not in cipherSuites, line 72 above will skip over any entries of TLS_FALLBACK_SCSV in the tls.Config. The following patch would resolve the issue: