]> Cypherpunks.ru repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 5d9bc60) | patch
crypto/tls: disable RSA-PSS in TLS 1.2
authorFilippo Valsorda <filippo@golang.org>
Tue, 5 Feb 2019 20:27:56 +0000 (15:27 -0500)
committerFilippo Valsorda <filippo@golang.org>
Thu, 7 Feb 2019 18:34:43 +0000 (18:34 +0000)
commit7ccd3583eddcd79679fb29cfc83a6e6fb6973f1e
tree2e0003c76862f5f80907778c5e6265fdb7c5814ftree
parent5d9bc60893d66073ca82eecee7c9800321535f52commit | diff
crypto/tls: disable RSA-PSS in TLS 1.2

Most of the issues that led to the decision on #30055 were related to
incompatibility with or faulty support for RSA-PSS (#29831, #29779,
v1.5 signatures). RSA-PSS is required by TLS 1.3, but is also available
to be negotiated in TLS 1.2.

Altering TLS 1.2 behavior based on GODEBUG=tls13=1 feels surprising, so
just disable RSA-PSS entirely in TLS 1.2 until TLS 1.3 is on by default,
so breakage happens all at once.

Updates #30055

Change-Id: Iee90454a20ded8895e5302e8bcbcd32e4e3031c2
Reviewed-on: https://go-review.googlesource.com/c/160998
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
16 files changed:
doc/go1.12.html diff | blob | history
src/crypto/tls/common.go diff | blob | history
src/crypto/tls/conn_test.go diff | blob | history
src/crypto/tls/handshake_client_test.go diff | blob | history
src/crypto/tls/handshake_server.go diff | blob | history
src/crypto/tls/handshake_server_test.go diff | blob | history
src/crypto/tls/key_agreement.go diff | blob | history
src/crypto/tls/testdata/Client-TLSv12-ClientCert-RSA-PSS-Disabled [new file with mode: 0644] blob
src/crypto/tls/testdata/Client-TLSv13-ClientCert-RSA-PSS-Disabled [new file with mode: 0644] blob
src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven-PSS-Disabled [new file with mode: 0644] blob
src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven-PSS-Disabled-Required [new file with mode: 0644] blob
src/crypto/tls/testdata/Server-TLSv12-RSA-PSS-Disabled [new file with mode: 0644] blob
src/crypto/tls/testdata/Server-TLSv12-RSA-PSS-Disabled-Required [new file with mode: 0644] blob
src/crypto/tls/testdata/Server-TLSv13-ClientAuthRequestedAndGiven-PSS-Disabled [new file with mode: 0644] blob
src/crypto/tls/testdata/Server-TLSv13-RSA-PSS-Disabled [new file with mode: 0644] blob
src/crypto/tls/tls_test.go diff | blob | history
Go GOST TLS 1.3