if isClient && v < VersionTLS10 {
continue
}
- // TLS 1.3 is opt-in in Go 1.12.
+ // TLS 1.3 is opt-out in Go 1.13.
if v == VersionTLS13 && !isTLS13Supported() {
continue
}
cached bool
}
-// isTLS13Supported returns whether the program opted into TLS 1.3 via
-// GODEBUG=tls13=1. It's cached after the first execution.
+// isTLS13Supported returns whether the program enabled TLS 1.3 by not opting
+// out with GODEBUG=tls13=0. It's cached after the first execution.
func isTLS13Supported() bool {
tls13Support.Do(func() {
- tls13Support.cached = goDebugString("tls13") == "1"
+ tls13Support.cached = goDebugString("tls13") != "0"
})
return tls13Support.cached
}
// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
//
-// TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable
+// TLS 1.3 is available on an opt-out basis in Go 1.13. To disable
// it, set the GODEBUG environment variable (comma-separated key=value
-// options) such that it includes "tls13=1". To enable it from within
-// the process, set the environment variable before any use of TLS:
-//
-// func init() {
-// os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
-// }
+// options) such that it includes "tls13=0".
package tls
// BUG(agl): The crypto/tls package only implements some countermeasures
"time"
)
-func init() {
- // TLS 1.3 is opt-in for Go 1.12, but we want to run most tests with it enabled.
- // TestTLS13Switch below tests the disabled behavior. See Issue 30055.
- tls13Support.Do(func() {}) // defuse the sync.Once
- tls13Support.cached = true
-}
-
var rsaCertPEM = `-----BEGIN CERTIFICATE-----
MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX