crypto/tls: change default minimum version to 1.2

Updates the default from 1.0 -> 1.2 for servers, bringing it in line
with clients. Add a GODEBUG setting, tls10server, which lets users
revert this change.

Fixes #62459

Change-Id: I2b82f85b1c2d527df1f9afefae4ab30a8f0ceb41
Reviewed-on: https://go-review.googlesource.com/c/go/+/541516
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

diff --git a/doc/godebug.md b/doc/godebug.md
index e4978b9d26334e3279db1715ed99ed3797b2092f..2ca27a640d33258158ede414d45c5c00bc2d5d64 100644 (file)
--- a/doc/godebug.md
+++ b/doc/godebug.md
@@ -151,6 +151,10 @@ For Go 1.22 it defaults to `gotypesalias=0`.
 For Go 1.23, `gotypealias=1` will become the default.
 This setting will be removed in a future release, Go 1.24 at the earliest.
 
+Go 1.22 changed the default minimum TLS version supported by both servers
+and clients to TLS 1.2. The default can be reverted to TLS 1.0 using the
+[`tls10server` setting](/pkg/crypto/tls/#Config).
+
 ### Go 1.21
 
 Go 1.21 made it a run-time error to call `panic` with a nil interface value,

diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index 656cb686508d45c01b074bc52fd622b126802606..69b0ee6ede7a6ed516688685a545d943af37355b 100644 (file)
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -18,6 +18,7 @@ import (
        "crypto/x509"
        "errors"
        "fmt"
+       "internal/godebug"
        "io"
        "net"
        "strings"
@@ -732,14 +733,11 @@ type Config struct {
 
        // MinVersion contains the minimum TLS version that is acceptable.
        //
-       // By default, TLS 1.2 is currently used as the minimum when acting as a
-       // client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
-       // supported by this package, both as a client and as a server.
+       // By default, TLS 1.2 is currently used as the minimum. TLS 1.0 is the
+       // minimum supported by this package.
        //
-       // The client-side default can temporarily be reverted to TLS 1.0 by
-       // including the value "x509sha1=1" in the GODEBUG environment variable.
-       // Note that this option will be removed in Go 1.19 (but it will still be
-       // possible to set this field to VersionTLS10 explicitly).
+       // The server-side default can be reverted to TLS 1.0 by including the value
+       // "tls10server=1" in the GODEBUG environment variable.
        MinVersion uint16
 
        // MaxVersion contains the maximum TLS version that is acceptable.
@@ -1028,15 +1026,20 @@ var supportedVersions = []uint16{
 const roleClient = true
 const roleServer = false
 
+var tls10godebug = godebug.New("tls10server")
+
 func (c *Config) supportedVersions(isClient bool) []uint16 {
        versions := make([]uint16, 0, len(supportedVersions))
        for _, v := range supportedVersions {
                if needFIPS() && (v < fipsMinVersion(c) || v > fipsMaxVersion(c)) {
                        continue
                }
-               if (c == nil || c.MinVersion == 0) &&
-                       isClient && v < VersionTLS12 {
-                       continue
+               if (c == nil || c.MinVersion == 0) && v < VersionTLS12 {
+                       if !isClient && tls10godebug.Value() == "1" {
+                               tls10godebug.IncNonDefault()
+                       } else {
+                               continue
+                       }
                }
                if c != nil && c.MinVersion != 0 && v < c.MinVersion {
                        continue

diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go
index 04abdcca89040db2bec1c55a8cfbe2c92c008bbf..15db760716c3dfe7f7024264e99bda7e5d1903b0 100644 (file)
--- a/src/crypto/tls/handshake_server_test.go
+++ b/src/crypto/tls/handshake_server_test.go
@@ -389,21 +389,22 @@ func TestClose(t *testing.T) {
 func TestVersion(t *testing.T) {
        serverConfig := &Config{
                Certificates: testConfig.Certificates,
-               MaxVersion:   VersionTLS11,
+               MaxVersion:   VersionTLS13,
        }
        clientConfig := &Config{
                InsecureSkipVerify: true,
-               MinVersion:         VersionTLS10,
+               MinVersion:         VersionTLS12,
        }
        state, _, err := testHandshake(t, clientConfig, serverConfig)
        if err != nil {
                t.Fatalf("handshake failed: %s", err)
        }
-       if state.Version != VersionTLS11 {
+       if state.Version != VersionTLS13 {
                t.Fatalf("incorrect version %x, should be %x", state.Version, VersionTLS11)
        }
 
        clientConfig.MinVersion = 0
+       serverConfig.MaxVersion = VersionTLS11
        _, _, err = testHandshake(t, clientConfig, serverConfig)
        if err == nil {
                t.Fatalf("expected failure to connect with TLS 1.0/1.1")
@@ -487,17 +488,17 @@ func testCrossVersionResume(t *testing.T, version uint16) {
                InsecureSkipVerify: true,
                ClientSessionCache: NewLRUClientSessionCache(1),
                ServerName:         "servername",
-               MinVersion:         VersionTLS10,
+               MinVersion:         VersionTLS12,
        }
 
-       // Establish a session at TLS 1.1.
-       clientConfig.MaxVersion = VersionTLS11
+       // Establish a session at TLS 1.3.
+       clientConfig.MaxVersion = VersionTLS13
        _, _, err := testHandshake(t, clientConfig, serverConfig)
        if err != nil {
                t.Fatalf("handshake failed: %s", err)
        }
 
-       // The client session cache now contains a TLS 1.1 session.
+       // The client session cache now contains a TLS 1.3 session.
        state, _, err := testHandshake(t, clientConfig, serverConfig)
        if err != nil {
                t.Fatalf("handshake failed: %s", err)
@@ -507,7 +508,7 @@ func testCrossVersionResume(t *testing.T, version uint16) {
        }
 
        // Test that the server will decline to resume at a lower version.
-       clientConfig.MaxVersion = VersionTLS10
+       clientConfig.MaxVersion = VersionTLS12
        state, _, err = testHandshake(t, clientConfig, serverConfig)
        if err != nil {
                t.Fatalf("handshake failed: %s", err)
@@ -516,7 +517,7 @@ func testCrossVersionResume(t *testing.T, version uint16) {
                t.Fatalf("handshake resumed at a lower version")
        }
 
-       // The client session cache now contains a TLS 1.0 session.
+       // The client session cache now contains a TLS 1.2 session.
        state, _, err = testHandshake(t, clientConfig, serverConfig)
        if err != nil {
                t.Fatalf("handshake failed: %s", err)
@@ -526,7 +527,7 @@ func testCrossVersionResume(t *testing.T, version uint16) {
        }
 
        // Test that the server will decline to resume at a higher version.
-       clientConfig.MaxVersion = VersionTLS11
+       clientConfig.MaxVersion = VersionTLS13
        state, _, err = testHandshake(t, clientConfig, serverConfig)
        if err != nil {
                t.Fatalf("handshake failed: %s", err)
@@ -1170,6 +1171,7 @@ func TestServerResumptionDisabled(t *testing.T) {
 func TestFallbackSCSV(t *testing.T) {
        serverConfig := Config{
                Certificates: testConfig.Certificates,
+               MinVersion:   VersionTLS11,
        }
        test := &serverTest{
                name:   "FallbackSCSV",

diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go
index c3f16c704a168de71311a45e4be5d1eeeca56966..16f655dd93dbebcca445931aa1e4b64e5eb39b8b 100644 (file)
--- a/src/crypto/tls/tls_test.go
+++ b/src/crypto/tls/tls_test.go
@@ -1365,6 +1365,7 @@ func TestClientHelloInfo_SupportsCertificate(t *testing.T) {
                        SupportedPoints:   []uint8{pointFormatUncompressed},
                        SignatureSchemes:  []SignatureScheme{Ed25519},
                        SupportedVersions: []uint16{VersionTLS10},
+                       config:            &Config{MinVersion: VersionTLS10},
                }, "doesn't support Ed25519"},
                {ed25519Cert, &ClientHelloInfo{
                        CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
@@ -1379,6 +1380,7 @@ func TestClientHelloInfo_SupportsCertificate(t *testing.T) {
                        SupportedCurves:   []CurveID{CurveP256}, // only relevant for ECDHE support
                        SupportedPoints:   []uint8{pointFormatUncompressed},
                        SupportedVersions: []uint16{VersionTLS10},
+                       config:            &Config{MinVersion: VersionTLS10},
                }, ""},
                {rsaCert, &ClientHelloInfo{
                        CipherSuites:      []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},

diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
index fb5de8a21e63ca5ca206267719a03e1279a5bd3e..6ec039f7b7eec7f081766a49e1011436b64dd5fb 100644 (file)
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@@ -45,6 +45,7 @@ var All = []Info{
        {Name: "panicnil", Package: "runtime", Changed: 21, Old: "1"},
        {Name: "randautoseed", Package: "math/rand"},
        {Name: "tarinsecurepath", Package: "archive/tar"},
+       {Name: "tls10server", Package: "crypto/tls", Changed: 22, Old: "1"},
        {Name: "tlsmaxrsasize", Package: "crypto/tls"},
        {Name: "x509sha1", Package: "crypto/x509"},
        {Name: "x509usefallbackroots", Package: "crypto/x509"},

diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
index 6b614184f39b292543200669ea0302dcd85db7e1..a89f6dca65dd72b0d8fbf84a6e2686a13460f233 100644 (file)
--- a/src/runtime/metrics/doc.go
+++ b/src/runtime/metrics/doc.go
@@ -303,6 +303,10 @@ Below is the full list of supported metrics, ordered lexicographically.
                package due to a non-default GODEBUG=tarinsecurepath=...
                setting.
 
+       /godebug/non-default-behavior/tls10server:events
+               The number of non-default behaviors executed by the crypto/tls
+               package due to a non-default GODEBUG=tls10server=... setting.
+
        /godebug/non-default-behavior/tlsmaxrsasize:events
                The number of non-default behaviors executed by the crypto/tls
                package due to a non-default GODEBUG=tlsmaxrsasize=... setting.