For Go 1.23, `gotypealias=1` will become the default.
This setting will be removed in a future release, Go 1.24 at the earliest.
+Go 1.22 changed the default minimum TLS version supported by both servers
+and clients to TLS 1.2. The default can be reverted to TLS 1.0 using the
+[`tls10server` setting](/pkg/crypto/tls/#Config).
+
### Go 1.21
Go 1.21 made it a run-time error to call `panic` with a nil interface value,
"crypto/x509"
"errors"
"fmt"
+ "internal/godebug"
"io"
"net"
"strings"
// MinVersion contains the minimum TLS version that is acceptable.
//
- // By default, TLS 1.2 is currently used as the minimum when acting as a
- // client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
- // supported by this package, both as a client and as a server.
+ // By default, TLS 1.2 is currently used as the minimum. TLS 1.0 is the
+ // minimum supported by this package.
//
- // The client-side default can temporarily be reverted to TLS 1.0 by
- // including the value "x509sha1=1" in the GODEBUG environment variable.
- // Note that this option will be removed in Go 1.19 (but it will still be
- // possible to set this field to VersionTLS10 explicitly).
+ // The server-side default can be reverted to TLS 1.0 by including the value
+ // "tls10server=1" in the GODEBUG environment variable.
MinVersion uint16
// MaxVersion contains the maximum TLS version that is acceptable.
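Review bot: The rewritten MinVersion comment no longer says that the field can be set to VersionTLS10 explicitly, which leaves the process-wide GODEBUG as the only documented way back to TLS 1.0/1.1. The version filter in supportedVersions applies the TLS 1.2 floor only when MinVersion is zero, so a per-Config setting is the narrower option and worth naming; I would add `// Setting this field to VersionTLS10 explicitly is still possible and affects only this Config.` It would also help to state that "tls10server=1" has no effect on clients or on a Config with a non-zero MinVersion. The Config struct starts and ends outside this hunk.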
const roleClient = true
const roleServer = false
+var tls10godebug = godebug.New("tls10server")
+
func (c *Config) supportedVersions(isClient bool) []uint16 {
versions := make([]uint16, 0, len(supportedVersions))
for _, v := range supportedVersions {
if needFIPS() && (v < fipsMinVersion(c) || v > fipsMaxVersion(c)) {
continue
}
- if (c == nil || c.MinVersion == 0) &&
- isClient && v < VersionTLS12 {
- continue
+ if (c == nil || c.MinVersion == 0) && v < VersionTLS12 {
+ if !isClient && tls10godebug.Value() == "1" {
+ tls10godebug.IncNonDefault()
+ } else {
+ continue
+ }
}
if c != nil && c.MinVersion != 0 && v < c.MinVersion {
continue
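Review bot: `tls10godebug.IncNonDefault()` sits inside the per-version loop, so with `tls10server=1` it fires once for every version below TLS 1.2 each time a server calls supportedVersions, whether or not the peer ends up negotiating TLS 1.0 or 1.1. That makes `/godebug/non-default-behavior/tls10server:events` unusable for telling whether any client still depends on the legacy versions, which is what an operator needs to know before removing the setting. Keeping this branch as a pure filter, `if isClient || tls10godebug.Value() != "1" { continue }`, and incrementing the counter where a handshake actually settles on a version below VersionTLS12 would give a meaningful count; that site is not visible in this hunk. The body of supportedVersions continues past the hunk's last line.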
func TestVersion(t *testing.T) {
serverConfig := &Config{
Certificates: testConfig.Certificates,
- MaxVersion: VersionTLS11,
+ MaxVersion: VersionTLS13,
}
clientConfig := &Config{
InsecureSkipVerify: true,
- MinVersion: VersionTLS10,
+ MinVersion: VersionTLS12,
}
state, _, err := testHandshake(t, clientConfig, serverConfig)
if err != nil {
t.Fatalf("handshake failed: %s", err)
}
- if state.Version != VersionTLS11 {
+ if state.Version != VersionTLS13 {
t.Fatalf("incorrect version %x, should be %x", state.Version, VersionTLS11)
}
clientConfig.MinVersion = 0
+ serverConfig.MaxVersion = VersionTLS11
_, _, err = testHandshake(t, clientConfig, serverConfig)
if err == nil {
t.Fatalf("expected failure to connect with TLS 1.0/1.1")
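Review bot: The failure message under the `state.Version != VersionTLS13` check still passes VersionTLS11 as the expected value, so a failing run would report the wrong target version; it should read `t.Fatalf("incorrect version %x, should be %x", state.Version, VersionTLS13)`. The hunk also leaves the `tls10server=1` server path uncovered: no case shown here sets the GODEBUG and checks that a server with a zero MinVersion accepts TLS 1.0/1.1 again while a client with a zero MinVersion still refuses them. TestVersion continues beyond the hunk.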
InsecureSkipVerify: true,
ClientSessionCache: NewLRUClientSessionCache(1),
ServerName: "servername",
- MinVersion: VersionTLS10,
+ MinVersion: VersionTLS12,
}
- // Establish a session at TLS 1.1.
- clientConfig.MaxVersion = VersionTLS11
+ // Establish a session at TLS 1.3.
+ clientConfig.MaxVersion = VersionTLS13
_, _, err := testHandshake(t, clientConfig, serverConfig)
if err != nil {
t.Fatalf("handshake failed: %s", err)
}
- // The client session cache now contains a TLS 1.1 session.
+ // The client session cache now contains a TLS 1.3 session.
state, _, err := testHandshake(t, clientConfig, serverConfig)
if err != nil {
t.Fatalf("handshake failed: %s", err)
}
// Test that the server will decline to resume at a lower version.
- clientConfig.MaxVersion = VersionTLS10
+ clientConfig.MaxVersion = VersionTLS12
state, _, err = testHandshake(t, clientConfig, serverConfig)
if err != nil {
t.Fatalf("handshake failed: %s", err)
t.Fatalf("handshake resumed at a lower version")
}
- // The client session cache now contains a TLS 1.0 session.
+ // The client session cache now contains a TLS 1.2 session.
state, _, err = testHandshake(t, clientConfig, serverConfig)
if err != nil {
t.Fatalf("handshake failed: %s", err)
}
// Test that the server will decline to resume at a higher version.
- clientConfig.MaxVersion = VersionTLS11
+ clientConfig.MaxVersion = VersionTLS13
state, _, err = testHandshake(t, clientConfig, serverConfig)
if err != nil {
t.Fatalf("handshake failed: %s", err)
func TestFallbackSCSV(t *testing.T) {
serverConfig := Config{
Certificates: testConfig.Certificates,
+ MinVersion: VersionTLS11,
}
test := &serverTest{
name: "FallbackSCSV",
SupportedPoints: []uint8{pointFormatUncompressed},
SignatureSchemes: []SignatureScheme{Ed25519},
SupportedVersions: []uint16{VersionTLS10},
+ config: &Config{MinVersion: VersionTLS10},
}, "doesn't support Ed25519"},
{ed25519Cert, &ClientHelloInfo{
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support
SupportedPoints: []uint8{pointFormatUncompressed},
SupportedVersions: []uint16{VersionTLS10},
+ config: &Config{MinVersion: VersionTLS10},
}, ""},
{rsaCert, &ClientHelloInfo{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
{Name: "panicnil", Package: "runtime", Changed: 21, Old: "1"},
{Name: "randautoseed", Package: "math/rand"},
{Name: "tarinsecurepath", Package: "archive/tar"},
+ {Name: "tls10server", Package: "crypto/tls", Changed: 22, Old: "1"},
{Name: "tlsmaxrsasize", Package: "crypto/tls"},
{Name: "x509sha1", Package: "crypto/x509"},
{Name: "x509usefallbackroots", Package: "crypto/x509"},
package due to a non-default GODEBUG=tarinsecurepath=...
setting.
+ /godebug/non-default-behavior/tls10server:events
+ The number of non-default behaviors executed by the crypto/tls
+ package due to a non-default GODEBUG=tls10server=... setting.
+
/godebug/non-default-behavior/tlsmaxrsasize:events
The number of non-default behaviors executed by the crypto/tls
package due to a non-default GODEBUG=tlsmaxrsasize=... setting.