Skip to content

crypto/tls: incorrect ciphers advertised in TLS 1.3 only mode #57771

New issue
New issue
Closed
Closed
crypto/tls: incorrect ciphers advertised in TLS 1.3 only mode#57771
Assignees
FiloSottile
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.
Milestone
 
Go1.21
@enj

Description

@enj
enj
opened on Jan 13, 2023

What version of Go are you using (go version)?

$ go version
go version go1.19.4 darwin/arm64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="arm64"
GOBIN=""
GOCACHE="$HOME/Library/Caches/go-build"
GOENV="$HOME/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="arm64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="$HOME/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="$HOME/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="$HOME/.gvm/gos/go1.19.4"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="$HOME/.gvm/gos/go1.19.4/pkg/tool/darwin_arm64"
GOVCS=""
GOVERSION="go1.19.4"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=$HOME/.tmp/go-build2231328078=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Set tls.Config.MinVersion to tls.VersionTLS13 and use that config to perform a TLS handshake.

What did you expect to see?

The server should see that tls.ClientHelloInfo.CipherSuites is set to tls.defaultCipherSuitesTLS13NoAES.

What did you see instead?

The servers sees TLS 1.2 cipher suites in tls.ClientHelloInfo.CipherSuites.

#49293 fixes this bug.

Activity

enj
mentioned this on Jan 13, 2023
gopherbot

gopherbot commented on Jan 13, 2023

@gopherbot
gopherbot
on Jan 13, 2023
Contributor

Change https://go.dev/cl/360794 mentions this issue: crypto/tls: advertise correct ciphers in TLS 1.3 only mode

seankhliao
added
NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
on Jan 13, 2023
seankhliao

seankhliao commented on Jan 13, 2023

@seankhliao
seankhliao
on Jan 13, 2023
Member

cc @golang/security

seankhliao
added this to the Unplanned milestone on Jan 20, 2023
mateusz834
mentioned this on Mar 30, 2023
marten-seemann

marten-seemann commented on May 24, 2023

@marten-seemann
marten-seemann
on May 24, 2023
Contributor

Any chance this issue could be resolved any time soon? This is becoming more relevant now that crypto/tls is gaining QUIC support (#44886), since QUIC only uses TLS 1.3.

For reference, I've made the equivalent change to my crypto/tls fork for quic-go in quic-go/qtls-go1-20@a42b12e. With #60107, I finally won't need to fork crypto/tls any more, so it would be nice to have this in crypto/tls.

FiloSottile
modified the milestones: Unplanned, Go1.21 on May 24, 2023
FiloSottile
self-assigned this
on May 24, 2023
FiloSottile
added this to @FiloSottile's Go planson May 24, 2023
rolandshoemaker
mentioned this on May 25, 2023
gopherbot
closed this as completedin 20e08feon May 25, 2023
github-project-automation
moved this to Done in @FiloSottile's Go planson May 25, 2023
dmitshur
removed
NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
on May 25, 2023

4 remaining items

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.

Type

No type

Projects

No projects

Milestone

Relationships

None yet

    Development

    Participants

    @FiloSottile@marten-seemann@dmitshur@enj@gopherbot

    Issue actions
      crypto/tls: incorrect ciphers advertised in TLS 1.3 only mode · Issue #57771 · golang/go