tls-tris

Verlauf

Adam Langley 4e47a4aef7 crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043		vor 10 Jahren
..
Client-TLSv10-ClientCert-ECDSA-ECDSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv10-ClientCert-ECDSA-RSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv10-ClientCert-RSA-ECDSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv10-ClientCert-RSA-RSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv10-ECDHE-ECDSA-AES	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv10-ECDHE-RSA-AES	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv10-RSA-RC4	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv11-ECDHE-ECDSA-AES	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv11-ECDHE-RSA-AES	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv11-RSA-RC4	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv12-ALPN	crypto/tls: add ALPN support.	vor 10 Jahren
Client-TLSv12-ALPN-NoMatch	crypto/tls: add ALPN support.	vor 10 Jahren
Client-TLSv12-ClientCert-ECDSA-ECDSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv12-ClientCert-ECDSA-RSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv12-ClientCert-RSA-ECDSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv12-ClientCert-RSA-RSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv12-ECDHE-ECDSA-AES	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv12-ECDHE-ECDSA-AES-GCM	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv12-ECDHE-RSA-AES	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Client-TLSv12-RSA-RC4	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Server-SSLv3-RSA-3DES	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-SSLv3-RSA-AES	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-SSLv3-RSA-RC4	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv10-ECDHE-ECDSA-AES	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Server-TLSv10-RSA-3DES	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv10-RSA-AES	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv10-RSA-RC4	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv11-FallbackSCSV	crypto/tls: support TLS_FALLBACK_SCSV as a server.	vor 10 Jahren
Server-TLSv11-RSA-RC4	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-ALPN	crypto/tls: add ALPN support.	vor 10 Jahren
Server-TLSv12-ALPN-NoMatch	crypto/tls: add ALPN support.	vor 10 Jahren
Server-TLSv12-CipherSuiteCertPreferenceECDSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Server-TLSv12-CipherSuiteCertPreferenceRSA	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Server-TLSv12-ClientAuthRequestedAndECDSAGiven	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-ClientAuthRequestedAndGiven	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-ClientAuthRequestedNotGiven	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-ECDHE-ECDSA-AES	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Server-TLSv12-IssueTicket	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-IssueTicketPreDisable	crypto/tls: ensure that we don't resume when tickets are disabled.	vor 10 Jahren
Server-TLSv12-RSA-3DES	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-RSA-AES	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-RSA-AES-GCM	crypto/tls: pick ECDHE curves based on server preference.	vor 10 Jahren
Server-TLSv12-RSA-RC4	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-Resume	crypto/tls: support renegotiation extension.	vor 10 Jahren
Server-TLSv12-ResumeDisabled	crypto/tls: ensure that we don't resume when tickets are disabled.	vor 10 Jahren
Server-TLSv12-SNI	crypto/tls: support renegotiation extension.	vor 10 Jahren