mirrors/XTLS_REALITY
0
0
Fork 0
mirror of https://github.com/XTLS/REALITY.git synced 2025-08-22 22:48:36 +00:00
Code

crypto/tls: disable 3-DES by default

Browse Source 
Fixes #66214

Change-Id: Iba8006a17fc7cd33c7485ab1a1ef8f56531c0ed1
Reviewed-on: https://go-review.googlesource.com/c/go/+/587295
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
yuhan6665 2024-08-18 22:46:19 -04:00
parent 7daa6c8547
commit 194e345d4a
2 changed files with 18 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
cipher_suites.go
View File

@ -16,6 +16,7 @@ import (
"fmt" "fmt"
"hash" "hash"
"runtime" "runtime"
"slices"
"golang.org/x/crypto/chacha20poly1305" "golang.org/x/crypto/chacha20poly1305"
"golang.org/x/sys/cpu" "golang.org/x/sys/cpu"
@ -345,21 +346,20 @@ var rsaKexCiphers = map[uint16]bool{
TLS_RSA_WITH_AES_256_GCM_SHA384: true, TLS_RSA_WITH_AES_256_GCM_SHA384: true,
} }
var defaultCipherSuites []uint16 // tdesCiphers contains 3DES ciphers,
var defaultCipherSuitesWithRSAKex []uint16 // which we also disable by default unless a GODEBUG is set.
var tdesCiphers = map[uint16]bool{
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: true,
TLS_RSA_WITH_3DES_EDE_CBC_SHA: true,
}
func init() { func defaultCipherSuites() []uint16 {
defaultCipherSuites = make([]uint16, 0, len(cipherSuitesPreferenceOrder)) suites := slices.Clone(cipherSuitesPreferenceOrder)
defaultCipherSuitesWithRSAKex = make([]uint16, 0, len(cipherSuitesPreferenceOrder)) return slices.DeleteFunc(suites, func(c uint16) bool {
for _, c := range cipherSuitesPreferenceOrder { return disabledCipherSuites[c] ||
if disabledCipherSuites[c] { rsaKexCiphers[c] ||
continue tdesCiphers[c]
} })
if !rsaKexCiphers[c] {
defaultCipherSuites = append(defaultCipherSuites, c)
}
defaultCipherSuitesWithRSAKex = append(defaultCipherSuitesWithRSAKex, c)
}
} }
// defaultCipherSuitesTLS13 is also the preference order, since there are no // defaultCipherSuitesTLS13 is also the preference order, since there are no

6
common.go
View File

@ -700,7 +700,9 @@ type Config struct {
// If CipherSuites is nil, a safe default list is used. The default cipher // If CipherSuites is nil, a safe default list is used. The default cipher
// suites might change over time. In Go 1.22 RSA key exchange based cipher // suites might change over time. In Go 1.22 RSA key exchange based cipher
// suites were removed from the default list, but can be re-added with the // suites were removed from the default list, but can be re-added with the
// GODEBUG setting tlsrsakex=1. // GODEBUG setting tlsrsakex=1. In Go 1.23 3DES cipher suites were removed
// from the default list, but can be re-added with the GODEBUG setting
// tls3des=1.
CipherSuites []uint16 CipherSuites []uint16
// PreferServerCipherSuites is a legacy field and has no effect. // PreferServerCipherSuites is a legacy field and has no effect.
@ -1056,7 +1058,7 @@ func (c *Config) cipherSuites() []uint16 {
if c.CipherSuites != nil { if c.CipherSuites != nil {
return c.CipherSuites return c.CipherSuites
} }
return defaultCipherSuites return defaultCipherSuites()
} }
var supportedVersions = []uint16{ var supportedVersions = []uint16{