crypto/tls: remove RSA KEX ciphers from the default list

Removes the RSA KEX based ciphers from the default list. This can be reverted using the tlsrsakex GODEBUG. Fixes #63413 Change-Id: Id221be3eb2f6c24b91039d380313f0c87d339f98 Reviewed-on: https://go-review.googlesource.com/c/go/+/541517 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
2025-08-22 14:38:35 +00:00 · 2024-08-18 18:37:35 -04:00 · 2024-08-18 18:37:35 -04:00 · 90b3d86d6a
commit 90b3d86d6a
parent f34f366b70
2 changed files with 30 additions and 3 deletions
--- a/cipher_suites.go
+++ b/cipher_suites.go
@ -334,10 +334,35 @@ var disabledCipherSuites = []uint16{
 }

 var (
-	defaultCipherSuitesLen = len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
-	defaultCipherSuites    = cipherSuitesPreferenceOrder[:defaultCipherSuitesLen]
+	defaultCipherSuitesLen int
+	defaultCipherSuites    []uint16
 )

+// rsaKexCiphers contains the ciphers which use RSA based key exchange,
+// which we disable by default.
+var rsaKexCiphers = map[uint16]bool{
+	TLS_RSA_WITH_RC4_128_SHA:        true,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA:   true,
+	TLS_RSA_WITH_AES_128_CBC_SHA:    true,
+	TLS_RSA_WITH_AES_256_CBC_SHA:    true,
+	TLS_RSA_WITH_AES_128_CBC_SHA256: true,
+	TLS_RSA_WITH_AES_128_GCM_SHA256: true,
+	TLS_RSA_WITH_AES_256_GCM_SHA384: true,
+}
+
+//var rsaKEXgodebug = godebug.New("tlsrsakex")
+
+func init() {
+	rsaKexEnabled := false // rsaKEXgodebug.Value() == "1"
+	for _, c := range cipherSuitesPreferenceOrder[:len(cipherSuitesPreferenceOrder)-len(disabledCipherSuites)] {
+		if !rsaKexEnabled && rsaKexCiphers[c] {
+			continue
+		}
+		defaultCipherSuites = append(defaultCipherSuites, c)
+	}
+	defaultCipherSuitesLen = len(defaultCipherSuites)
+}
+
 // defaultCipherSuitesTLS13 is also the preference order, since there are no
 // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
 // cipherSuitesPreferenceOrder applies.
--- a/common.go
+++ b/common.go
@ -683,7 +683,9 @@ type Config struct {
 	// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
 	//
 	// If CipherSuites is nil, a safe default list is used. The default cipher
-	// suites might change over time.
+	// suites might change over time. In Go 1.22 RSA key exchange based cipher
+	// suites were removed from the default list, but can be re-added with the
+	// GODEBUG setting tlsrsakex=1.
 	CipherSuites []uint16

 	// PreferServerCipherSuites is a legacy field and has no effect.