
crypto/tls: disable SHA-1 signature algorithms in TLS 1.2

This implements RFC 9155 by removing support for SHA-1 algorithms:

  - we don't advertise them in ClientHello and CertificateRequest
    (where supportedSignatureAlgorithms is used directly)

  - we don't select them in our ServerKeyExchange and CertificateVerify
    (where supportedSignatureAlgorithms filters signatureSchemesForCertificate)

  - we reject them in the peer's ServerKeyExchange and CertificateVerify
    (where we check against the algorithms we advertised in ClientHello
    and CertificateRequest)

Fixes #72883

Change-Id: I6a6a4656e2aafd2c38cdd32090d3d8a9a8047818
Reviewed-on: https://go-review.googlesource.com/c/go/+/658216
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
yuhan6665 2025-05-25 16:00:59 -04:00
parent e82a8e057c
commit b82f8bbb59
2 changed files with 9 additions and 4 deletions


@ -219,7 +219,7 @@ func signatureSchemesForCertificate(version uint16, cert *Certificate) []Signatu
}
// Filter out any unsupported signature algorithms, for example due to
// FIPS 140-3 policy, or any downstream changes to defaults.go.
// FIPS 140-3 policy, tlssha1=0, or any downstream changes to defaults.go.
supportedAlgs := supportedSignatureAlgorithms(version)
sigAlgs = slices.DeleteFunc(sigAlgs, func(sigAlg SignatureScheme) bool {
return !isSupportedSignatureAlgorithm(sigAlg, supportedAlgs)
@ -239,7 +239,12 @@ func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureSche
if len(peerAlgs) == 0 && vers == VersionTLS12 {
// For TLS 1.2, if the client didn't send signature_algorithms then we
// can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
// RFC 9155 made signature_algorithms mandatory in TLS 1.2, and we gated
// it behind the tlssha1 GODEBUG setting.
// if tlssha1.Value() != "1" {
return 0, errors.New("tls: missing signature_algorithms from TLS 1.2 peer")
// }
// peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
}
// Pick signature scheme in the peer's preference order, as our
// preference order is not configurable.
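Review bot: The tlssha1 gate is commented out at `// if tlssha1.Value() != "1" {`, so the `return 0, errors.New("tls: missing signature_algorithms from TLS 1.2 peer")` runs unconditionally, yet the comment two lines above still says the rejection is gated behind the tlssha1 GODEBUG setting, and the retained `// can assume that it supports SHA1` sentence now describes a branch that no longer exists. Unconditional rejection is the stricter of the two outcomes, so this is a dead-code and documentation point rather than a weakening, but the three commented-out lines should either be wired to a real setting or removed, with the comment reworded to what the fork actually does, e.g. `// RFC 9155 made signature_algorithms mandatory in TLS 1.2; this tree carries no` / `// tlssha1 GODEBUG escape hatch, so a TLS 1.2 peer that omits it is always rejected.` The first hunk of this file has the same mismatch: its new comment cites `tlssha1=0` as a reason an algorithm may be filtered, although no such setting exists in this tree (defaults.go only gains a commented-out declaration). selectSignatureScheme starts and ends outside the hunk.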


@ -23,6 +23,8 @@ func defaultCurvePreferences() []CurveID {
return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}
}
//var tlssha1 = godebug.New("tlssha1")
// defaultSupportedSignatureAlgorithms returns the signature and hash algorithms that
// the code advertises and supports in a TLS 1.2+ ClientHello and in a TLS 1.2+
// CertificateRequest. The two fields are merged to match with TLS 1.3.
@ -39,8 +41,6 @@ func defaultSupportedSignatureAlgorithms() []SignatureScheme {
PKCS1WithSHA512,
ECDSAWithP384AndSHA384,
ECDSAWithP521AndSHA512,
PKCS1WithSHA1,
ECDSAWithSHA1,
}
}
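Review bot: The added `//var tlssha1 = godebug.New("tlssha1")` is a commented-out declaration that nothing in this tree can reference, so it is dead text that will silently drift from upstream; either import the godebug package and keep the knob, or drop the line and state in the doc comment of defaultSupportedSignatureAlgorithms that the SHA-1 schemes are deliberately absent, e.g. `// PKCS1WithSHA1 and ECDSAWithSHA1 are intentionally omitted (RFC 9155); unlike upstream Go, this tree has no runtime setting that re-enables them.` The removal of the two SHA-1 entries in the second hunk is the actual behavioural change and matches the commit message. I cannot see from here whether supportedSignatureAlgorithms(version), which the first file calls, still consults a tlssha1 value in this tree; if it does, it now refers to an undeclared identifier. defaultSupportedSignatureAlgorithms begins outside the hunk.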