Skip to content

crypto/tls: remove SSLv3 support #32716

New issue
New issue
Closed
Closed
crypto/tls: remove SSLv3 support#32716
Labels
FrozenDueToAgeProposalProposal-AcceptedProposal-CryptoProposal related to crypto packages or other security issuesearly-in-cycleA change that should be done early in the 3 month dev cycle.
Milestone
 
Go1.14
@FiloSottile

Description

@FiloSottile
FiloSottile
opened on Jun 20, 2019

SSLv3 has been irreparably broken since the POODLE attack 5 years ago.

RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use in no uncertain terms, and proceeds to list everything that's broken with it.

SSLv3 MUST NOT be used.

Negotiation of SSLv3 from any version of TLS MUST NOT be permitted.

Major CDNs dropped support immediately upon the disclosure of POODLE. Google frontends followed in 2015. Mozilla called the end of SSL 3.0 in 2014.

In crypto/tls, SSLv3 is only supported on the server side, and is disabled by default. It's time we remove it entirely, as it's not just obsolete, but insecure.

I would like to mark it as deprecated in Go 1.13 and announce it in the release notes, also to get feedback on the impact, and then remove it in Go 1.14.

/cc @rsc @agl

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeProposalProposal-AcceptedProposal-CryptoProposal related to crypto packages or other security issuesearly-in-cycleA change that should be done early in the 3 month dev cycle.

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions