flashmob / go-guerrilla

Mini SMTP server written in golang
MIT License

ssl3.0 and TLS 1.3 #193

Closed tegk closed 4 years ago

tegk commented 4 years ago

Is it correct to assume that we do not support TLS 1.3 at the moment but do support ssl3.0?

config.go:127:1

// https://golang.org/pkg/crypto/tls/#pkg-constants
var TLSProtocols = map[string]uint16{
    "ssl3.0": tls.VersionSSL30,
    "tls1.0": tls.VersionTLS10,
    "tls1.1": tls.VersionTLS11,
    "tls1.2": tls.VersionTLS12,
}

Shall we remove ssl3.0 as it will be deprecated in Go 1.14 and is not secure? We also have to add TLS 1.3 :-)

flashmob commented 4 years ago

Yes, time to add TLS 1.3

To do:

flashmob commented 4 years ago

Hmm, there's no easy way to "Remove SSL 3 entirely, when built with Go 1.14 and higher." Therefore, will leave it in for now & deprecate it, remove once it's actually removed from Go.

btw, TLS 1.3 adds some new ciphersuites, but these can't be configured. Assuming that they can be used with older TLS versions

flashmob commented 4 years ago

Actually, may be able to just use the // +build !go1.14 build tag to "Remove SSL 3 entirely, when built with Go 1.14 and higher." after all :-)

Another issue is that it seems like Travis CI broke for Go 1.10 and 1.9, will remove these from the tests.
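The change discussed in this thread, sketched as an added example (not code from the thread or from go-guerrilla): a protocol map that drops "ssl3.0" and adds "tls1.3", plus validation of a configured min/max pair. The names `tlsProtocols`, `parseTLSVersion` and `buildTLSConfig` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsProtocols follows the map quoted in the issue, minus "ssl3.0", plus "tls1.3".
var tlsProtocols = map[string]uint16{
	"tls1.0": tls.VersionTLS10,
	"tls1.1": tls.VersionTLS11,
	"tls1.2": tls.VersionTLS12,
	"tls1.3": tls.VersionTLS13,
}

// parseTLSVersion resolves a config string to a crypto/tls version constant.
func parseTLSVersion(name string) (uint16, error) {
	key := strings.ToLower(strings.TrimSpace(name))
	if key == "ssl3.0" {
		// Fail loudly instead of silently falling back to a default.
		return 0, fmt.Errorf("protocol %q is insecure and not accepted", name)
	}
	v, ok := tlsProtocols[key]
	if !ok {
		return 0, fmt.Errorf("unknown TLS protocol %q", name)
	}
	return v, nil
}

// buildTLSConfig (hypothetical helper) validates a min/max pair from config.
func buildTLSConfig(minName, maxName string) (*tls.Config, error) {
	lo, err := parseTLSVersion(minName)
	if err != nil {
		return nil, err
	}
	hi, err := parseTLSVersion(maxName)
	if err != nil {
		return nil, err
	}
	if lo > hi {
		return nil, fmt.Errorf("min protocol %s is newer than max %s", minName, maxName)
	}
	return &tls.Config{MinVersion: lo, MaxVersion: hi}, nil
}

func main() {
	_, err := buildTLSConfig("ssl3.0", "tls1.2")
	fmt.Println(err)
}
```

Rejecting an old configuration value with an explicit error means an operator who still has "ssl3.0" in a config file sees the problem at startup rather than running with a different protocol floor than intended.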