Closed afrancoc2000 closed 2 months ago
The fact that TLS 1.3 cipher suites are non-configurable is intended.
Why? It can be done using curl. How can you then choose to use one specific cipher suite? Shouldn't that be documented somewhere? Why allow setting cipher suites at all if you're going to ignore them?
It is documented on the Cipher suites field. Config was allowed for < 1.3 because some of them were less secure. Testing / educational uses are considered out of scope for crypto/tls; the goal is secure-by-default usage.
Got it, thanks.
Go version
go version go1.22.4 linux/amd64
Output of `go env` in your module/workspace:
What did you do?
I'm doing some tests in my project to demonstrate the support for different cipher suites, but when I use TLS v1.3, 3 default cipher suites are added, making it impossible to test just one cipher suite in my client request.
My client is for websockets but you can see the issue also happening in http requests.
What did you see happen?
Doing this, I can see in Wireshark my client offering a request including my chosen cipher suite plus: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,
and if I select to use only TLS v1.3, not even my cipher suite shows up, just the v1.3 defaults.
What did you expect to see?
Only my cipher suite being used from the client request, so I can test different cipher suite scenarios. I'm setting my cipher suite so I expect the request to use it; it is not the default behavior when no cipher suite is defined.
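
The behaviour discussed in this issue can be reproduced without Wireshark. The following is an added example, not code from the reporter or the Go project: it handshakes an in-process client and server over `net.Pipe` with a throwaway certificate and reports which suite is negotiated when `Config.CipherSuites` holds a single TLS 1.2 suite. The helper names `selfSigned` and `negotiate` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway ECDSA certificate for the in-process server.
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// negotiate pins the client to one protocol version, puts only `suite` in
// Config.CipherSuites, and returns the suite the handshake actually selected.
func negotiate(version, suite uint16) (uint16, error) {
	c, s := net.Pipe()
	defer c.Close()
	// Tickets are disabled so no post-Finished record blocks the unbuffered pipe.
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{selfSigned()}, SessionTicketsDisabled: true})
	go func() { srv.Handshake(); s.Close() }()
	cli := tls.Client(c, &tls.Config{
		InsecureSkipVerify: true, // test only: the certificate is self-signed
		MinVersion:         version, MaxVersion: version,
		CipherSuites:       []uint16{suite}, // honoured for TLS 1.2, ignored for TLS 1.3
	})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().CipherSuite, nil
}

func main() {
	want := tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		got, err := negotiate(v, want)
		fmt.Printf("version %#04x requested %s negotiated %s err=%v\n", v, tls.CipherSuiteName(want), tls.CipherSuiteName(got), err)
	}
}
```

Which of the three TLS 1.3 suites is selected depends on whether the host has AES hardware support, so a test should check the negotiated version and suite family rather than one exact TLS 1.3 suite.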