crypto/tls: disable RSA key exchange cipher suites by default #63413
Comments
Google sees an extremely negligible, but non-zero, amount of traffic for RSA based kex's. Disabling these seems like a general security win for the vast majority of users.
According to the SSLLabs recorded client handshakes, these are the clients that don't support ECDHE.
They are all ancient and unsupported, so I think we can go ahead in Go 1.22 (with a godebug). These are also a strict subset of the clients that don't support TLS 1.2, so we could avoid doing two breaking changes and bundle this with #62459, if we feel like that can ship in Go 1.22, too.
So GODEBUG=tlsrsakex=1 would re-enable, and GODEBUG=tlsrsakex=0 would be the new default in some future Go version.
Based on the discussion above, this proposal seems like a likely accept. Alongside #62459, Go 1.22 would also introduce a new default GODEBUG=tlsrsakex=0 that disables these RSA-only (non-ECDHE) cipher suites: TLS_RSA_WITH_AES_128_GCM_SHA256, As usual, the new GODEBUG would only be set in
No change in consensus, so accepted. 🎉 Alongside #62459, Go 1.22 would also introduce a new default GODEBUG=tlsrsakex=0 that disables these RSA-only (non-ECDHE) cipher suites: TLS_RSA_WITH_AES_128_GCM_SHA256, As usual, the new GODEBUG would only be set in
Change https://go.dev/cl/541517 mentions this issue:
Change https://go.dev/cl/544336 mentions this issue:
Updates #63413
Change-Id: I31fc2f9728582524cac5d101d0011093dbd05ed3
Reviewed-on: https://go-review.googlesource.com/c/go/+/544336
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
RSA cipher suites are removed from default set in Go 1.22 github.com/golang/go#63413. Add all TLS 1.0 - 1.2 cipher suites if insecure is set to true.
The "RSA key exchange" cipher suites (not to be confused with ECDHE cipher suites that use RSA certificates), or non-ECDHE cipher suites, work dramatically differently from the ECDHE ones: instead of using the certificate to sign an ephemeral key exchange, they encrypt the session key with the certificate's public key.
This has two major downsides:
Thanks to automatic cipher suite ordering, we don't necessarily have to disable less secure cipher suites, confident that they will be only picked as a last resort. However, even as a last resort (1) and (2) are problematic: (1) delivers a meaningfully different security property for some connections, in a way that is mostly obscure to applications and not opt-in; (2) means that even just supporting the cipher suite makes it possible for attackers to mount potential attacks to retroactively decrypt connections, or even forge signatures.
Concretely, I propose we move the following cipher suites to disabled by default in Go 1.22 behind a godebug.
Unfortunately, we have even less data than #62459, because Cloudflare does not publish cipher suite stats.
In theory, we could prioritize disabling the server side, which is affected by the Marvin attack, but we are generally more aggressive in modernizing the client anyway (because clients can have a stronger expectation of competence from servers than the other way around), so might as well keep it simple and disable them on both sides.
/cc @rolandshoemaker @golang/security
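The distinction the proposal draws can be checked end to end in a few dozen lines. The following is an added example, not code from the issue or from crypto/tls itself: it runs in-process TLS 1.2 handshakes over net.Pipe between a server that offers only TLS_RSA_WITH_AES_128_GCM_SHA256 (the legacy appliance case) and clients that either tolerate that or pin a forward-secret list built by dropping every TLS_RSA_WITH_* suite from tls.CipherSuites(). Because both sides use explicit Config.CipherSuites lists, which crypto/tls uses as given, the first three outcomes do not depend on the toolchain version or on GODEBUG=tlsrsakex; the fourth pairing leaves the server list nil and therefore reports what the toolchain you build with still accepts by default. The host name example.test, the self-signed fixture and the helper names (isRSAKeyExchange, forwardSecretSuites, negotiate) are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"slices"
	"strings"
	"time"
)

// isRSAKeyExchange reports whether id is an RSA key exchange suite (TLS_RSA_WITH_*).
// TLS_ECDHE_RSA_WITH_* only authenticates with an RSA certificate; its key exchange is ephemeral ECDH.
func isRSAKeyExchange(id uint16) bool {
	return strings.HasPrefix(tls.CipherSuiteName(id), "TLS_RSA_WITH_")
}

// forwardSecretSuites is Go's non-insecure TLS 1.2 list minus RSA key exchange. Pinning it in
// Config.CipherSuites gives the Go 1.22 default on older toolchains and survives GODEBUG=tlsrsakex=1.
// TLS 1.3 suites are skipped: they are not configurable and never use RSA key exchange.
func forwardSecretSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if !isRSAKeyExchange(cs.ID) && slices.Contains(cs.SupportedVersions, uint16(tls.VersionTLS12)) {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// selfSignedRSA makes a throwaway RSA certificate for the hypothetical host example.test
// and a pool that trusts it. Test fixture only; an RSA key is required for RSA key exchange.
func selfSignedRSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// negotiate runs one handshake in-process over net.Pipe with the given explicit suite lists
// (nil = the toolchain's default list) and returns the negotiated suite, or the error from the
// side that refused. MaxVersion is pinned to 1.2 because TLS 1.3 removed RSA key exchange, so a
// 1.3-capable pair would never reach these suites at all.
func negotiate(cert tls.Certificate, pool *x509.CertPool, serverSuites, clientSuites []uint16) (uint16, error) {
	p1, p2 := net.Pipe()
	defer func() { p1.Close(); p2.Close() }()
	srv := tls.Server(p1, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12, CipherSuites: serverSuites})
	cli := tls.Client(p2, &tls.Config{RootCAs: pool, ServerName: "example.test", CipherSuites: clientSuites})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	cerr := cli.Handshake()
	if err := errors.Join(<-errc, cerr); err != nil {
		return 0, err
	}
	return srv.ConnectionState().CipherSuite, nil
}

func main() {
	cert, pool, err := selfSignedRSA()
	if err != nil {
		panic(err)
	}
	rsaKexOnly, fs := []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256}, forwardSecretSuites()
	for _, sc := range []struct {
		name           string
		server, client []uint16
	}{
		{"legacy client vs RSA-kex-only server (works, no forward secrecy)", rsaKexOnly, rsaKexOnly},
		{"hardened client vs RSA-kex-only server (refused)", rsaKexOnly, fs},
		{"hardened client vs hardened server (ECDHE)", fs, fs},
		{"legacy client vs this toolchain's default server list", nil, rsaKexOnly},
	} {
		id, err := negotiate(cert, pool, sc.server, sc.client)
		fmt.Printf("%-68s -> %s %v\n", sc.name, tls.CipherSuiteName(id), err)
	}
}
```

The second pairing fails with a handshake-failure alert because the server can find no suite both sides offer, which is exactly what a Go 1.22 client with default settings does against such a server; the first pairing shows that an operator who must keep talking to that server can still do so by listing the suite explicitly, at the cost of the forward secrecy and signature-oracle concerns the proposal describes. The fourth line is the practical check for a deployed binary: if it prints an RSA suite, the build's default list (toolchain version or GODEBUG) still accepts RSA key exchange.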