-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(http): use insecure cipher suites #4753
fix(http): use insecure cipher suites #4753
Conversation
Shouldn't |
we can try using this env , doing this (in retryablehttp) will reflect this change across other nuclei projects as well |
Thanks for this contribution @gnuletik ! |
@geeknik It seems tat VersionSSL30 is not supported anymore: https://pkg.go.dev/crypto/tls#pkg-constants
@tarunKoyalwar It seems that the |
Ah well, that's too bad. |
Hi, is there anything blocking a merge here? Thanks! |
@gnuletik , thanks for the pr but looking back at fastdialer it looks like this is implicitly covered. all pd tools internally use fastdialer which has auto ztls fallback (zcrypto project) and whenever a client hello or handshake fails , it reattempts connection with insecure ciphers and other options (see: https://github.com/projectdiscovery/fastdialer/blob/132fe30bd4812559e45ca164565f52089cb0d345/fastdialer/dialer.go#L384-L406) . and ztls supports ~350 ciphers https://github.com/projectdiscovery/tlsx/blob/f60f2bac3f2fd90c4d34ead0eea45758b520a47f/pkg/tlsx/ztls/utils.go#L81-L426 . so i think we can say this is already convered and about 1.22 cipher disabling , if i am not wrong this will not effect nuclei and other pd projects now, even if you compile it using go 1.22 because of go directive The go directive affects use of new language features:
from https://go.dev/ref/mod#go-mod-file-go this is because language features like deprecation of certain ciphers etc only affect if we explicitly bump go version in go.mod file and we have not done that yet and there's isn't any good reason to bump it unless we decide to use any 1.22 specific language features . i'm closing this PR , if you think otherwise feel free to reopen this / submit new one |
Proposed changes
Go 1.22 disabled the RSA key exchange cipher suites:
golang/go#63413
In order to be able to scan servers only supporting these cipher suites, the http client needs to explicitly support these.
Checklist