crypto/tls: remove tls3des GODEBUG setting

Updates #75316 Change-Id: Iedd2a6746d0ebd6a7b7147f34cb7435b6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/777382 TryBot-Bypass: Filippo Valsorda <filippo@golang.org> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org>
2026-06-27 19:30:52 +00:00 · 2026-05-12 16:03:59 -04:00 · 2026-05-12 16:03:59 -04:00 · 0f4862de57
commit 0f4862de57
parent 14a4bc2051
8 changed files with 6 additions and 27 deletions
--- a/doc/godebug.md
+++ b/doc/godebug.md
@ -162,6 +162,8 @@ Go 1.27 removed the `tlsunsafeekm` setting, as noted in the [Go 1.22](#go-122) s

 Go 1.27 removed the `tlsrsakex` setting, as noted in the [Go 1.22](#go-122) section.

+Go 1.27 removed the `tls3des` setting, as noted in the [Go 1.23](#go-123) section.
+
 Go 1.27 added a new `htmlmetacontenturlescape` setting that controls whether
 html/template will escape URLs in the `url=` portion of the content attribute of
 HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be
--- a/src/crypto/tls/cipher_suites.go
+++ b/src/crypto/tls/cipher_suites.go
@ -353,13 +353,9 @@ var disabledCipherSuites = map[uint16]bool{
 	TLS_RSA_WITH_AES_256_CBC_SHA:    true,
 	TLS_RSA_WITH_AES_128_GCM_SHA256: true,
 	TLS_RSA_WITH_AES_256_GCM_SHA384: true,
-}

-// tdesCiphers contains 3DES ciphers,
-// which we also disable by default unless a GODEBUG is set.
-var tdesCiphers = map[uint16]bool{
+	// 3DES
 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: true,
-	TLS_RSA_WITH_3DES_EDE_CBC_SHA:       true,
 }

 var (
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@ -723,9 +723,7 @@ type Config struct {
 	// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
 	//
 	// If CipherSuites is nil, a safe default list is used. The default cipher
-	// suites might change over time. In Go 1.23 3DES cipher suites were removed
-	// from the default list, but can be re-added with the GODEBUG setting
-	// tls3des=1.
+	// suites might change over time.
 	CipherSuites []uint16

 	// PreferServerCipherSuites is a legacy field and has no effect.
--- a/src/crypto/tls/defaults.go
+++ b/src/crypto/tls/defaults.go
@ -66,8 +66,6 @@ func defaultSupportedSignatureAlgorithms() []SignatureScheme {
 	}
 }

-var tls3des = godebug.New("tls3des")
-
 func supportedCipherSuites(aesGCMPreferred bool) []uint16 {
 	if aesGCMPreferred {
 		return slices.Clone(cipherSuitesPreferenceOrder)
@ -79,8 +77,7 @@ func supportedCipherSuites(aesGCMPreferred bool) []uint16 {
 func defaultCipherSuites(aesGCMPreferred bool) []uint16 {
 	cipherSuites := supportedCipherSuites(aesGCMPreferred)
 	return slices.DeleteFunc(cipherSuites, func(c uint16) bool {
-		return disabledCipherSuites[c] ||
-			tls3des.Value() != "1" && tdesCiphers[c]
+		return disabledCipherSuites[c]
 	})
 }

--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@ -627,11 +627,6 @@ func (hs *clientHandshakeState) pickCipherSuite() error {
 		return errors.New("tls: server chose an unconfigured cipher suite")
 	}

-	if hs.c.config.CipherSuites == nil && !fips140tls.Required() && tdesCiphers[hs.suite.id] {
-		tls3des.Value() // ensure godebug is initialized
-		tls3des.IncNonDefault()
-	}
-
 	hs.c.cipherSuite = hs.suite.id
 	return nil
 }
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@ -412,11 +412,6 @@ func (hs *serverHandshakeState) pickCipherSuite() error {
 	}
 	c.cipherSuite = hs.suite.id

-	if c.config.CipherSuites == nil && !fips140tls.Required() && tdesCiphers[hs.suite.id] {
-		tls3des.Value() // ensure godebug is initialized
-		tls3des.IncNonDefault()
-	}
-
 	for _, id := range hs.clientHello.cipherSuites {
 		if id == TLS_FALLBACK_SCSV {
 			// The client is doing a fallback connection. See RFC 7507.
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@ -61,7 +61,6 @@ var All = []Info{
 	{Name: "rsa1024min", Package: "crypto/rsa", Changed: 24, Old: "0"},
 	{Name: "tarinsecurepath", Package: "archive/tar"},
 	{Name: "tls10server", Package: "crypto/tls", Changed: 22, Old: "1"},
-	{Name: "tls3des", Package: "crypto/tls", Changed: 23, Old: "1"},
 	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
 	{Name: "tlsmlkem", Package: "crypto/tls", Changed: 24, Old: "0", Opaque: true},
 	{Name: "tlssecpmlkem", Package: "crypto/tls", Changed: 26, Old: "0", Opaque: true},
@ -99,6 +98,7 @@ var Removed = []RemovedInfo{
 	{Name: "gotypesalias", Removed: 27},
 	{Name: "tlsunsafeekm", Removed: 27}, // Old: "1"
 	{Name: "tlsrsakex", Removed: 27},    // Old: "1"
+	{Name: "tls3des", Removed: 27},      // Old: "1"
 }

 // Lookup returns the Info with the given name.
--- a/src/runtime/metrics/doc.go
+++ b/src/runtime/metrics/doc.go
@ -381,10 +381,6 @@ Below is the full list of supported metrics, ordered lexicographically.
 		The number of non-default behaviors executed by the crypto/tls
 		package due to a non-default GODEBUG=tls10server=... setting.

-	/godebug/non-default-behavior/tls3des:events
-		The number of non-default behaviors executed by the crypto/tls
-		package due to a non-default GODEBUG=tls3des=... setting.
-
 	/godebug/non-default-behavior/tlsmaxrsasize:events
 		The number of non-default behaviors executed by the crypto/tls
 		package due to a non-default GODEBUG=tlsmaxrsasize=... setting.