crypto/tls: change default minimum version to 1.2

Updates the default from 1.0 -> 1.2 for servers, bringing it in line with clients. Add a GODEBUG setting, tls10server, which lets users revert this change. Fixes #62459 Change-Id: I2b82f85b1c2d527df1f9afefae4ab30a8f0ceb41 Reviewed-on: https://go-review.googlesource.com/c/go/+/541516 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
2025-12-08 06:10:04 +00:00 · 2023-11-10 10:12:48 -08:00 · 2023-11-10 10:12:48 -08:00 · 362bf4fc6d
commit 362bf4fc6d
parent e7d582b55d
6 changed files with 36 additions and 20 deletions
--- a/doc/godebug.md
+++ b/doc/godebug.md
@ -151,6 +151,10 @@ For Go 1.22 it defaults to `gotypesalias=0`.
 For Go 1.23, `gotypealias=1` will become the default.
 This setting will be removed in a future release, Go 1.24 at the earliest.
 Go 1.22 changed the default minimum TLS version supported by both servers
 and clients to TLS 1.2. The default can be reverted to TLS 1.0 using the
 [`tls10server` setting](/pkg/crypto/tls/#Config).
 ### Go 1.21
 Go 1.21 made it a run-time error to call `panic` with a nil interface value,
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@ -18,6 +18,7 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"internal/godebug"
 	"io"
 	"net"
 	"strings"
@ -732,14 +733,11 @@ type Config struct {
 	// MinVersion contains the minimum TLS version that is acceptable.
 	//
-	// By default, TLS 1.2 is currently used as the minimum when acting as a
+	// By default, TLS 1.2 is currently used as the minimum. TLS 1.0 is the
-	// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
+	// minimum supported by this package.
 	// supported by this package, both as a client and as a server.
 	//
-	// The client-side default can temporarily be reverted to TLS 1.0 by
+	// The server-side default can be reverted to TLS 1.0 by including the value
-	// including the value "x509sha1=1" in the GODEBUG environment variable.
+	// "tls10server=1" in the GODEBUG environment variable.
 	// Note that this option will be removed in Go 1.19 (but it will still be
 	// possible to set this field to VersionTLS10 explicitly).
 	MinVersion uint16
 	// MaxVersion contains the maximum TLS version that is acceptable.
@ -1028,15 +1026,20 @@ var supportedVersions = []uint16{
 const roleClient = true
 const roleServer = false
 var tls10godebug = godebug.New("tls10server")
 func (c *Config) supportedVersions(isClient bool) []uint16 {
 	versions := make([]uint16, 0, len(supportedVersions))
 	for _, v := range supportedVersions {
 		if needFIPS() && (v < fipsMinVersion(c) || v > fipsMaxVersion(c)) {
 			continue
 		}
-		if (c == nil || c.MinVersion == 0) &&
+		if (c == nil || c.MinVersion == 0) && v < VersionTLS12 {
-			isClient && v < VersionTLS12 {
+			if !isClient && tls10godebug.Value() == "1" {
-			continue
+				tls10godebug.IncNonDefault()
 			} else {
 				continue
 			}
 		}
 		if c != nil && c.MinVersion != 0 && v < c.MinVersion {
 			continue
--- a/src/crypto/tls/handshake_server_test.go
+++ b/src/crypto/tls/handshake_server_test.go
@ -389,21 +389,22 @@ func TestClose(t *testing.T) {
 func TestVersion(t *testing.T) {
 	serverConfig := &Config{
 		Certificates: testConfig.Certificates,
-		MaxVersion:   VersionTLS11,
+		MaxVersion:   VersionTLS13,
 	}
 	clientConfig := &Config{
 		InsecureSkipVerify: true,
-		MinVersion:         VersionTLS10,
+		MinVersion:         VersionTLS12,
 	}
 	state, _, err := testHandshake(t, clientConfig, serverConfig)
 	if err != nil {
 		t.Fatalf("handshake failed: %s", err)
 	}
-	if state.Version != VersionTLS11 {
+	if state.Version != VersionTLS13 {
 		t.Fatalf("incorrect version %x, should be %x", state.Version, VersionTLS11)
 	}
 	clientConfig.MinVersion = 0
 	serverConfig.MaxVersion = VersionTLS11
 	_, _, err = testHandshake(t, clientConfig, serverConfig)
 	if err == nil {
 		t.Fatalf("expected failure to connect with TLS 1.0/1.1")
@ -487,17 +488,17 @@ func testCrossVersionResume(t *testing.T, version uint16) {
 		InsecureSkipVerify: true,
 		ClientSessionCache: NewLRUClientSessionCache(1),
 		ServerName:         "servername",
-		MinVersion:         VersionTLS10,
+		MinVersion:         VersionTLS12,
 	}
-	// Establish a session at TLS 1.1.
+	// Establish a session at TLS 1.3.
-	clientConfig.MaxVersion = VersionTLS11
+	clientConfig.MaxVersion = VersionTLS13
 	_, _, err := testHandshake(t, clientConfig, serverConfig)
 	if err != nil {
 		t.Fatalf("handshake failed: %s", err)
 	}
-	// The client session cache now contains a TLS 1.1 session.
+	// The client session cache now contains a TLS 1.3 session.
 	state, _, err := testHandshake(t, clientConfig, serverConfig)
 	if err != nil {
 		t.Fatalf("handshake failed: %s", err)
@ -507,7 +508,7 @@ func testCrossVersionResume(t *testing.T, version uint16) {
 	}
 	// Test that the server will decline to resume at a lower version.
-	clientConfig.MaxVersion = VersionTLS10
+	clientConfig.MaxVersion = VersionTLS12
 	state, _, err = testHandshake(t, clientConfig, serverConfig)
 	if err != nil {
 		t.Fatalf("handshake failed: %s", err)
@ -516,7 +517,7 @@ func testCrossVersionResume(t *testing.T, version uint16) {
 		t.Fatalf("handshake resumed at a lower version")
 	}
-	// The client session cache now contains a TLS 1.0 session.
+	// The client session cache now contains a TLS 1.2 session.
 	state, _, err = testHandshake(t, clientConfig, serverConfig)
 	if err != nil {
 		t.Fatalf("handshake failed: %s", err)
@ -526,7 +527,7 @@ func testCrossVersionResume(t *testing.T, version uint16) {
 	}
 	// Test that the server will decline to resume at a higher version.
-	clientConfig.MaxVersion = VersionTLS11
+	clientConfig.MaxVersion = VersionTLS13
 	state, _, err = testHandshake(t, clientConfig, serverConfig)
 	if err != nil {
 		t.Fatalf("handshake failed: %s", err)
@ -1170,6 +1171,7 @@ func TestServerResumptionDisabled(t *testing.T) {
 func TestFallbackSCSV(t *testing.T) {
 	serverConfig := Config{
 		Certificates: testConfig.Certificates,
 		MinVersion:   VersionTLS11,
 	}
 	test := &serverTest{
 		name:   "FallbackSCSV",
--- a/src/crypto/tls/tls_test.go
+++ b/src/crypto/tls/tls_test.go
@ -1365,6 +1365,7 @@ func TestClientHelloInfo_SupportsCertificate(t *testing.T) {
 			SupportedPoints:   []uint8{pointFormatUncompressed},
 			SignatureSchemes:  []SignatureScheme{Ed25519},
 			SupportedVersions: []uint16{VersionTLS10},
 			config:            &Config{MinVersion: VersionTLS10},
 		}, "doesn't support Ed25519"},
 		{ed25519Cert, &ClientHelloInfo{
 			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
@ -1379,6 +1380,7 @@ func TestClientHelloInfo_SupportsCertificate(t *testing.T) {
 			SupportedCurves:   []CurveID{CurveP256}, // only relevant for ECDHE support
 			SupportedPoints:   []uint8{pointFormatUncompressed},
 			SupportedVersions: []uint16{VersionTLS10},
 			config:            &Config{MinVersion: VersionTLS10},
 		}, ""},
 		{rsaCert, &ClientHelloInfo{
 			CipherSuites:      []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@ -45,6 +45,7 @@ var All = []Info{
 	{Name: "panicnil", Package: "runtime", Changed: 21, Old: "1"},
 	{Name: "randautoseed", Package: "math/rand"},
 	{Name: "tarinsecurepath", Package: "archive/tar"},
 	{Name: "tls10server", Package: "crypto/tls", Changed: 22, Old: "1"},
 	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
 	{Name: "x509sha1", Package: "crypto/x509"},
 	{Name: "x509usefallbackroots", Package: "crypto/x509"},
--- a/src/runtime/metrics/doc.go
+++ b/src/runtime/metrics/doc.go
@ -303,6 +303,10 @@ Below is the full list of supported metrics, ordered lexicographically.
 		package due to a non-default GODEBUG=tarinsecurepath=...
 		setting.
 	/godebug/non-default-behavior/tls10server:events
 		The number of non-default behaviors executed by the crypto/tls
 		package due to a non-default GODEBUG=tls10server=... setting.
 	/godebug/non-default-behavior/tlsmaxrsasize:events
 		The number of non-default behaviors executed by the crypto/tls
 		package due to a non-default GODEBUG=tlsmaxrsasize=... setting.