crypto/tls: enforce TLS 1.3 (and TLS 1.2) downgrade protection checks

Fixes #37763 Change-Id: Ic6bcc9af0d164966f4ae31087998e5b546540038 Reviewed-on: https://go-review.googlesource.com/c/go/+/231038 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
2025-12-08 06:10:04 +00:00 · 2020-04-29 17:54:24 -04:00 · 2020-04-29 17:54:24 -04:00 · a6c6e59655
commit a6c6e59655
parent b4ecafc986
4 changed files with 63 additions and 2 deletions
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@ -207,6 +207,10 @@ const (
 	downgradeCanaryTLS11 = "DOWNGRD\x00"
 )

+// testingOnlyForceDowngradeCanary is set in tests to force the server side to
+// include downgrade canaries even if it's using its highers supported version.
+var testingOnlyForceDowngradeCanary bool
+
 // ConnectionState records basic TLS details about the connection.
 type ConnectionState struct {
 	Version                     uint16                // TLS version used by the connection (e.g. VersionTLS12)