crypto/tls: remove the tlsunsafeekm GODEBUG setting

Updates #75316 Change-Id: I2efa3e485653f5b403d92e5d99959e356a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/777380 Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-06-28 03:40:37 +00:00 · 2026-05-12 15:56:41 -04:00 · 2026-05-12 15:56:41 -04:00 · a7bc19bf37
commit a7bc19bf37
parent 5cc4ceb800
6 changed files with 5 additions and 21 deletions
--- a/doc/godebug.md
+++ b/doc/godebug.md
@ -158,6 +158,8 @@ and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).

 Go 1.27 removed the `gotypesalias` setting, as noted in the [Go 1.22](#go-122) section.

+Go 1.27 removed the `tlsunsafeekm` setting, as noted in the [Go 1.22](#go-122) section.
+
 Go 1.27 added a new `htmlmetacontenturlescape` setting that controls whether
 html/template will escape URLs in the `url=` portion of the content attribute of
 HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@ -338,11 +338,6 @@ type ConnectionState struct {
 // the seed. If the connection was set to allow renegotiation via
 // Config.Renegotiation, or if the connections supports neither TLS 1.3 nor
 // Extended Master Secret, this function will return an error.
-//
-// Exporting key material without Extended Master Secret or TLS 1.3 was disabled
-// in Go 1.22 due to security issues (see the Security Considerations sections
-// of RFC 5705 and RFC 7627), but can be re-enabled with the GODEBUG setting
-// tlsunsafeekm=1.
 func (cs *ConnectionState) ExportKeyingMaterial(label string, context []byte, length int) ([]byte, error) {
 	return cs.ekm(label, context, length)
 }
--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
@ -15,7 +15,6 @@ import (
 	"errors"
 	"fmt"
 	"hash"
-	"internal/godebug"
 	"io"
 	"net"
 	"sync"
@ -1610,8 +1609,6 @@ func (c *Conn) ConnectionState() ConnectionState {
 	return c.connectionStateLocked()
 }

-var tlsunsafeekm = godebug.New("tlsunsafeekm")
-
 func (c *Conn) connectionStateLocked() ConnectionState {
 	var state ConnectionState
 	state.HandshakeComplete = c.isHandshakeComplete.Load()
@ -1638,13 +1635,7 @@ func (c *Conn) connectionStateLocked() ConnectionState {
 	if c.config.Renegotiation != RenegotiateNever {
 		state.ekm = noEKMBecauseRenegotiation
 	} else if c.vers != VersionTLS13 && !c.extMasterSecret {
-		state.ekm = func(label string, context []byte, length int) ([]byte, error) {
-			if tlsunsafeekm.Value() == "1" {
-				tlsunsafeekm.IncNonDefault()
-				return c.ekm(label, context, length)
-			}
-			return noEKMBecauseNoEMS(label, context, length)
-		}
+		state.ekm = noEKMBecauseNoEMS
 	} else {
 		state.ekm = c.ekm
 	}
--- a/src/crypto/tls/prf.go
+++ b/src/crypto/tls/prf.go
@ -248,7 +248,7 @@ func noEKMBecauseRenegotiation(label string, context []byte, length int) ([]byte
 // Master Secret is not negotiated and thus we wish to fail all key-material
 // export requests.
 func noEKMBecauseNoEMS(label string, context []byte, length int) ([]byte, error) {
-	return nil, errors.New("crypto/tls: ExportKeyingMaterial is unavailable when neither TLS 1.3 nor Extended Master Secret are negotiated; override with GODEBUG=tlsunsafeekm=1")
+	return nil, errors.New("crypto/tls: ExportKeyingMaterial is unavailable when neither TLS 1.3 nor Extended Master Secret are negotiated")
 }

 // ekmFromMasterSecret generates exported keying material as defined in RFC 5705.
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@ -67,7 +67,6 @@ var All = []Info{
 	{Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
 	{Name: "tlssecpmlkem", Package: "crypto/tls", Changed: 26, Old: "0", Opaque: true},
 	{Name: "tlssha1", Package: "crypto/tls", Changed: 25, Old: "1"},
-	{Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
 	// Mark tracebacklabels as Opaque so we don't generate a metric that we can't increment.
 	// IncNonDefault uses a sync.Once, which involves sync.Mutex, and is not safe from a signal handler.
 	// (Tracebacks are generated in signal-handlers.)
@ -99,6 +98,7 @@ type RemovedInfo struct {
 var Removed = []RemovedInfo{
 	{Name: "x509sha1", Removed: 24},
 	{Name: "gotypesalias", Removed: 27},
+	{Name: "tlsunsafeekm", Removed: 27}, // Old: "1"
 }

 // Lookup returns the Info with the given name.
--- a/src/runtime/metrics/doc.go
+++ b/src/runtime/metrics/doc.go
@ -397,10 +397,6 @@ Below is the full list of supported metrics, ordered lexicographically.
 		The number of non-default behaviors executed by the crypto/tls
 		package due to a non-default GODEBUG=tlssha1=... setting.

-	/godebug/non-default-behavior/tlsunsafeekm:events
-		The number of non-default behaviors executed by the crypto/tls
-		package due to a non-default GODEBUG=tlsunsafeekm=... setting.
-
 	/godebug/non-default-behavior/updatemaxprocs:events
 		The number of non-default behaviors executed by the runtime
 		package due to a non-default GODEBUG=updatemaxprocs=... setting.