From d8688173264a8dd1dc7cc432ff7471fdab7956e4 Mon Sep 17 00:00:00 2001
From: genkiroid
Date: Sun, 29 Sep 2019 13:36:22 +0900
Subject: [PATCH 1/3] Limit max tls version

---
 cert.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/cert.go b/cert.go
index 1d12682..a5b712a 100644
--- a/cert.go
+++ b/cert.go
@@ -44,9 +44,6 @@ var cipherSuites = map[string]uint16{
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
- "TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256,
- "TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384,
- "TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
 }
 
 var userTempl string
@@ -116,11 +113,19 @@ func cipherSuite() ([]uint16, error) {
 var cs []uint16
 cs = []uint16{cipherSuites[CipherSuite]}
 if cs[0] == 0 {
- return nil, fmt.Errorf("%s is unsupported cipher suite.", CipherSuite)
+ return nil, fmt.Errorf("%s is unsupported cipher suite or tls1.3 cipher suite.", CipherSuite)
 }
 return cs, nil
 }
 
+func tlsVersion() uint16 {
+ if CipherSuite != "" {
+ return tls.VersionTLS12
+ }
+ // Currently TLS 1.3
+ return 0
+}
+
 var serverCert = func(host, port string) ([]*x509.Certificate, string, error) {
 d := &net.Dialer{
 Timeout: time.Duration(TimeoutSeconds) * time.Second,
@@ -134,6 +139,7 @@ var serverCert = func(host, port string) ([]*x509.Certificate, string, error) {
 conn, err := tls.DialWithDialer(d, "tcp", host+":"+port, &tls.Config{
 InsecureSkipVerify: SkipVerify,
 CipherSuites: cs,
+ MaxVersion: tlsVersion(),
 })
 if err != nil {
 return []*x509.Certificate{&x509.Certificate{}}, "", err
From 89d12404c2e047af328e9cdec33e8ed38fb92f4c Mon Sep 17 00:00:00 2001
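Review bot: The `// Currently TLS 1.3` comment on the `return 0` in tlsVersion() is misleading: 0 is not a TLS version, it leaves tls.Config.MaxVersion unset so crypto/tls negotiates up to its own default maximum, which is TLS 1.3 only on Go 1.13 and later and may change again with the toolchain. Suggest `// 0 leaves MaxVersion unset: crypto/tls then negotiates up to its default maximum (TLS 1.3 on Go 1.13+).` plus a doc comment on the function such as `// tlsVersion returns the MaxVersion to dial with: TLS 1.2 when a cipher suite was requested, because a requested suite is ignored under TLS 1.3; 0 (library default) otherwise.`. The same reading appears as `// 0 means TLS1.3 currently` in the test added by patch 2, so both comments should say the same thing. In the cipherSuite hunk, `cs[0] == 0` relies on the zero value of a missing map key as the error sentinel; `v, ok := cipherSuites[CipherSuite]` makes that intent explicit and decouples the check from the numeric value of a suite constant. cipherSuite and serverCert, which the other two hunks touch, both start outside their hunks.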
From: genkiroid
Date: Sun, 29 Sep 2019 13:36:34 +0900
Subject: [PATCH 2/3] Add test

---
 cert_test.go | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/cert_test.go b/cert_test.go
index ffe2a43..2b55917 100644
--- a/cert_test.go
+++ b/cert_test.go
@@ -1,6 +1,7 @@
 package cert
 
 import (
+ "crypto/tls"
 "crypto/x509"
 "crypto/x509/pkix"
 "fmt"
@@ -266,7 +267,7 @@ func TestCertChain(t *testing.T) {
 }
 
 func TestCipherSuite(t *testing.T) {
- CipherSuite = "TLS_CHACHA20_POLY1305_SHA256"
+ CipherSuite = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
 if _, err := cipherSuite(); err != nil {
 t.Errorf(`unexpected err %s, want nil`, err.Error())
 }
@@ -274,10 +275,34 @@ func TestCipherSuite(t *testing.T) {
 
 func TestCipherSuiteError(t *testing.T) {
 CipherSuite = "UNSUPPORTED_CIPHER_SUITE"
+ want := "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite or tls1.3 cipher suite."
+
 if _, err := cipherSuite(); err == nil {
 t.Error(`unexpected nil, want error`)
- } else if err.Error() != "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite." {
- t.Errorf(`unexpected err message, want %q`, "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite.")
+ } else if err.Error() != want {
+ t.Errorf(`unexpected err message, want %q`, want)
+ }
+}
+
+func TestTlsVersion(t *testing.T) {
+ type want struct {
+ version uint16
+ }
+ var tests = []struct {
+ cipherSuite string
+ want want
+ }{
+ {"", want{0}}, // 0 means TLS1.3 currently
+ {"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", want{tls.VersionTLS12}},
+ }
+
+ for _, test := range tests {
+ CipherSuite = test.cipherSuite
+ v := tlsVersion()
+ got := want{v}
+ if got != test.want {
+ t.Errorf("tlsVersion() = %v, want %v", got, test.want)
+ }
 }
 }
From d4c9194fd818aa882927ea4bd36a619e9c892257 Mon Sep 17 00:00:00 2001
From: genkiroid
Date: Sun, 29 Sep 2019 13:39:07 +0900
Subject: [PATCH 3/3] Update README

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
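Review bot: TestTlsVersion assigns the package-level `CipherSuite` inside its table loop and never restores it, so after the test runs the global stays at `"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"` (and TestCipherSuiteError leaves it at `"UNSUPPORTED_CIPHER_SUITE"`), which silently changes what serverCert dials with in any test executed afterwards and makes results depend on test order. A one-line guard at the top of each test that mutates it restores the prior value: `defer func(prev string) { CipherSuite = prev }(CipherSuite)`; t.Cleanup can do the same where the toolchain provides it. On naming, Go keeps initialisms in a consistent case, so the function would conventionally be `TestTLSVersion`, and the single-field `want` struct adds nothing over a plain `uint16` column in the table. The `// 0 means TLS1.3 currently` comment describes the crypto/tls default rather than a fixed version; the matching note on tlsVersion() in patch 1 covers the wording.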
diff --git a/README.md b/README.md
index df1bb77..1fda038 100644
--- a/README.md
+++ b/README.md
@@ -210,6 +210,8 @@ Error:
 ```
 
+**If you specify a cipher suite, the maximum TLS version used is limited to TLS1.2. This is because if the server supports TLS1.3, the specified cipher suite is ignored and communication is performed using TLS1.3. This eliminates the meaning of specifying a cipher suite and confuses us. This specification will change when the cipher suite for tls1.3 becomes configurable in Go.**
+
 ## License
 
 [MIT](https://github.com/genkiroid/cert/blob/master/LICENSE)