allow setting the minimum TLS version #1611
Comments
I'll say that I hate allowing configuration of security things like this, but so long as it's for letting admins kill old versions of TLS it'd be fine I guess. So long as we don't bundle any other sort of configuration of ciphers or preferred cipher order or other esoteric specifics in with this - way too many projects expose every weird security detail and give the user the ability to screw up the config and shoot themselves in the foot.
I wouldn't suggest making ciphers configurable, and TLS 1.3 uses completely different cipher names than 1.2 and earlier. There is a point that OpenSSL, and with that nginx, don't directly expose them, because there are no insecure ciphers in 1.3. It shouldn't need configuration. As for ciphers with 1.2, gotls enables AES-CBC with 1.2, which is considered rather poor. Mozilla, for example, recommends even for their intermediate configuration to turn them off. In my opinion - feel free to disagree - that configuration should be roughly the default nowadays.
Here's upstream's plan for this: golang/go#45428
Go supports the following versions:
(tls.Config).MinVersion can be used to set the minimum version, which defaults to 1.0. Operators may want to increase this.
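As an added example (not code from this issue or from the project), this is one way to wire an operator-facing "minimum TLS version" setting into crypto/tls while leaving ciphers and ordering alone, as the thread argues. Unknown values are rejected instead of silently falling back, so a typo cannot lower the floor; the setting format, the helper names and the zero-means-library-default convention are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// minTLSVersions maps the operator-facing setting to crypto/tls constants.
// The accepted strings are an assumption of this example.
var minTLSVersions = map[string]uint16{
	"1.0": tls.VersionTLS10,
	"1.1": tls.VersionTLS11,
	"1.2": tls.VersionTLS12,
	"1.3": tls.VersionTLS13,
}

// ParseMinTLSVersion converts a config string such as "1.2" or "TLS1.2"
// into the crypto/tls version constant. An empty setting returns 0, which
// makes crypto/tls apply its own default (1.0 at the time of the issue).
// Anything else that is not a known version is an error, never a fallback.
func ParseMinTLSVersion(s string) (uint16, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "TLS")
	if s == "" {
		return 0, nil
	}
	v, ok := minTLSVersions[s]
	if !ok {
		return 0, fmt.Errorf("unsupported minimum TLS version %q (want 1.0, 1.1, 1.2 or 1.3)", s)
	}
	return v, nil
}

// ServerTLSConfig builds a server config that sets only the version floor.
// CipherSuites and preference order are deliberately left to crypto/tls.
func ServerTLSConfig(minVersion string) (*tls.Config, error) {
	v, err := ParseMinTLSVersion(minVersion)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: v}, nil
}

func main() {
	cfg, err := ServerTLSConfig("1.2")
	if err != nil {
		panic(err)
	}
	fmt.Printf("MinVersion=0x%04x\n", cfg.MinVersion)
}
```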