From 7a5e7047a4606e1deab7d4adcf9f057c7f8ce88c Mon Sep 17 00:00:00 2001
From: Filippo Valsorda Minor changes to the library
weakness. They are still enabled by default but only as a last resort,
thanks to the cipher suite ordering change above.
+ Beginning in the next release, Go 1.18, the
+ Config.MinVersion
+ for crypto/tls
clients will default to TLS 1.2, disabling TLS 1.0
+ and TLS 1.1 by default. Applications will be able to override the change by
+ explicitly setting Config.MinVersion
.
+ This will not affect crypto/tls
servers.
+
+ Beginning in the next release, Go 1.18, crypto/x509
will
+ reject certificates signed with the SHA-1 hash function. This doesn't
+ apply to self-signed root certificates. Practical attacks against SHA-1
+ have been demonstrated in 2017 and publicly
+ trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
+