1
0
mirror of https://github.com/golang/go synced 2024-11-23 06:30:06 -07:00

doc/go1.14: add crypto/tls release notes

A few minor changes that didn't feel worth mentioning:

* CL 205059: support leaving Certificates/GetCertificate nil if
  GetConfigForClient is set
* CL 205059: send the unrecognized_name alert when there are no
  available certificates
* CL 205068: add correct names for CHACHA20_POLY1305 ciphersuite constants
* CL 204046: fix CreateCRL for Ed25519 CAs
* CL 205058: add CertificateRequestInfo.Version

Change-Id: Ie820fb0c6842e669edde031132c7cda5b09e7682
Reviewed-on: https://go-review.googlesource.com/c/go/+/216759
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
This commit is contained in:
Filippo Valsorda 2020-01-28 14:37:58 -08:00
parent d91c3bc203
commit 1b7fefc91f

View File

@ -453,19 +453,61 @@ TODO
<dl id="crypto/tls"><dt><a href="/pkg/crypto/tls/">crypto/tls</a></dt> <dl id="crypto/tls"><dt><a href="/pkg/crypto/tls/">crypto/tls</a></dt>
<dd> <dd>
<p><!-- CL 191976 --> <p><!-- CL 191976 -->
TODO: <a href="https://golang.org/cl/191976">https://golang.org/cl/191976</a>: remove SSLv3 support Support for SSL version 3.0 (SSLv3) has been removed. Note that SSLv3 is the
<a href="https://tools.ietf.org/html/rfc7568">cryptographically broken</a>
protocol predating TLS.
</p> </p>
<p><!-- CL 191999 --> <p><!-- CL 191999 -->
TODO: <a href="https://golang.org/cl/191999">https://golang.org/cl/191999</a>: remove TLS 1.3 opt-out TLS 1.3 can't be disabled via the <code>GODEBUG</code> environment
variable anymore. Use the
<a href="/pkg/crypto/tls/#Config.MaxVersion"><code>Config.MaxVersion</code></a>
field to configure TLS versions.
</p>
<p><!-- CL 205059 -->
When multiple certificate chains are provided through the
<a href="/pkg/crypto/tls/#Config.Certificates"><code>Config.Certificates</code></a>
field, the first one compatible with the peer is now automatically
selected. This allows for example providing an ECDSA and an RSA
certificate, and letting the package automatically select the best one.
Note that the performance of this selection is going to be poor unless the
<a href="/pkg/crypto/tls/#Certificate.Leaf"><code>Certificate.Leaf</code></a>
field is set.
</p>
<p><!-- CL 175517 -->
The new <a href="/pkg/crypto/tls/#CipherSuites"><code>CipherSuites</code></a>
and <a href="/pkg/crypto/tls/#InsecureCipherSuites"><code>InsecureCipherSuites</code></a>
functions return a list of currently implemented cipher suites.
The new <a href="/pkg/crypto/tls/#CipherSuiteName"><code>CipherSuiteName</code></a>
function returns a name for a cipher suite ID.
</p>
<p><!-- CL 205058, 205057 -->
The new <a href="/pkg/crypto/tls/#ClientHelloInfo.SupportsCertificate">
<code>(*ClientHelloInfo).SupportsCertificate</code></a> and
<a href="/pkg/crypto/tls/#CertificateRequestInfo.SupportsCertificate">
<code>(*CertificateRequestInfo).SupportsCertificate</code></a>
methods expose whether a peer supports a certain certificate.
</p> </p>
<p><!-- CL 174329 --> <p><!-- CL 174329 -->
The <code>tls</code> package no longer supports NPN and now only The <code>tls</code> package no longer supports the legacy Next Protocol
supports ALPN. In previous releases it supported both. There are Negotiation (NPN) extension and now only supports ALPN. In previous
no API changes and code should function identically as before. releases it supported both. There are no API changes and applications
Most other clients & servers have already removed NPN support in should function identically as before. Most other clients and servers have
favor of the standardized ALPN. already removed NPN support in favor of the standardized ALPN.
</p>
<p><!-- CL 205063, 205062 -->
RSA-PSS signatures are now used when supported in TLS 1.2 handshakes. This
won't affect most applications, but custom
<a href="/pkg/crypto/tls/#Certificate.PrivateKey"><code>Certificate.PrivateKey</code></a>
implementations that don't support RSA-PSS signatures will need to use the new
<a href="/pkg/crypto/tls/#Certificate.SupportedSignatureAlgorithms">
<code>Certificate.SupportedSignatureAlgorithms</code></a>
field to disable them.
</p> </p>
</dl><!-- crypto/tls --> </dl><!-- crypto/tls -->