mirror of
https://github.com/golang/go
synced 2024-11-23 03:20:03 -07:00
doc/go1.14: add crypto/tls release notes
A few minor changes that didn't feel worth mentioning: * CL 205059: support leaving Certificates/GetCertificate nil if GetConfigForClient is set * CL 205059: send the unrecognized_name alert when there are no available certificates * CL 205068: add correct names for CHACHA20_POLY1305 ciphersuite constants * CL 204046: fix CreateCRL for Ed25519 CAs * CL 205058: add CertificateRequestInfo.Version Change-Id: Ie820fb0c6842e669edde031132c7cda5b09e7682 Reviewed-on: https://go-review.googlesource.com/c/go/+/216759 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
This commit is contained in:
Filippo Valsorda
parent
d91c3bc203
commit
1b7fefc91f
@ -453,19 +453,61 @@ TODO
|
|||||||
<dl id="crypto/tls"><dt><a href="/pkg/crypto/tls/">crypto/tls</a></dt>
|
<dl id="crypto/tls"><dt><a href="/pkg/crypto/tls/">crypto/tls</a></dt>
|
||||||
<dd>
|
<dd>
|
||||||
<p><!-- CL 191976 -->
|
<p><!-- CL 191976 -->
|
||||||
TODO: <a href="https://golang.org/cl/191976">https://golang.org/cl/191976</a>: remove SSLv3 support
|
Support for SSL version 3.0 (SSLv3) has been removed. Note that SSLv3 is the
|
||||||
|
<a href="https://tools.ietf.org/html/rfc7568">cryptographically broken</a>
|
||||||
|
protocol predating TLS.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p><!-- CL 191999 -->
|
<p><!-- CL 191999 -->
|
||||||
TODO: <a href="https://golang.org/cl/191999">https://golang.org/cl/191999</a>: remove TLS 1.3 opt-out
|
TLS 1.3 can't be disabled via the <code>GODEBUG</code> environment
|
||||||
|
variable anymore. Use the
|
||||||
|
<a href="/pkg/crypto/tls/#Config.MaxVersion"><code>Config.MaxVersion</code></a>
|
||||||
|
field to configure TLS versions.
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p><!-- CL 205059 -->
|
||||||
|
When multiple certificate chains are provided through the
|
||||||
|
<a href="/pkg/crypto/tls/#Config.Certificates"><code>Config.Certificates</code></a>
|
||||||
|
field, the first one compatible with the peer is now automatically
|
||||||
|
selected. This allows for example providing an ECDSA and an RSA
|
||||||
|
certificate, and letting the package automatically select the best one.
|
||||||
|
Note that the performance of this selection is going to be poor unless the
|
||||||
|
<a href="/pkg/crypto/tls/#Certificate.Leaf"><code>Certificate.Leaf</code></a>
|
||||||
|
field is set.
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p><!-- CL 175517 -->
|
||||||
|
The new <a href="/pkg/crypto/tls/#CipherSuites"><code>CipherSuites</code></a>
|
||||||
|
and <a href="/pkg/crypto/tls/#InsecureCipherSuites"><code>InsecureCipherSuites</code></a>
|
||||||
|
functions return a list of currently implemented cipher suites.
|
||||||
|
The new <a href="/pkg/crypto/tls/#CipherSuiteName"><code>CipherSuiteName</code></a>
|
||||||
|
function returns a name for a cipher suite ID.
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p><!-- CL 205058, 205057 -->
|
||||||
|
The new <a href="/pkg/crypto/tls/#ClientHelloInfo.SupportsCertificate">
|
||||||
|
<code>(*ClientHelloInfo).SupportsCertificate</code></a> and
|
||||||
|
<a href="/pkg/crypto/tls/#CertificateRequestInfo.SupportsCertificate">
|
||||||
|
<code>(*CertificateRequestInfo).SupportsCertificate</code></a>
|
||||||
|
methods expose whether a peer supports a certain certificate.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p><!-- CL 174329 -->
|
<p><!-- CL 174329 -->
|
||||||
The <code>tls</code> package no longer supports NPN and now only
|
The <code>tls</code> package no longer supports the legacy Next Protocol
|
||||||
supports ALPN. In previous releases it supported both. There are
|
Negotiation (NPN) extension and now only supports ALPN. In previous
|
||||||
no API changes and code should function identically as before.
|
releases it supported both. There are no API changes and applications
|
||||||
Most other clients & servers have already removed NPN support in
|
should function identically as before. Most other clients and servers have
|
||||||
favor of the standardized ALPN.
|
already removed NPN support in favor of the standardized ALPN.
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p><!-- CL 205063, 205062 -->
|
||||||
|
RSA-PSS signatures are now used when supported in TLS 1.2 handshakes. This
|
||||||
|
won't affect most applications, but custom
|
||||||
|
<a href="/pkg/crypto/tls/#Certificate.PrivateKey"><code>Certificate.PrivateKey</code></a>
|
||||||
|
implementations that don't support RSA-PSS signatures will need to use the new
|
||||||
|
<a href="/pkg/crypto/tls/#Certificate.SupportedSignatureAlgorithms">
|
||||||
|
<code>Certificate.SupportedSignatureAlgorithms</code></a>
|
||||||
|
field to disable them.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
</dl><!-- crypto/tls -->
|
</dl><!-- crypto/tls -->
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user