diff --git a/doc/go1.22.html b/doc/go1.22.html index bf01cffce0..792ea655ac 100644 --- a/doc/go1.22.html +++ b/doc/go1.22.html @@ -363,32 +363,22 @@ defer func() {
- TODO: https://go.dev/issue/43922: implement RFC7627 +
+ ConnectionState.ExportKeyingMaterial
will now
+ return an error unless TLS 1.3 is in use, or the extended_master_secret
extension is supported by both the server and
+ client. crypto/tls
has supported this extension since Go 1.20. This can be disabled with the
+ tlsunsafeekm=1
GODEBUG setting.
- TODO: https://go.dev/issue/62459: make default minimum version for servers TLS 1.2 +
+ By default, the minimum version offered by crypto/tls
servers is now TLS 1.2 if not specified with
+ config.MinimumVersion
, matching the behavior of crypto/tls
+ clients. This change can be reverted with the tls10server=1
GODEBUG setting.
- TODO: https://go.dev/issue/63413: disable RSA key exchange cipher suites by default -
- -- TODO: https://go.dev/cl/514997: crypto/tls: change SendSessionTicket to take an options struct; modified api/go1.21.txt -
- -- TODO: https://go.dev/cl/541516: crypto/tls: change default minimum version to 1.2 -
- -- TODO: https://go.dev/cl/541517: crypto/tls: remove RSA KEX ciphers from the default list -
- -- TODO: https://go.dev/cl/544155: crypto/tls: disable ExportKeyingMaterial without EMS +
+ By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3
+ handshakes. This change can be reverted with the tlsrsakex=1
GODEBUG setting.
- TODO: https://go.dev/issue/57178: support code-constrained roots
+ The new CertPool.AddCertWithConstraint
+ method can be used to add customized constraints to root certificates to be applied during chain building.
- TODO: https://go.dev/issue/58922: add android user trusted CA folder as a possible source for certificate retrieval +
+ On Android, root certificates will now be loaded from /data/misc/keychain/certs-added
as well as /system/etc/security/cacerts
.
- TODO: https://go.dev/issue/60665: introduce new robust OID type & use it for certificate policies -
+
+ A new type, OID
, supports ASN.1 Object Identifiers with individual
+ components larger than 31 bits. A new field which uses this type, Policies
,
+ is added to the Certificate
struct, and is now populated during parsing. Any OIDs which cannot be represented
+ using a asn1.ObjectIdentifier
will appear in Policies
,
+ but not in the old PolicyIdentifiers
field.
-
- TODO: https://go.dev/cl/519315: crypto/x509: implement AddCertWithConstraint; modified api/next/57178.txt -
- -
- TODO: https://go.dev/cl/520535: crypto/x509: add new OID type and use it in Certificate; modified api/next/60665.txt
+ When calling CreateCertificate
, the Policies
field is ignored, and
+ policies are taken from the PolicyIdentifiers
field. Using the x509usepolicies=1
GODEBUG setting inverts this,
+ populating certificate policies from the Policies
field, and ignoring the PolicyIdentifiers
field. We may change the
+ default value of x509usepolicies
in Go 1.23, making Policies
the default field for marshaling.
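Review bot: In the added paragraph on the server minimum version, "config.MinimumVersion" does not match the crypto/tls field, which is Config.MinVersion, so a reader searching the package docs for the name as written will not find it. Suggest "if not specified with config.MinVersion". Two smaller points in the same hunk: in the ExportKeyingMaterial paragraph, "This can be disabled with the tlsunsafeekm=1 GODEBUG setting" directly follows a sentence about extension support, so "This" can be read as disabling the extension rather than the new error. Naming the check explicitly (for example "This check can be disabled with ...") removes the ambiguity, which matters because the setting re-enables exporting keying material on connections without extended_master_secret. In the OID paragraph, "using a asn1.ObjectIdentifier" should read "using an asn1.ObjectIdentifier".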