crypto/tls: TLS 1.0 is not min version by default in HTTP server

[nwtgck]

What version of Go are you using (go version)?

$ go version
go version go1.12.9 darwin/amd64

Does this issue reproduce with the latest release?

Yes. 1.12.9 is the latest release now.

What did you do? - Test code

Here is very simple HTTPS server code. You can choose &tls.Config{} or &tls.Config{MinVersion: tls.VersionTLS10} by the comment.

// main.go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
)

func main() {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = fmt.Fprintln(w, "<h1>hello, world</h1>")
	})

	// Start HTTP server
	fmt.Println("Listening...")

	// TLS config
	// NOTE: Switch by comment
	tlsConfig := &tls.Config{}
	//tlsConfig := &tls.Config{MinVersion: tls.VersionTLS10}

	server := &http.Server{Addr: ":8443", Handler: handler, TLSConfig: tlsConfig}
	// Start HTTPS server
	if err := server.ListenAndServeTLS("./ssl_certs/server.crt", "./ssl_certs/server.key"); err != nil {
		log.Fatal(err.Error())
	}
}

Run

go run main.go

What did you expect to see? & What did you see instead?

Testing

I use the following command to confirm whether SSLv3 is supported or not.

openssl s_client -connect localhost:8443 -ssl3

When using &tls.Config{}, SSLv3 is NOT rejected.
When using &tls.Config{MinVersion: tls.VersionTLS10}, SSLv3 is rejected and the server emits "http: TLS handshake error from 127.0.0.1:65528: tls: client offered only unsupported versions: [300]", which is my expectation.

I expect both &tls.Config{} and &tls.Config{MinVersion: tls.VersionTLS10} cases reject SSLv3, but that was not true. The official document says "If zero, then TLS 1.0 is taken as the minimum" like the following.

Document

// MinVersion contains the minimum SSL/TLS version that is acceptable.
// If zero, then TLS 1.0 is taken as the minimum.
MinVersion uint16

from: tls - The Go Programming Language

In the document, MinVersion should be TLS 1.0, so I think it rejects SSLv3. However, the server allows SSLv3.

[bcmills]

CC @FiloSottile

[gopherbot]

Change https://golang.org/cl/191877 mentions this issue: crypto/tls: make SSLv3 again disabled by default

[nwtgck]

Is this vulnerable? In default, HTTP server in Go 1.12 has a possibility of downgrade attack?

[FiloSottile]

No, SSLv3 is broken, but not so broken that TLS connections can be downgraded to it arbitrarily by an attacker. Virtually all clients don't do insecure fallbacks anymore (and haven't for years), and in any case we support TLS_FALLBACK_SCSV.

This does not pose a threat to clients that support TLS, but it will allow clients that only support SSLv3 to connect insecurely, which should not be the case.

[gopherbot]

Change https://golang.org/cl/191998 mentions this issue: [release-branch.go1.13] crypto/tls: make SSLv3 again disabled by default

[nwtgck]

@FiloSottile Thank you very much for your explanation and fix!

[FiloSottile]

Thank you for catching this just in time for Go 1.13!

[nwtgck]

@FiloSottile I'm looking forward to Go 1.13 release!