crypto/tls: disable client-side TLS 1.0 and TLS 1.1

[FiloSottile]

TLS 1.0 and TLS 1.1 are legacy versions of TLS with significant robustness and complexity issues. They use SHA-1 in the handshake and they don't support AEAD cipher suites, meaning they require Encrypt-then-MAC CBC cipher suites that are vulnerable to side channel attacks. TLS 1.0 requires clunky countermeasures for attacks against CBC cipher suites.

TLS 1.2 was standardized in 2008. RFC 8996 strongly deprecated TLS 1.0 and TLS 1.1. All modern browsers removed support for TLS 1.0 and TLS 1.1 in 2020. PCI compliance has required TLS 1.2 since 2018. NIST guidelines require TLS 1.1 since 2014 and TLS 1.2 since 2019.

In terms of how the real world looks like, SSL Pulse says that only 0.7% of surveyed sites only support TLS 1.0. No websites supports TLS 1.1 but not TLS 1.2. Note that this data is not weighted by popularity. Since browsers removed TLS 1.0 and TLS 1.1 support, there are no connections numbers, but it was significantly lower before turndown.

On the client side the landscape is not as bright. Can I use says only 98.16% of web clients support TLS 1.2. I remember server-side connection numbers to be a little better, but not as good as client-side numbers.

There is also generally a qualitative difference between TLS 1.0 clients and TLS 1.0 servers. The former imply an outdated device, which can be expensive to replace, but possibly still serviceable. The latter implies a catastrophically out of date server which is not safe to use and must be updated.

Based on this, I propose a multi-stage plan for turning off and eventually removing TLS 1.0 and TLS 1.1.

I am requesting approval for the first stage, and will go through the proposal process again for each successive stage.

Stage 1

When zero, Config.MinVersion is changed to default to VersionTLS12 on the client side.

This can be overridden by setting Config.MinVersion (or with a temporary GODEBUG value).

Pre-announce this in Go 1.17, implement it in Go 1.18, remove the GODEBUG switch in Go 1.19.

Stage 2

When zero, Config.MinVersion is changed to default to VersionTLS12 on the server side.

This can be overridden by setting Config.MinVersion (or with a temporary GODEBUG value).

Pre-announce this in TBD, implement it in TBD+1, remove the GODEBUG switch in TBD+2.

(Stage 2, whenever it comes, might also be a good time to disable by default TLS 1.0-correlated ciphersuites like 3DES.)

Stage 3

TLS 1.0 and TLS 1.1 are turned off.

This can be temporarily overridden by both setting Config.MinVersion and a GODEBUG value simultaneously.

Pre-announce this in TBD, implement it in TBD+1, remove the GODEBUG switch and all TLS 1.0 and TLS 1.1 code in TBD+2.

(Stage 3, whenever it comes, might also be a good time to remove other off-by-default things like RC4 and 3DES.)

[tmthrgd]

Stage 3 seems like a copy-paste typo. If the protocols have been removed (code yeeted), then I don’t see how they could possibly be re-enabled
at run-time.

[FiloSottile]

Stage 3 seems like a copy-paste typo. If the protocols have been removed (code yeeted), then I don’t see how they could possibly be re-enabled at run-time.

The code will be yeeted at TBD+2, in TBD+1 it will behave as if it was removed unless GODEBUG is set. The difference is that Config.MinVersion will stop working.

[tmthrgd]

Stage 3 seems like a copy-paste typo. If the protocols have been removed (code yeeted), then I don’t see how they could possibly be re-enabled at run-time.

The code will be yeeted at TBD+2, in TBD+1 it will behave as if it was removed unless GODEBUG is set. The difference is that Config.MinVersion will stop working.

Ah I see, I see. That makes sense. It might help to clarify that in “This can be temporarily overridden with both Config.MinVersion and a GODEBUG value.” because that seems to state they’d both keep working during the transition.

[rsc]

Retitled to be clear this proposal discussion and potential approval is only for "Stage 1".

[rsc]

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

[ucirello]

I'd like to oppose this proposal - both its first stage and in its entirety. With the caveat that I would be OK to replace the code I use with an extended library version of the packages (golang.org/x).

The data you put forward assumes publicly visible servers. In private networking the mentality that says "if it is not broken, don't fix it" creates a dramatically different reality. The fact is that I still need to interface with a lot of software with broken crypto (SSLv3, TLS1.0 etc).

The introduction and adoption of this proposal would create me a very big problem - in order to keep interfacing with old software, I would have to keep my own go installation frozen in time, or bear the cost of keeping a fork.

Please, reconsider this proposal - either don't proceed with it, or offer an extended library that I could keep using.

Thanks @FiloSottile @rsc

[FiloSottile]

The fact is that I still need to interface with a lot of software with broken crypto (SSLv3, TLS1.0 etc).

If you need SSLv3 I assume you are already using a fork?

Since this is a proposal for approval of Stage 1, are you saying you need to connect to servers which don't support TLS 1.2? That would imply no modern browsers can connect to them either, so could you share what kind of software that is? How does that software get security updates? What timeline would you estimate for that software to get TLS 1.2 support?

[ucirello]

If you need SSLv3 I assume you are already using a fork?

Or in my case, I have at least some deployments running an old version of the code. So these customers are stuck with older versions.

Since this is a proposal for approval of Stage 1, are you saying you need to connect to servers which don't support TLS 1.2?

Correct

That would imply no modern browsers can connect to them either, so could you share what kind of software that is?

Database Protocols Software and ancient deployments of remote desktop sharing software.

How does that software get security updates? What timeline would you estimate for that software to get TLS 1.2 support?

I don't believe they do. And the timeline is none. Because, "if it is not broken, don't fix it". Sad, I know.

[FiloSottile]

How does that software get security updates? What timeline would you estimate for that software to get TLS 1.2 support?

I don't believe they do. And the timeline is none. Because, "if it is not broken, don't fix it". Sad, I know.

I feel for who has to maintain those systems, but making modern well-run systems pay (because remember that complexity has a security cost, in more ways than one) for systems that decided to be permanently insecure is not an option, sorry.

Anyway, it sounds like you wouldn't be affected by this change until Stage 3. Do you have any objections to Stage 1? Why?

[mvdan]

Presumably, systems insisting on sticking to deprecated versions of TLS could also just stay on an older version of Go? I get that upgrading Go has other benefits, but I'm fully with @FiloSottile that keeping that use case working for a long time seems like the wrong tradeoff.