Description
Go version
go version 1.23.3 X86_64/linux
Output of go env in your module/workspace:
GO111MODULE='on'
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/tmpusr/.cache/go-build'
GOENV='/home/tmpusr/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/tmpusr/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/tmpusr/go'
GOPRIVATE=''
GOPROXY='https://goproxy.cn'
GOROOT='/media/vdc/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/media/vdc/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.3'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/tmpusr/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/media/vdc/MyProjects/GoProjects/tlstest/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1584434915=/tmp/go-build -gno-record-gcc-switches'
What did you do?
Using Go 1.23.3, I wrote a simple HTTPS file-download program:
package main

import (
	"crypto/tls"
	"io"
	"log"
	"net/http"
	"os"
)

func main() {
	// Pin the client to TLS 1.2 with a single CBC-mode cipher suite.
	tlsConfig := &tls.Config{
		MinVersion:               tls.VersionTLS12,
		MaxVersion:               tls.VersionTLS12,
		NextProtos:               []string{"http/1.1"},
		CipherSuites:             []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
		InsecureSkipVerify:       true, // certificate verification is disabled
		PreferServerCipherSuites: true,
	}
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: tlsConfig,
		},
	}

	// Use the URL from the command line, or fall back to the local test server.
	var url string
	if len(os.Args) < 2 {
		url = "https://127.0.0.1:14433/1k.txt"
	} else {
		url = os.Args[1]
	}

	resp, err := client.Get(url)
	if err != nil {
		log.Fatalf("get error: %v", err)
	}
	defer resp.Body.Close()

	file, err := os.Create("1m.file")
	if err != nil {
		log.Fatalf("create error: %v", err)
	}
	defer file.Close()

	// Stream the response body to disk.
	_, err = io.Copy(file, resp.Body)
	if err != nil {
		log.Fatalf("write error %v", err)
	}
	log.Println("all success")
}
What did you see happen?
The packets sent by the client.Get function are as follows:
There is no encrypt_then_mac extension in the TLS Client Hello packet; the HMAC mode is mac_then_encrypt.
The Go language's crypto/tls API does not support the encrypt_then_mac extension field.
Here is the description of encrypt_then_mac in RFC 7366:
The use of encrypt-then-MAC is negotiated via TLS/DTLS extensions as defined in TLS [2]. On connecting, the client includes the encrypt_then_mac extension in its client_hello if it wishes to use encrypt-then-MAC rather than the default MAC-then-encrypt. If the server is capable of meeting this requirement, it responds with an encrypt_then_mac in its server_hello. The "extension_type" value for this extension SHALL be 22 (0x16), and the "extension_data" field of this extension SHALL be empty. The client and server MUST NOT use encrypt-then-MAC unless both sides have successfully exchanged encrypt_then_mac extensions.
What did you expect to see?
crypto/tls/handshake_messages.go: clientHelloMsg.marshalMsg and unmarshal support encrypt_then_mac.
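A way to check this without a packet capture, as an added example that is not part of the original issue or the Go project's code: it captures the ClientHello that crypto/tls emits over an in-memory pipe and walks its extension list looking for type 22. The helper names `vec` and `offersExtension` and the server name `example.test` are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net"
)

// vec splits a vector with a w-byte big-endian length prefix off the front of p.
func vec(p []byte, w int) (body, rest []byte, ok bool) {
	n := 0
	for i := 0; i < w && len(p) >= w; i++ {
		n = n<<8 | int(p[i])
	}
	if len(p) < w+n {
		return nil, nil, false
	}
	return p[w : w+n], p[w+n:], true
}

// offersExtension reports whether the ClientHello crypto/tls emits for cfg lists type want.
func offersExtension(cfg *tls.Config, want int) (bool, error) {
	c, s := net.Pipe()
	defer s.Close() // makes the client's handshake fail and return
	go tls.Client(c, cfg).Handshake()
	buf := make([]byte, 1<<15) // crypto/tls sends the record in one Write
	n, err := io.ReadAtLeast(s, buf, 43)
	if err != nil || buf[5] != 1 { // handshake type 1 = client_hello
		return false, fmt.Errorf("no ClientHello captured: %v", err)
	}
	p := buf[43:n] // skip record(5) and handshake(4) headers, version(2), random(32)
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression
		_, p, _ = vec(p, w)
	}
	exts, _, ok := vec(p, 2)
	for ok && len(exts) >= 2 {
		t := int(exts[0])<<8 | int(exts[1])
		if _, exts, ok = vec(exts[2:], 2); ok && t == want {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	cfg := &tls.Config{MaxVersion: tls.VersionTLS12, ServerName: "example.test", // constructed name
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}} // suite from the issue
	fmt.Println(offersExtension(cfg, 22)) // 22 = encrypt_then_mac (RFC 7366)
}
```

Querying type 0 (server_name) with the same config returns true, which confirms the walk reaches the extension list rather than failing silently.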