crypto/tls: deprecate SSLv3 support
Updates #32716
Change-Id: Ia0c03918e8f2da4d9824c49c6d4cfca1b0787b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/184102
Reviewed-by: Andrew Bonventre <andybons@golang.org>
diff --git a/doc/go1.13.html b/doc/go1.13.html
index 9d2c65b..4240d4b 100644
--- a/doc/go1.13.html
+++ b/doc/go1.13.html
@@ -534,6 +534,14 @@
<dl id="crypto/tls"><dt><a href="/pkg/crypto/tls/">crypto/tls</a></dt>
<dd>
+ <p>
+ Support for SSL version 3.0 (SSLv3) <a href="https://golang.org/issue/32716">
+ is now deprecated and will be removed in Go 1.14</a>. Note that SSLv3
+ <a href="https://tools.ietf.org/html/rfc7568">is cryptographically
+ broken</a>, is already disabled by default in <code>crypto/tls</code>,
+ and was never supported by Go clients.
+ </p>
+
<p><!-- CL 177698 -->
Ed25519 certificates are now supported in TLS versions 1.2 and 1.3.
</p>
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index d135b1f..da1eae0 100644
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -23,11 +23,14 @@
)
const (
- VersionSSL30 = 0x0300
VersionTLS10 = 0x0301
VersionTLS11 = 0x0302
VersionTLS12 = 0x0303
VersionTLS13 = 0x0304
+
+ // Deprecated: SSLv3 is cryptographically broken, and will be
+ // removed in Go 1.14. See golang.org/issue/32716.
+ VersionSSL30 = 0x0300
)
const (