crypto/tls: TestBoringClientHello failure

Question

crypto/tls: TestBoringClientHello failure

derekparker opened this issue 2 years ago · comments

Testing the latest commit on master I'm now seeing the following failure:

--- FAIL: TestBoringClientHello (0.00s)
    boring_test.go:292: client offered disallowed suite 0x1303
FAIL
FAIL    crypto/tls      2.827s

Derek Parker · Answer 1 · Sat Oct 01 2022 02:44:35 GMT+0800 (China Standard Time)

I believe this is because we've started enabling TLS 1.3, the disallowed suite causing the test to fail is TLS_CHACHA20_POLY1305_SHA256.

cc @ueno

Derek Parker · Answer 2 · Sat Oct 01 2022 02:45:36 GMT+0800 (China Standard Time)

https://github.com/golang/go/blob/release-branch.go1.19/src/crypto/tls/cipher_suites.go#L692

Daiki Ueno · Answer 3 · Mon Oct 03 2022 13:12:05 GMT+0800 (China Standard Time)

Hmm, that's strange, as we exclude TLS_CHACHA20_POLY1305_SHA256 here and here. I've tried to reproduce with the following, but couldn't.

$ fips-mode-setup --check
FIPS mode is enabled.
$ cd go
# apply patches
$ cd src
$ ./make.bash
$ cd ..
$ export GOROOT=$PWD
$ export PATH="$GOROOT/bin:$PATH"
$ cd src/crypto/tls
$ GOLANG_FIPS=1 go test -v -run "Boring"
=== RUN   TestBoringClientHello
--- PASS: TestBoringClientHello (0.00s)

Derek Parker · Answer 4 · Tue Oct 11 2022 00:17:10 GMT+0800 (China Standard Time)

@ueno run it without GOLANG_FIPS=1 and it should fail.

David Benoit · Answer 5 · Tue Oct 18 2022 00:16:04 GMT+0800 (China Standard Time)

Fixed by #54