fix!: remove TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher by default #13837
Merged
coadler merged 3 commits into main from colin/remove-3des-cipher
Jul 9, 2024

coadler (Contributor) commented Jul 8, 2024 (edited)

This cipher is included by default in Go as a fallback, but is marked as an insecure cipher. This removes the 3des cipher by default.

Before:

```
$ nmap --script ssl-enum-ciphers -p 443 xxxxxxx
Starting Nmap 7.94 ( https://nmap.org ) at 2024-07-08 14:16 CDT
Nmap scan report for xxxxx (xxx.xxx.xxx.xxx)
Host is up (0.038s latency).
rDNS record for xxx.xxx.xxx.xxx: xxx.xxx.xxx.xxx.bc.googleusercontent.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
```

After:

```
$ nmap --script ssl-enum-ciphers -p 443 xxxxxxx
Starting Nmap 7.94 ( https://nmap.org ) at 2024-07-08 15:04 CDT
Nmap scan report for xxxxx (xxx.xxx.xxx.xxx)
Host is up (0.039s latency).
rDNS record for xxx.xxx.xxx.xxx: xxx.xxx.xxx.xxx.bc.googleusercontent.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
```

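Added example, not part of this pull request or the project's code: one way to pin a Go server's TLS 1.2 suites so 3DES is never offered, plus a helper that audits an existing `tls.Config` for weak suites. The function names `is3DES`, `explicitSuites` and `weakSuites` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// is3DES matches the two 3DES suites Go defines (64-bit block cipher, SWEET32).
func is3DES(id uint16) bool {
	return id == tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ||
		id == tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA
}

// explicitSuites builds a value for tls.Config.CipherSuites: every suite Go
// lists as secure for TLS 1.2, minus 3DES. TLS 1.3 suites are skipped because
// Go does not let callers configure them.
func explicitSuites() []uint16 {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		tls12 := false
		for _, v := range s.SupportedVersions {
			tls12 = tls12 || v == tls.VersionTLS12
		}
		if tls12 && !is3DES(s.ID) {
			ids = append(ids, s.ID)
		}
	}
	return ids
}

// weakSuites names every suite in cfg.CipherSuites that is 3DES or that this
// Go version reports via tls.InsecureCipherSuites.
func weakSuites(cfg *tls.Config) []string {
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	var names []string
	for _, id := range cfg.CipherSuites {
		if is3DES(id) || insecure[id] {
			names = append(names, tls.CipherSuiteName(id))
		}
	}
	return names
}

func main() {
	hardened := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: explicitSuites()}
	fmt.Println("weak suites in hardened config:", weakSuites(hardened))
}
```

`weakSuites` only inspects an explicit list; a nil `CipherSuites` makes Go apply its own defaults, which this helper cannot see, so confirm the result with a scan such as the `ssl-enum-ciphers` run above.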
coadler self-assigned this Jul 8, 2024
coadler changed the title from "fix!(cli): remove TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher by default" to "fix!: remove TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher by default" Jul 8, 2024
github-actions bot added the release/breaking label (This label is applied to PRs to detect breaking changes as part of the release process) Jul 8, 2024
coadler enabled auto-merge (squash) July 9, 2024 17:13
coadler merged commit af00177 into main Jul 9, 2024
28 checks passed
coadler deleted the colin/remove-3des-cipher branch July 9, 2024 17:18
github-actions bot locked and limited conversation to collaborators Jul 9, 2024
Reviewers

Emyrk approved these changes

deansheather approved these changes

Assignees

coadler

Labels

release/breaking