|
| 1 | +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | +From: bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> |
| 3 | +Date: Fri, 12 Dec 2025 16:46:44 +0100 |
| 4 | +Subject: [PATCH] align TLS settings with Microsoft policies |
| 5 | + |
| 6 | +--- |
| 7 | + doc/godebug.md | 4 ++++ |
| 8 | + src/crypto/tls/defaults.go | 10 +++++++++- |
| 9 | + src/crypto/tls/tls_test.go | 24 ++++++++++++++++++++++++ |
| 10 | + src/internal/godebugs/table.go | 1 + |
| 11 | + 4 files changed, 38 insertions(+), 1 deletion(-) |
| 12 | + |
| 13 | +diff --git a/doc/godebug.md b/doc/godebug.md |
| 14 | +index 28a2dc506ef8ff..8be51c6a136df6 100644 |
| 15 | +--- a/doc/godebug.md |
| 16 | ++++ b/doc/godebug.md |
| 17 | +@@ -183,6 +183,10 @@ APIs ignore the random `io.Reader` parameter. For Go 1.26, it defaults |
| 18 | + to `cryptocustomrand=0`, ignoring the random parameters. Using `cryptocustomrand=1` |
| 19 | + reverts to the pre-Go 1.26 behavior. |
| 20 | + |
| 21 | ++Microsoft build of Go 1.26 added a new `ms_tlsx25519` setting that controls whether |
| 22 | ++`crypto/tls` enables the X25519 and X25519MLKEM768 TLS groups by default. Setting |
| 23 | ++`ms_tlsx25519=0` disables these groups. The default value is `ms_tlsx25519=1`. |
| 24 | ++ |
| 25 | + ### Go 1.25 |
| 26 | + |
| 27 | + Go 1.25 added a new `decoratemappings` setting that controls whether the Go |
| 28 | +diff --git a/src/crypto/tls/defaults.go b/src/crypto/tls/defaults.go |
| 29 | +index 8de8d7e0934b07..0ba8d3ebf0d6e4 100644 |
| 30 | +--- a/src/crypto/tls/defaults.go |
| 31 | ++++ b/src/crypto/tls/defaults.go |
| 32 | +@@ -15,10 +15,18 @@ import ( |
| 33 | + |
| 34 | + var tlsmlkem = godebug.New("tlsmlkem") |
| 35 | + var tlssecpmlkem = godebug.New("tlssecpmlkem") |
| 36 | ++var ms_tlsx25519 = godebug.New("ms_tlsx25519") |
| 37 | + |
| 38 | + // defaultCurvePreferences is the default set of supported key exchanges, as |
| 39 | + // well as the preference order. |
| 40 | +-func defaultCurvePreferences() []CurveID { |
| 41 | ++func defaultCurvePreferences() (groups []CurveID) { |
| 42 | ++ defer func() { |
| 43 | ++ if ms_tlsx25519.Value() == "0" { |
| 44 | ++ groups = slices.DeleteFunc(groups, func(c CurveID) bool { |
| 45 | ++ return c == X25519 || c == X25519MLKEM768 |
| 46 | ++ }) |
| 47 | ++ } |
| 48 | ++ }() |
| 49 | + switch { |
| 50 | + // tlsmlkem=0 restores the pre-Go 1.24 default. |
| 51 | + case tlsmlkem.Value() == "0": |
| 52 | +diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go |
| 53 | +index 5f4a2b9de4fd1f..98726c6e9509d5 100644 |
| 54 | +--- a/src/crypto/tls/tls_test.go |
| 55 | ++++ b/src/crypto/tls/tls_test.go |
| 56 | +@@ -2113,6 +2113,30 @@ func TestHandshakeMLKEM(t *testing.T) { |
| 57 | + expectClient: []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}, |
| 58 | + expectSelected: X25519MLKEM768, |
| 59 | + }, |
| 60 | ++ { |
| 61 | ++ name: "GODEBUG ms_tlsx25519=0", |
| 62 | ++ preparation: func(t *testing.T) { |
| 63 | ++ t.Setenv("GODEBUG", "ms_tlsx25519=0") |
| 64 | ++ }, |
| 65 | ++ expectClient: []CurveID{SecP256r1MLKEM768, SecP384r1MLKEM1024, CurveP256, CurveP384, CurveP521}, |
| 66 | ++ expectSelected: SecP256r1MLKEM768, |
| 67 | ++ }, |
| 68 | ++ { |
| 69 | ++ name: "GODEBUG ms_tlsx25519=0 and tlsmlkem=0", |
| 70 | ++ preparation: func(t *testing.T) { |
| 71 | ++ t.Setenv("GODEBUG", "ms_tlsx25519=0,tlsmlkem=0") |
| 72 | ++ }, |
| 73 | ++ expectClient: []CurveID{CurveP256, CurveP384, CurveP521}, |
| 74 | ++ expectSelected: CurveP256, |
| 75 | ++ }, |
| 76 | ++ { |
| 77 | ++ name: "GODEBUG ms_tlsx25519=0 and tlssecpmlkem=0", |
| 78 | ++ preparation: func(t *testing.T) { |
| 79 | ++ t.Setenv("GODEBUG", "ms_tlsx25519=0,tlssecpmlkem=0") |
| 80 | ++ }, |
| 81 | ++ expectClient: []CurveID{CurveP256, CurveP384, CurveP521}, |
| 82 | ++ expectSelected: CurveP256, |
| 83 | ++ }, |
| 84 | + } |
| 85 | + |
| 86 | + baseConfig := testConfig.Clone() |
| 87 | +diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go |
| 88 | +index 8f6d8bbdda656c..089d7172d5985b 100644 |
| 89 | +--- a/src/internal/godebugs/table.go |
| 90 | ++++ b/src/internal/godebugs/table.go |
| 91 | +@@ -49,6 +49,7 @@ var All = []Info{ |
| 92 | + {Name: "httpservecontentkeepheaders", Package: "net/http", Changed: 23, Old: "1"}, |
| 93 | + {Name: "installgoroot", Package: "go/build"}, |
| 94 | + {Name: "jstmpllitinterp", Package: "html/template", Opaque: true}, // bug #66217: remove Opaque |
| 95 | ++ {Name: "ms_tlsx25519", Package: "crypto/tls", Opaque: true}, |
| 96 | + //{Name: "multipartfiles", Package: "mime/multipart"}, |
| 97 | + {Name: "multipartmaxheaders", Package: "mime/multipart"}, |
| 98 | + {Name: "multipartmaxparts", Package: "mime/multipart"}, |
0 commit comments