From 1b7fefc91f7779c886a307c809144b57d84ed35e Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Tue, 28 Jan 2020 14:37:58 -0800 Subject: [PATCH] doc/go1.14: add crypto/tls release notes A few minor changes that didn't feel worth mentioning: * CL 205059: support leaving Certificates/GetCertificate nil if GetConfigForClient is set * CL 205059: send the unrecognized_name alert when there are no available certificates * CL 205068: add correct names for CHACHA20_POLY1305 ciphersuite constants * CL 204046: fix CreateCRL for Ed25519 CAs * CL 205058: add CertificateRequestInfo.Version Change-Id: Ie820fb0c6842e669edde031132c7cda5b09e7682 Reviewed-on: https://go-review.googlesource.com/c/go/+/216759 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Ian Lance Taylor --- doc/go1.14.html | 56 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 49 insertions(+), 7 deletions(-) diff --git a/doc/go1.14.html b/doc/go1.14.html index 655144201f..75e04a6821 100644 --- a/doc/go1.14.html +++ b/doc/go1.14.html @@ -453,19 +453,61 @@ TODO
crypto/tls

- TODO: https://golang.org/cl/191976: remove SSLv3 support + Support for SSL version 3.0 (SSLv3) has been removed. Note that SSLv3 is the + cryptographically broken + protocol predating TLS.

- TODO: https://golang.org/cl/191999: remove TLS 1.3 opt-out + TLS 1.3 can't be disabled via the GODEBUG environment + variable anymore. Use the + Config.MaxVersion + field to configure TLS versions. +

+ +

+ When multiple certificate chains are provided through the + Config.Certificates + field, the first one compatible with the peer is now automatically + selected. This allows for example providing an ECDSA and an RSA + certificate, and letting the package automatically select the best one. + Note that the performance of this selection is going to be poor unless the + Certificate.Leaf + field is set. +

+ +

+ The new CipherSuites + and InsecureCipherSuites + functions return a list of currently implemented cipher suites. + The new CipherSuiteName + function returns a name for a cipher suite ID. +

+ +

+ The new + (*ClientHelloInfo).SupportsCertificate and + + (*CertificateRequestInfo).SupportsCertificate + methods expose whether a peer supports a certain certificate.

- The tls package no longer supports NPN and now only - supports ALPN. In previous releases it supported both. There are - no API changes and code should function identically as before. - Most other clients & servers have already removed NPN support in - favor of the standardized ALPN. + The tls package no longer supports the legacy Next Protocol + Negotiation (NPN) extension and now only supports ALPN. In previous + releases it supported both. There are no API changes and applications + should function identically as before. Most other clients and servers have + already removed NPN support in favor of the standardized ALPN. +

+ +

+ RSA-PSS signatures are now used when supported in TLS 1.2 handshakes. This + won't affect most applications, but custom + Certificate.PrivateKey + implementations that don't support RSA-PSS signatures will need to use the new + + Certificate.SupportedSignatureAlgorithms + field to disable them.

-- 2.50.0