author | David Anderson <[email protected]> | 2017-01-01 15:16:35 -0800 |
---|---|---|
committer | David Anderson <[email protected]> | 2017-01-01 15:16:35 -0800 |
commit | 09cc4bb6199e7c8ef49d4c3f5e4077b49f892407 (patch) | |
tree | 2c4059e5c41d8ac9da191fc1ebbd4b3933960df5 | |
parent | c41a68d73b757355dbd1f433fc4e2afe161c1f7b (diff) |
Remove support for SSL 3.0.
It's obsolete, actively dangerous, and support has been removed from
all major browsers.
-rw-r--r-- | sni.go | 8 | ||||
-rw-r--r-- | sni_test.go | 20 |
2 files changed, 11 insertions, 17 deletions
@@ -105,8 +105,8 @@ func parseHello(b []byte) ([]byte, error) {
 return nil, fmt.Errorf("ClientHello has unsupported version %d.%d", b[0], b[1])
 }
 switch b[1] {
- case 0, 1, 2, 3:
- // SSL 3, TLS 1.0, TLS 1.1, TLS 1.2
+ case 1, 2, 3:
+ // TLS 1.0, TLS 1.1, TLS 1.2
 default:
 return nil, fmt.Errorf("TLS record has unsupported version %d.%d", b[0], b[1])
 }
@@ -199,8 +199,8 @@ func handshakeRecord(r io.Reader) ([]byte, int, error) {
 return nil, 0, fmt.Errorf("TLS record has unsupported version %d.%d", hdr.Major, hdr.Minor)
 }
 switch hdr.Minor {
- case 0, 1, 2, 3:
- // SSL 3, TLS 1.0, TLS 1.1, TLS 1.2
+ case 1, 2, 3:
+ // TLS 1.0, TLS 1.1, TLS 1.2
 default:
 return nil, 0, fmt.Errorf("TLS record has unsupported version %d.%d", hdr.Major, hdr.Minor)
 }
diff --git a/sni_test.go b/sni_test.go
index a27b90c..8c87d24 100644
--- a/sni_test.go
+++ b/sni_test.go
@@ -152,12 +152,6 @@ func TestHandshakeRecord(t *testing.T) {
 tlsver int
 }{
 {
- // SSL 3.0, 1b packet
- []byte{22, 3, 0, 0, 1, 3},
- []byte{3},
- 0,
- },
- {
 // TLS 1.0, 1b packet
 []byte{22, 3, 1, 0, 1, 3},
 []byte{3},
@@ -229,6 +223,12 @@ func TestHandshakeRecord(t *testing.T) {
 nil,
 0,
 },
+ {
+ // Obsolete SSL 3.0
+ []byte{22, 3, 0, 0, 1, 3},
+ nil,
+ 0,
+ },
 }

 for _, test := range tests {
@@ -308,13 +308,7 @@ func TestParseHello(t *testing.T) {
 true,
 },
 {
- // First valid packet. SSL 3.0, no extensions present.
- packet([]byte{1, 0, 0, 73, 3, 0}, slice(32), []byte{32}, slice(32), []byte{0, 2, 1, 2, 1, 0}),
- nil,
- false,
- },
- {
- // TLS 1.0, no extensions present.
+ // First valid packet. TLS 1.0, no extensions present.
 packet([]byte{1, 0, 0, 73, 3, 1}, slice(32), []byte{32}, slice(32), []byte{0, 2, 1, 2, 1, 0}),
 nil,
 false, |
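Review bot: The set of accepted minor versions is now written out twice, in the `switch b[1]` of this hunk and again in the `switch hdr.Minor` of the handshakeRecord hunk that follows, so a later change to one check can silently leave the other behind. A single helper such as `func supportedTLSMinor(minor byte) bool { return minor >= 1 && minor <= 3 }` called from both switches would keep the record-layer and ClientHello checks in agreement; hdr.Minor's type is not visible here, so confirm it is a byte or converts cleanly. The comment above the case could also name what is now refused, e.g. `// TLS 1.0, TLS 1.1, TLS 1.2; SSL 3.0 (minor 0) falls through to the error below`. parseHello's body continues on both sides of the hunk.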
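Review bot: The SSL 3.0 ClientHello entry in TestParseHello is deleted outright rather than kept as a rejection case, so parseHello's new refusal of minor version 0 (first sni.go hunk) is not exercised by any test, whereas handshakeRecord gains exactly such a case in the preceding hunk. The third field of each entry appears to be the want-error flag (the entry above this one ends in `true,`), so keeping the removed packet with that field flipped would pin the new behaviour; I have not seen the table's struct definition, so confirm the field meaning. TestParseHello begins outside the hunk.
```go
{
	// Obsolete SSL 3.0 ClientHello: must now be rejected.
	packet([]byte{1, 0, 0, 73, 3, 0}, slice(32), []byte{32}, slice(32), []byte{0, 2, 1, 2, 1, 0}),
	nil,
	true,
},
```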