Yes, I'm aware it's intentional, but it causes a lower security grade on SSLLabs <https://ssllabs.com/>.

On Thu, Aug 25, 2022 at 1:20 PM 'Sean Liao' via golang-nuts <golang-nuts@googlegroups.com> wrote:

> This is intentional, see https://go.dev/issue/45430
>
> - sean
>
> On Thu, Aug 25, 2022, 19:07 'Diana Tuck' via golang-nuts <golang-nuts@googlegroups.com> wrote:
>
>> Since upgrading to 1.17 in which the cipher order is determined by the
>> golang lib, clients that previously negotiated with more secure ciphers are
>> now using less secure ciphers.
>>
>> We see that Windows 7 and 8 clients can no longer negotiate using 0xc027
>> and are instead using 0x9c, which is lower in both of their preference
>> order.
>>
>> On 1.16, using testssl.sh, for example:
>>
>>   IE 11 Win 7          TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
>>   IE 11 Win 8.1        TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
>>   IE 11 Win Phone 8.1  TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
>>   IE 11 Win 10         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
>>
>> And since upgrading to 1.17 (and 1.18):
>>
>>   IE 11 Win 7          TLSv1.2 AES128-GCM-SHA256, No FS
>>   IE 11 Win 8.1        TLSv1.2 AES128-GCM-SHA256, No FS
>>   IE 11 Win Phone 8.1  TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
>>   IE 11 Win 10         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
>>
>> Win 7
>> <https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207&key=95>
>> and Win 8.1
>> <https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%208.1&key=134>
>> prefer 0xc027 over 0x9c, but now both negotiate using 0x9c.
>>
>> We could theoretically solve this by removing 0x9c from our supported
>> cipher suites to force the selection of 0xc027, but unfortunately we
>> need to keep supporting these older clients.
>>
>> I wanted to check here to see if anyone has any suggestions before filing
>> a bug, because in my opinion, the client cipher suite order preference
>> should be honored at the very least even if the server preference is no
>> longer honored.

--
Thank you,
Diana Tuck
Software Engineer
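
One way to keep 0x9c available for clients that offer nothing better while preventing its selection for clients that also offer 0xc027, as an added example that is not from the thread or the Go project: a `GetConfigForClient` callback that narrows `CipherSuites` per ClientHello. The suite lists, the names `suitesFor` and `perClientConfig`, and the sample ClientHello are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Constructed allow-list for this example: forward-secret suites, including 0xc027.
var ecdheSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, // 0xc027
}

// allSuites adds 0x009c (static RSA, no forward secrecy) for clients with nothing better.
var allSuites = append(append([]uint16{}, ecdheSuites...), tls.TLS_RSA_WITH_AES_128_GCM_SHA256)

// suitesFor returns the suites to enable for one ClientHello: only the ECDHE
// suites when the client offers at least one of them, otherwise the full list.
func suitesFor(offered []uint16) []uint16 {
	for _, o := range offered {
		for _, s := range ecdheSuites {
			if o == s {
				return ecdheSuites
			}
		}
	}
	return allSuites
}

// perClientConfig adapts suitesFor to tls.Config.GetConfigForClient.
// CipherSuites only governs TLS 1.0-1.2; TLS 1.3 suites are not configurable.
func perClientConfig(base *tls.Config) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		cfg.CipherSuites = suitesFor(hello.CipherSuites)
		return cfg, nil
	}
}

func main() {
	get := perClientConfig(&tls.Config{MinVersion: tls.VersionTLS12}) // real servers also set Certificates
	// Constructed ClientHello suite list in the style of an older Windows client.
	cfg, _ := get(&tls.ClientHelloInfo{CipherSuites: []uint16{0xc028, 0xc027, 0x009d, 0x009c}})
	for _, id := range cfg.CipherSuites {
		fmt.Printf("0x%04x %s\n", id, tls.CipherSuiteName(id))
	}
}
```

With the per-client list narrowed this way, the server's own ordering can only choose among forward-secret suites for any client that supports one.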