doc/go1.18: add crypto/tls, crypto/x509, and crypto/elliptic release …

…notes Updates #45428 Updates #41682 Change-Id: I811bc4f8ec8de6b6db6a2917e265a72134a05e78 Reviewed-on: https://go-review.googlesource.com/c/go/+/382454 Trust: Filippo Valsorda <[email protected]> Trust: Katie Hockman <[email protected]> Reviewed-by: Katie Hockman <[email protected]>
golang · Feb 2, 2022 · a9384ee · a9384ee
1 parent 53d6a72
commit a9384ee
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/doc/go1.18.html b/doc/go1.18.html
@@ -546,6 +546,39 @@ <h3 id="netip">New <code>net/netip</code> package</h3>
   <a href="/pkg/net/#UDPAddr.AddrPort"><code>UDPAddr.AddrPort</code></a>.
 </p>
 
+<h3 id="tls10">TLS 1.0 and 1.1 disabled by default client-side</h3>
+
+<p><!-- CL 359779, golang.org/issue/45428 -->
+  If <a href="/pkg/crypto/tls/#Config.MinVersion"><code>Config.MinVersion</code></a>
+  is not set, it now defaults to TLS 1.2 for client connections. Any safely
+  up-to-date server is expected to support TLS 1.2, and browsers have required
+  it since 2020. TLS 1.0 and 1.1 are still supported by setting
+  <code>Config.MinVersion</code> to <code>VersionTLS10</code>.
+  The server-side default is unchanged at TLS 1.0.
+</p>
+
+<p>
+  The default can be temporarily reverted to TLS 1.0 by setting the
+  <code>GODEBUG=tls10default=1</code> environment variable.
+  This option will be removed in Go 1.19.
+</p>
+
+<h3 id="sha1">Rejecting SHA-1 certificates</h3>
+
+<p><!-- CL 359777, golang.org/issue/41682 -->
+  <code>crypto/x509</code> will now
+  reject certificates signed with the SHA-1 hash function. This doesn't
+  apply to self-signed root certificates. Practical attacks against SHA-1
+  <a href="https://shattered.io/">have been demonstrated since 2017</a> and publicly
+  trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
+</p>
+
+<p>
+  This can be temporarily reverted by setting the
+  <code>GODEBUG=x509sha1=1</code> environment variable.
+  This option will be removed in Go 1.19.
+</p>
+
 <h3 id="minor_library_changes">Minor changes to the library</h3>
 
 <p>
@@ -598,6 +631,35 @@ <h3 id="minor_library_changes">Minor changes to the library</h3>
   </dd>
 </dl><!-- bytes -->
 
+<dl id="crypto/elliptic"><dt><a href="/pkg/crypto/elliptic/">crypto/elliptic</a></dt>
+  <dd>
+    <p><!-- CL 320071, CL 320072, CL 320074, CL 361402, CL 360014 -->
+      The <a href="/pkg/crypto/elliptic#P224"><code>P224</code></a>,
+      <a href="/pkg/crypto/elliptic#P384"><code>P384</code></a>, and
+      <a href="/pkg/crypto/elliptic#P521"><code>P521</code></a> curve
+      implementations are now all backed by code generated by the
+      <a href="https://github.com/mmcloughlin/addchain">addchain</a> and
+      <a href="https://github.com/mit-plv/fiat-crypto">fiat-crypto</a>
+      projects, the latter of which is based on a formally-verified model
+      of the arithmetic operations. They now use safer complete formulas
+      and internal APIs. P-224 and P-384 are now approximately four times
+      faster. All specific curve implementations are now constant-time.
+    </p>
+
+    <p>
+      Operating on invalid curve points (those for which the
+      <code>IsOnCurve</code> method returns false, and which are never returned
+      by <a href="/pkg/crypto/elliptic#Unmarshal"><code>Unmarshal</code></a> or
+      a <code>Curve</code> method operating on a valid point) has always been
+      undefined behavior, can lead to key recovery attacks, and is now
+      unsupported by the new backend. If an invalid point is supplied to a
+      <code>P224</code>, <code>P384</code>, or <code>P521</code> method, that
+      method will now return a random point. The behavior might change to an
+      explicit panic in a future release.
+    </p>
+  </dd>
+</dl><!-- crypto/elliptic -->
+
 <dl id="crypto/tls"><dt><a href="/pkg/crypto/tls/">crypto/tls</a></dt>
   <dd>
     <p><!-- CL 325250 -->