
Commit 4510b1b

Update TLS profiles to Mozilla v5.8 (#2631)
Minimal changes to make verify work: - Change INPUT URL from latest.json to 5.8.json - Update ciphers.go to ciphers.iana (Mozilla v5.8 format change) - Add X25519MLKEM768 post-quantum curve constant - Filter out unsupported ciphers not in Go's crypto/tls: - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - TLS_RSA_WITH_AES_256_CBC_SHA256 - Update CHACHA20_POLY1305 constants to include _SHA256 suffix Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
1 parent fd25bf7 commit 4510b1b

3 files changed

+25
-16
lines changed

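--- a/hack/tools/update-tls-profiles.sh
+++ b/hack/tools/update-tls-profiles.sh
@@ -8,7 +8,7 @@ if [ -z "${JQ}" ]; then
 fi
 
 OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.go
-INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
+INPUT=https://ssl-config.mozilla.org/guidelines/5.8.json
 
 TMPFILE="$(mktemp)"
 trap 'rm -rf "$TMPFILE"' EXIT
@@ -38,7 +38,7 @@ cipherNums: []uint16{
 EOF
 
 ${JQ} -r ".configurations.$1.ciphersuites.[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
-${JQ} -r ".configurations.$1.ciphers.go[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
+${JQ} -r ".configurations.$1.ciphers.iana[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
 
 cat >> ${OUTPUT} <<EOF
 },
@@ -65,5 +65,9 @@ generate_profile "modern"
 generate_profile "intermediate"
 generate_profile "old"
 
+# Remove unsupported ciphers from Go's crypto/tls package (Mozilla v5.8 includes these but Go doesn't support them)
+sed -i.bak '/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/d; /TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/d; /TLS_RSA_WITH_AES_256_CBC_SHA256/d' ${OUTPUT}
+rm -f ${OUTPUT}.bak
+
 # Make go happy
 go fmt ${OUTPUT}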
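Review bot: The `sed` filter added after the `generate_profile` calls is a hard-coded deny list, so the generated profiles silently diverge from the pinned Mozilla data and nothing in `mozilla_data.go` records which suites were dropped. Its patterns are unanchored substrings; matching the emitted form, e.g. `/tls\.TLS_RSA_WITH_AES_256_CBC_SHA256,/d`, would keep a later guideline revision from losing a different suite whose name merely contains one of them. I would also have the script write the dropped names into the generated header so a reader of the profile can see the deviation, and reword the comment to `# Drop cipher suites that Mozilla v5.8 lists but Go's crypto/tls does not implement`, since the current wording reads as if they were removed from Go. Now that INPUT is pinned to `5.8.json`, the download step (outside these hunks) could compare the file against a recorded SHA-256 before generating code from it.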

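--- a/internal/shared/util/tlsprofiles/mozilla_data.go
+++ b/internal/shared/util/tlsprofiles/mozilla_data.go
@@ -1,8 +1,8 @@
 package tlsprofiles
 
 // DO NOT EDIT, GENERATED BY hack/tools/update-tls-profiles.sh
-// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/latest.json
-// DATA VERSION: 5.7
+// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/5.8.json
+// DATA VERSION: 5.8
 
 import (
 "crypto/tls"
@@ -18,6 +18,7 @@ var modernTLSProfile = tlsProfile{
 },
 curves: curveSlice{
 curveNums: []tls.CurveID{
+X25519MLKEM768,
 X25519,
 prime256v1,
 secp384r1,
@@ -36,12 +37,13 @@ var intermediateTLSProfile = tlsProfile{
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 },
 },
 curves: curveSlice{
 curveNums: []tls.CurveID{
+X25519MLKEM768,
 X25519,
 prime256v1,
 secp384r1,
@@ -60,8 +62,8 @@ var oldTLSProfile = tlsProfile{
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
@@ -78,6 +80,7 @@ var oldTLSProfile = tlsProfile{
 },
 curves: curveSlice{
 curveNums: []tls.CurveID{
+X25519MLKEM768,
 X25519,
 prime256v1,
 secp384r1,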

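--- a/internal/shared/util/tlsprofiles/tlsprofiles.go
+++ b/internal/shared/util/tlsprofiles/tlsprofiles.go
@@ -69,17 +69,19 @@ func cipherSuiteId(name string) uint16 {
 
 // This is primarily so that we don't have to rewrite curve values in mozilla_data.go
 const (
-X25519 tls.CurveID = tls.X25519
-prime256v1 tls.CurveID = tls.CurveP256
-secp384r1 tls.CurveID = tls.CurveP384
-secp521r1 tls.CurveID = tls.CurveP521
+X25519MLKEM768 tls.CurveID = tls.X25519MLKEM768
+X25519 tls.CurveID = tls.X25519
+prime256v1 tls.CurveID = tls.CurveP256
+secp384r1 tls.CurveID = tls.CurveP384
+secp521r1 tls.CurveID = tls.CurveP521
 )
 
 var curves = map[string]tls.CurveID{
-"X25519": tls.X25519,
-"prime256v1": tls.CurveP256,
-"secp384r1": tls.CurveP384,
-"secp521r1": tls.CurveP521,
+"X25519MLKEM768": tls.X25519MLKEM768,
+"X25519": tls.X25519,
+"prime256v1": tls.CurveP256,
+"secp384r1": tls.CurveP384,
+"secp521r1": tls.CurveP521,
 }
 
 // Returns 0 for an invalid curve name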
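Review bot: `tls.X25519MLKEM768` exists in `crypto/tls` only from Go 1.24 on, so the new constant and map entry raise the minimum toolchain for this package; no `go.mod` change is part of this commit, so confirm the `go` directive already covers it. The comment above the const block still speaks of curve values, while X25519MLKEM768 is a hybrid post-quantum key exchange that `crypto/tls` merely exposes as a `CurveID`; a line such as `// X25519MLKEM768 is a hybrid ML-KEM key exchange, not an elliptic curve; it is listed here because crypto/tls models it as a CurveID.` would help the next reader. The `curves` map repeats the same five values as the constants and could reference them (`"X25519MLKEM768": X25519MLKEM768,`) so the two tables cannot drift. The hunk starts after `cipherSuiteId` and ends on the doc comment of a function whose body is outside it.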
