Go

Go

By DeepSource

TLS cipher suite used is considered weak GO-S1029

Security

The cipher suite used is considered weak and might make the program vulnerable to related attacks. Use the function tls.CipherSuites() to get a list of good cipher suites.

tls.InsecureCipherSuites returns a list of cipher suites implemented by crypto/tls package that have security issues. Here are some of the insecure cipher suites that should be avoided:

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

To get a list of recommended cipher suites, use: tls.CipherSuites() from crypto/tls.

Examples

Bad practice

tr := &http.Transport{
    TLSClientConfig: &tls.Config{CipherSuites: []uint16{
        tls.TLS_RSA_WITH_RC4_128_SHA,
        tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
    }},
}

Recommended

tr := &http.Transport{
    TLSClientConfig: &tls.Config{CipherSuites: []uint16{
        tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_RSA_WITH_AES_256_CBC_SHA,
    }},
}

References