Version: go 1.24.5
Not sure if it's a bug or by design
What did you do?
I created a customized tls.Config without setting the MinVersion or MaxVersion, assuming it would use Go's documented default.
tlsConfig := &tls.Config{}
conn, err := tls.Dial("tcp", "example.com:443", tlsConfig)
I then used tcpdump to get the versions offered by the client.
16 03 01
which indicates 0x301 as TLS 1.0
What did you expect to see?
// MinVersion contains the minimum TLS version that is acceptable.
//
// By default, TLS 1.2 is currently used as the minimum. TLS 1.0 is the
// minimum supported by this package.
so when you set
tlsConfig := &tls.Config{
	MinVersion: tls.VersionTLS12,
	MaxVersion: tls.VersionTLS13,
}
conn, err := tls.Dial("tcp", "example.com:443", tlsConfig)
you will get
16 03 03
which indicates 0x302 as TLS 1.2
Proposed Solution: I think either remove this fallback behavior, or update the documentation to indicate that, if left empty, the initial ClientHello message will start with TLS 1.0.
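A way to check which versions a tls.Config actually puts in its ClientHello, as an added example that is not part of the original issue or of Go's own code: it captures the client's first record over an in-memory net.Pipe and reports the record-header version (the bytes after `16` in a tcpdump capture) separately from ClientHello.legacy_version and the supported_versions extension, which is where a TLS 1.3-capable client lists the versions it offers. The function name CaptureHello and the ServerName "example.com" are choices made for this example.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// CaptureHello returns the three version fields of the client's first record.
func CaptureHello(cfg *tls.Config) (record, legacy uint16, supported []uint16, err error) {
	defer func() {
		if recover() != nil { // out-of-range slice below: short message
			err = errors.New("truncated ClientHello")
		}
	}()
	cfg = cfg.Clone()
	cfg.ServerName = "example.com" // constructed placeholder, never resolved
	cli, srv := net.Pipe()
	defer srv.Close() // unblocks the client goroutine
	go func() { tls.Client(cli, cfg).Handshake(); cli.Close() }()
	u16, hdr, b := binary.BigEndian.Uint16, make([]byte, 5), []byte{}
	if _, err = io.ReadFull(srv, hdr); err == nil { // type(1) version(2) length(2)
		b = make([]byte, u16(hdr[3:]))
		_, err = io.ReadFull(srv, b)
	}
	if err != nil || hdr[0] != 22 || b[0] != 1 {
		return 0, 0, nil, errors.New("first record is not a ClientHello")
	}
	record, legacy = u16(hdr[1:]), u16(b[4:]) // record header; legacy_version
	p := b[4+2+32:]       // skip handshake header, legacy_version, random
	p = p[1+int(p[0]):]   // session_id
	p = p[2+int(u16(p)):] // cipher_suites
	p = p[1+int(p[0]):]   // compression_methods
	for p = p[2:]; len(p) >= 4; p = p[4+int(u16(p[2:])):] { // type(2) len(2) data
		for e := p[4 : 4+int(u16(p[2:]))]; u16(p) == 43 && len(e) >= 3; e = e[2:] {
			supported = append(supported, u16(e[1:])) // type 43; e[0] is list length
		}
	}
	return record, legacy, supported, nil
}

func main() {
	for _, c := range []*tls.Config{{}, {MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS13}} {
		rec, leg, sup, err := CaptureHello(c)
		fmt.Printf("record=%#04x legacy_version=%#04x supported_versions=%#04x err=%v\n", rec, leg, sup, err)
	}
}
```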
Comment From: gabyhelp
Related Issues
- crypto/tls: TLS 1.0 is not min version by default in HTTP server #33837 (closed)
- crypto/tls: make default minimum version for servers TLS 1.2 #62459 (closed)
- crypto/tls: package says it implements TLS 1.1, but actually implements SSL 3.0 and TLS 1.0, but not 1.1 #3216 (closed)
- crypto/tls: cipher suite configuration is ignored breaking existing code #31072 (closed)
- crypto/tls: ClientHello offers a long list of old cipher suites even though MinVersion is set to TLS 1.3 #59332 (closed)
- crypto/tls: incorrect ciphers advertised in TLS 1.3 only mode #57771 (closed)
- crypto/tls: set TLSPlaintext.version to MinVersion #31104 (closed)
- crypto/tls: should apply default NextProtos to the result of GetConfigForClient #70214