Remove support for SSL 3.0.

danderson · danderson · commit 09cc4bb6199e · 2017-01-01T15:16:35.000-08:00
It's obsolete, actively dangerous, and support has been removed from
all major browsers.
diff --git a/sni.go b/sni.go
@@ -105,8 +105,8 @@ func parseHello(b []byte) ([]byte, error) {
 		return nil, fmt.Errorf("ClientHello has unsupported version %d.%d", b[0], b[1])
 	}
 	switch b[1] {
-	case 0, 1, 2, 3:
-		// SSL 3, TLS 1.0, TLS 1.1, TLS 1.2
+	case 1, 2, 3:
+		// TLS 1.0, TLS 1.1, TLS 1.2
 	default:
 		return nil, fmt.Errorf("TLS record has unsupported version %d.%d", b[0], b[1])
 	}
@@ -199,8 +199,8 @@ func handshakeRecord(r io.Reader) ([]byte, int, error) {
 		return nil, 0, fmt.Errorf("TLS record has unsupported version %d.%d", hdr.Major, hdr.Minor)
 	}
 	switch hdr.Minor {
-	case 0, 1, 2, 3:
-		// SSL 3, TLS 1.0, TLS 1.1, TLS 1.2
+	case 1, 2, 3:
+		// TLS 1.0, TLS 1.1, TLS 1.2
 	default:
 		return nil, 0, fmt.Errorf("TLS record has unsupported version %d.%d", hdr.Major, hdr.Minor)
 	}
diff --git a/sni_test.go b/sni_test.go
@@ -151,12 +151,6 @@ func TestHandshakeRecord(t *testing.T) {
 		out    []byte
 		tlsver int
 	}{
-		{
-			// SSL 3.0, 1b packet
-			[]byte{22, 3, 0, 0, 1, 3},
-			[]byte{3},
-			0,
-		},
 		{
 			// TLS 1.0, 1b packet
 			[]byte{22, 3, 1, 0, 1, 3},
@@ -229,6 +223,12 @@ func TestHandshakeRecord(t *testing.T) {
 			nil,
 			0,
 		},
+		{
+			// Obsolete SSL 3.0
+			[]byte{22, 3, 0, 0, 1, 3},
+			nil,
+			0,
+		},
 	}
 
 	for _, test := range tests {
@@ -308,13 +308,7 @@ func TestParseHello(t *testing.T) {
 			true,
 		},
 		{
-			// First valid packet. SSL 3.0, no extensions present.
-			packet([]byte{1, 0, 0, 73, 3, 0}, slice(32), []byte{32}, slice(32), []byte{0, 2, 1, 2, 1, 0}),
-			nil,
-			false,
-		},
-		{
-			// TLS 1.0, no extensions present.
+			// First valid packet. TLS 1.0, no extensions present.
 			packet([]byte{1, 0, 0, 73, 3, 1}, slice(32), []byte{32}, slice(32), []byte{0, 2, 1, 2, 1, 0}),
 			nil,
 			false,

Original file line number	Diff line number	Diff line change
`@@ -105,8 +105,8 @@ func parseHello(b []byte) ([]byte, error) {`
`105`	`105`	`return nil, fmt.Errorf("ClientHello has unsupported version %d.%d", b[0], b[1])`
`106`	`106`	`}`
`107`	`107`	`switch b[1] {`
`108`		`- case 0, 1, 2, 3:`
`109`		`- // SSL 3, TLS 1.0, TLS 1.1, TLS 1.2`
	`108`	`+ case 1, 2, 3:`
	`109`	`+ // TLS 1.0, TLS 1.1, TLS 1.2`
`110`	`110`	`default:`
`111`	`111`	`return nil, fmt.Errorf("TLS record has unsupported version %d.%d", b[0], b[1])`
`112`	`112`	`}`
`@@ -199,8 +199,8 @@ func handshakeRecord(r io.Reader) ([]byte, int, error) {`
`199`	`199`	`return nil, 0, fmt.Errorf("TLS record has unsupported version %d.%d", hdr.Major, hdr.Minor)`
`200`	`200`	`}`
`201`	`201`	`switch hdr.Minor {`
`202`		`- case 0, 1, 2, 3:`
`203`		`- // SSL 3, TLS 1.0, TLS 1.1, TLS 1.2`
	`202`	`+ case 1, 2, 3:`
	`203`	`+ // TLS 1.0, TLS 1.1, TLS 1.2`
`204`	`204`	`default:`
`205`	`205`	`return nil, 0, fmt.Errorf("TLS record has unsupported version %d.%d", hdr.Major, hdr.Minor)`
`206`	`206`	`}`