- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: go-security/tls-cipher
Language: Go
Severity: Warning
Category: Security
CWE: 327
The use of these cipher suites can expose your application to security vulnerabilities.
tls.TLS_RSA_WITH_AES_128_CBC_SHA256
: This cipher suite uses the RSA key exchange algorithm, AES-128 in CBC mode for encryption, and SHA-256 for message authentication. It is considered weak and deprecated because it relies on RSA key exchange, which has known vulnerabilities. Consider using cipher suites based on the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) algorithm instead.tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
: This cipher suite uses the ECDHE algorithm with ECDSA for key exchange, AES-128 in CBC mode for encryption, and SHA-256 for message authentication. However, it is also considered weak because of its reliance on CBC mode, which has known vulnerabilities. It is recommended to use cipher suites with GCM (Galois/Counter Mode) mode for better security.tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
: This cipher suite uses the ECDHE algorithm for key exchange, RSA for authentication, and 3DES in CBC mode for encryption. It is deprecated due to the use of 3DES, which is considered a weak encryption algorithm. It is advisable to use cipher suites that employ AES instead.tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA
and tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
: Both of these cipher suites use the ECDHE algorithm for key exchange, RSA/ECDSA for authentication, and RC4-128 for encryption. RC4 is considered a weak encryption algorithm due to several vulnerabilities. It is recommended to use more secure symmetric encryption algorithms such as AES.tls.TLS_RSA_WITH_AES_128_CBC_SHA256
, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA
, and tls.TLS_RSA_WITH_RC4_128_SHA
: These cipher suites use the RSA key exchange algorithm, but they also have weaknesses. They rely on RSA for key exchange and various encryption algorithms with SHA for message authentication. It is better to use cipher suites with ECDHE instead of RSA for key exchange and prefer AES-GCM-based encryption algorithms for better security.To ensure secure communication in your Go applications, you should use modern and strong cipher suites that provide forward secrecy, secure key exchange, and authenticated encryption algorithms. Avoid using the deprecated and weak cipher suites mentioned above and refer to Go’s crypto/tls
documentation for the recommended cipher suites to use in your specific application.
import (
"crypto/tls"
"fmt"
"net/http"
)
func main() {
http := &http.Transport{
TLSClientConfig: &tls.Config{CipherSuites: []uint16{
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
}},
}
}
import (
"crypto/tls"
"fmt"
"net/http"
)
func main() {
http := &http.Transport{
TLSClientConfig: &tls.Config{CipherSuites: []uint16{
tls.TLS_AES_128_GCM_SHA256,
tls.TLS_AES_256_GCM_SHA384,
}},
}
}