From fceb8d9edfa60d66a0e09c6469812b431a2798bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Fri, 8 Aug 2025 16:23:01 +0200
Subject: [PATCH] Losen the dependency on go-connections/tlsconfig
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As of go-connections 0.6.0, there is no difference between "server" and "client" configuration; so, take this opportunity to switch from "server" defaults in client contexts, which were used for an unknown reason. Also, don't use the whole tlsconfig.ClientDefault(), to _slightly_ move into the direction of using the Go built-in defaults, and to get a _bit_ closer to getting out of the business of managing TLS policy. Should not change behavior (but the update from go-connections 0.5.0 to 0.6.0 did change the list of accepted TLS 1.2 cipher suites).

Signed-off-by: Miloslav Trmač
---
 add.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/add.go b/add.go
index 59290e92d..030865909 100644
--- a/add.go
+++ b/add.go
@@ -144,7 +144,12 @@ func getURL(src string, chown *idtools.IDPair, mountpoint, renameTarget string,
 return err
 }
 tlsClientConfig := &tls.Config{
- CipherSuites: tlsconfig.DefaultServerAcceptedCiphers,
+ // As of 2025-08, tlsconfig.ClientDefault() differs from Go 1.23 defaults only in CipherSuites;
+ // so, limit us to only using that value. If go-connections/tlsconfig changes its policy, we
+ // will want to consider that and make a decision whether to follow suit.
+ // There is some chance that eventually the Go default will be to require TLS 1.3, and that point
+ // we might want to drop the dependency on go-connections entirely.
+ CipherSuites: tlsconfig.ClientDefault().CipherSuites,
 }
 if err := tlsclientconfig.SetupCertificates(certPath, tlsClientConfig); err != nil {
 return err
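Review bot: The tls.Config literal now pins CipherSuites explicitly but leaves MinVersion to the toolchain default, so the effective TLS policy for this client is split between this file and whichever Go version builds it; since the new comment already anchors the choice to Go 1.23 defaults, stating the floor in the same place with `MinVersion: tls.VersionTLS12,` next to the CipherSuites line keeps the policy readable in one spot (this should be a no-op today, as Go's client default minimum is already TLS 1.2). It is also worth adding a clause to the new comment saying that Go applies CipherSuites only to TLS 1.2 handshakes, so a reader does not expect this list to constrain TLS 1.3 connections. Calling tlsconfig.ClientDefault() builds a whole config just to read one field, which is fine here but means any other policy that helper sets (e.g. MinVersion) is silently discarded, which the comment could say explicitly. getURL begins and ends outside the hunk.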