I am using the latest spacemonkeygo/openssl as of today. My code is as follows:
cfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
ClientAuth: clientAuth,
ClientCAs: clientCertPool,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
}
cfg.Rand = rand.Reader
srv := &http.Server{
Addr: ":" + httpsPort,
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
// some proprietary stuff
handler.ServeHTTP(w, req)
}),
TLSConfig: cfg,
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
}
log.Fatal(openssl.ServerListenAndServeTLS(srv, certFile, pkeyFile))
As you can see, MinVersion is set to TLS 1.2 and I also specified a narrow set of CipherSuites. However, sslscan shows that TLS1.0-1.2 are all accepted:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 128 bits SEED-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Accepted TLSv1.2 128 bits RC4-SHA
Accepted TLSv1.2 128 bits RC4-MD5
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 128 bits SEED-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Accepted TLSv1.1 128 bits RC4-SHA
Accepted TLSv1.1 128 bits RC4-MD5
Accepted TLSv1.1 112 bits DES-CBC3-SHA
Preferred TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 256 bits CAMELLIA256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 128 bits SEED-SHA
Accepted TLSv1.0 128 bits CAMELLIA128-SHA
Accepted TLSv1.0 128 bits RC4-SHA
Accepted TLSv1.0 128 bits RC4-MD5
Accepted TLSv1.0 112 bits DES-CBC3-SHA
I have further verified that calling srv.ListenAndServeTLS(certFile, pkeyFile) instead works as expected and only TLS 1.2 ciphers are returned:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-521 DHE 521
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA
FYI I need to use spacemonkeygo openssl pkg as I need FIPS mode support.