I spent some time going over golang and educated myself on its TLS. This “bug report” was particularly enlightening. I understand Syncthing a bit better now.
I’m going to respond out of order a bit…
This is a good principle and one I wholeheartedly agree with. It’s just not being applied here.
The shift you are speaking of has been driven by two things. First, by poor implementations of large crypto libraries supporting large standards. I say poor, but really it’s driven by the natural law (basically of entropy) that states the larger the library, the more likely there is to have a security-affecting bug somewhere.
The second driver is the fact that some standards are overlarge, have been made by standards bodies that have had suspect motives and/or were not fully competent, and have been very slow to react to the cryptographic realities in the wild. They therefore contain primitives that are at best suspect.
Wireguard, who is the poster child for that principle of “Have one joint and keep it well oiled”, started as a 1:1 protocol (one source of client talking to one source of server, or in this case, one source of client/server). They weren’t trying to leverage into an existing many:many and interoperate with existing clients or servers, so they had the luxury of doing it exactly the right way. They selected cryptographic primitives which are above reproach in their design, security, and openness. They implemented them in small, tight code, which is easily vetted. I have nothing but good things to say about Wireguard.
It is applying…
…100% properly.
go TLS is not one joint
Go TLS is not one joint because TLS is not one joint. TLS is itself the poster child for both drivers I mention above. It is large, over complex, and it includes (even 1.3) suspect primitives. The go TLS maintainers indicate they will not allow crypto selectability because they state “All supported cipher suites are safe”. But if they are all safe, then selectability isn’t an issue, is it? They say they will keep you safe by making all the decisions for you. And they state that if one of their decisions turns out to be bad, they will just patch it.
Of course, for Syncthing this means that if a bug in go TLS is found, or if one of their primitives turns out to be weak, or one of their decisions turns out to be suboptimal, then it has to be reported, go TLS has to patch it, Syncthing has to recompile, then it has to be disted out. Which is no mean problem in the case of Linux distros.
Is there any other SSL implementation that bars crypto suite selection? OpenSSL and wolfSSL both allow it.
go TLS is not well oiled
That was an oh my God moment. There have been constant time software techniques and implementations of AES for over a decade. For both main methods (table lookup and straight calculation). Good ones which are as well optimized as constant-time can be.
I don’t see why. All I have to say is I’m really happy for ST’s untrusted feature now, because it is using hard-coded chacha20, and I hope it gets extended to include untrusted connections.