I feel like this answers one particular possible endgoal rather than a problem.
The problem in this case being, the user not being able to specify and guarantee a cipher list.
If there's a good reason for not allowing it, it should be spelled out for dummies(like me). And left at that. If there's not a good reason, perhaps it should be considered.
Both the bug report and reply here instead argue about TLS fingerprinting, which while was brought up in the bug report, is not explicitly what's being reported as the problem.
The cipher list being out of the hands of the user is following a modern best practice in security API design: remove configuration at both protocol level (where possible), and from the end user, as they present constant sources of security problems.
For TLS in particular, to provide a safe, known secure set of defaults that the language can change with shifting guidance as cipher suites rotate in and out or are blacklisted for problems is necessary to meet the goals of usability without sacrificing on security. Adding user configuration is introducing a footgun, a place where the user can break the security properties of the system. In addition to not being free to implement, maintaining that configuration option, and then explaining how exposing it isn't a vulnerability everytime someone misconfigures their system and breaks TLS is undesirable and has the potential to give golang's crypto packages a bad name.
Note that nowhere was there a hard no, we'll never implement this, but so far, the use case for needing it is fingerprint bypassing, and that doesn't outweigh the general concerns.
If server blacklists your TLS fingerprint, you can no longer use that server with that client. Only workaround would be a client that can configure its own fingerprint. What you're saying is akin to "let remove the clients ability to set HTTP headers". IE its just nonsense. If server rejects every request because of clients TLS configuration, and client has no agency over that configuration, then the client has no usability.
> Note that nowhere was there a hard no, we'll never implement this
I would say the maintainer closing the issue, is a pretty clear signal for that:
The issue was closed for bypassing fingerprinting, a use case that the maintainers feel is not a valid precursor to this feature. Again, that isn’t a no to the feature under any circumstance, just a statement that this use case is insufficient.
More generally, if a server wants to fingerprint you, there are a variety of additional fields and changes that will flow from that as it’s an arms race, one that this libraries authors are not inclined to keep adding features and configuration for them. There exist other libraries for this purpose, some linked in the discussion. So no, it’s not like saying you can’t set your own HTTP headers at all, more akin to saying that if your needs fall outside the 99% use case you may need to go elsewhere.
> The issue was closed for bypassing fingerprinting, a use case that the maintainers feel is not a valid precursor to this feature. Again, that isn’t a no to the feature under any circumstance, just a statement that this use case is insufficient.
I implore you to open a new issue then, under the guise of your valid use case. I am sure that it will stay open, and that it will not be closed as a duplicate /s
The problem in this case being, the user not being able to specify and guarantee a cipher list.
If there's a good reason for not allowing it, it should be spelled out for dummies(like me). And left at that. If there's not a good reason, perhaps it should be considered.
Both the bug report and reply here instead argue about TLS fingerprinting, which while was brought up in the bug report, is not explicitly what's being reported as the problem.