tris: import go wrapper and interoperability tests
This commit is contained in:
父節點
26a95ba46a
當前提交
6e85ff94f0
42
.travis.yml
Normal file
42
.travis.yml
Normal file
@ -0,0 +1,42 @@
|
||||
sudo: required
|
||||
language: go
|
||||
|
||||
services:
|
||||
- docker
|
||||
|
||||
go:
|
||||
- 1.7
|
||||
|
||||
env:
|
||||
- MODE=gotest
|
||||
- MODE=interop CLIENT=boring
|
||||
- MODE=interop CLIENT=boring REVISION=origin/master
|
||||
- MODE=interop CLIENT=bogo
|
||||
- MODE=interop CLIENT=bogo REVISION=origin/master
|
||||
- MODE=interop CLIENT=tstclnt
|
||||
- MODE=interop CLIENT=tstclnt REVISION=default
|
||||
- MODE=interop CLIENT=mint
|
||||
|
||||
matrix:
|
||||
fast_finish: true
|
||||
allow_failures:
|
||||
- env: MODE=interop CLIENT=bogo REVISION=origin/master
|
||||
- env: MODE=interop CLIENT=boring REVISION=origin/master
|
||||
- env: MODE=interop CLIENT=tstclnt REVISION=default
|
||||
|
||||
install:
|
||||
- if [ "$MODE" = "interop" ]; then ./_dev/tris-localserver/start.sh -d && docker ps -a; fi
|
||||
- if [ "$MODE" = "interop" ]; then ./_dev/interop.sh INSTALL $CLIENT $REVISION; fi
|
||||
|
||||
script:
|
||||
- if [ "$MODE" = "interop" ]; then ./_dev/interop.sh RUN $CLIENT 443; fi # ECDSA
|
||||
- if [ "$MODE" = "interop" ]; then ./_dev/interop.sh RUN $CLIENT 4443; fi # RSA
|
||||
- if [ "$MODE" = "gotest" ]; then ./_dev/go.sh test crypto/tls; fi
|
||||
|
||||
after_script:
|
||||
- if [ "$MODE" = "interop" ]; then docker ps -a; docker logs tris-localserver; fi
|
||||
|
||||
cache:
|
||||
directories:
|
||||
- _dev/GOROOT
|
||||
- _dev/go
|
77
README.md
Normal file
77
README.md
Normal file
@ -0,0 +1,77 @@
|
||||
```
|
||||
_____ _ ____ _ _
|
||||
|_ _| | / ___| | |_ _ __(_)___
|
||||
| | | | \___ \ _____| __| '__| / __|
|
||||
| | | |___ ___) |_____| |_| | | \__ \
|
||||
|_| |_____|____/ \__|_| |_|___/
|
||||
|
||||
```
|
||||
|
||||
crypto/tls, now with 100% more 1.3.
|
||||
|
||||
DO NOT USE THIS FOR THE SAKE OF EVERYTHING THAT'S GOOD AND JUST.
|
||||
|
||||
[![Build Status](https://travis-ci.org/cloudflare/tls-tris.svg?branch=master)](https://travis-ci.org/cloudflare/tls-tris)
|
||||
|
||||
## Usage
|
||||
|
||||
Since `crypto/tls` is very deeply (and not that elegantly) coupled with the Go stdlib,
|
||||
tls-tris shouldn't be used as an external package. It is also impossible to vendor it
|
||||
as `crypto/tls` because stdlib packages would import the standard one and mismatch.
|
||||
|
||||
So, to build with tls-tris, you need to use a custom GOROOT.
|
||||
A script is provided that will take care of it for you: `./_dev/go.sh`.
|
||||
Just use that instead of the `go` tool.
|
||||
|
||||
The script also transparently fetches the custom Cloudflare Go compiler with the required backports.
|
||||
|
||||
```
|
||||
./_dev/go.sh build ./_dev/tris-localserver
|
||||
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443
|
||||
```
|
||||
|
||||
## Debugging
|
||||
|
||||
When the environment variable `TLSDEBUG` is set to `error`, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs.
|
||||
|
||||
## Building Caddy
|
||||
|
||||
```
|
||||
./_dev/go.sh build github.com/mholt/caddy
|
||||
```
|
||||
|
||||
*Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at `_dev/caddy/caddy.patch`.*
|
||||
|
||||
## Testing with Firefox
|
||||
|
||||
1. Download the latest Firefox Nightly
|
||||
1. Navigate to about:config and set `security.tls.version.max` to `4`
|
||||
1. Connect to https://tris.filippo.io/ or tris-localserver
|
||||
|
||||
## Testing with BoringSSL/BoGo/NSS/Mint
|
||||
|
||||
```
|
||||
./_dev/tris-localserver/start.sh --rm
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:boring _dev/boring
|
||||
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:bogo _dev/bogo
|
||||
docker run -i --rm tls-tris:bogo $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:tstclnt _dev/tstclnt
|
||||
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:mint _dev/mint
|
||||
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
To build a specific revision, use `--build-arg REVISION=abcdef1234`.
|
4
_dev/.gitignore
vendored
Normal file
4
_dev/.gitignore
vendored
Normal file
@ -0,0 +1,4 @@
|
||||
/GOROOT
|
||||
/go
|
||||
/tris-localserver/tris-localserver
|
||||
/caddy/caddy
|
38
_dev/Makefile
Normal file
38
_dev/Makefile
Normal file
@ -0,0 +1,38 @@
|
||||
GO ?= go
|
||||
GOENV := $(shell $(GO) env GOOS)_$(shell $(GO) env GOARCH)
|
||||
GOROOTINFO := $(shell $(GO) version | cut -d' ' -f 3)_$(GOENV)
|
||||
|
||||
.PHONY: GOROOT
|
||||
GOROOT: GOROOT/$(GOENV)/.ok_$(GOROOTINFO)
|
||||
@rm -f GOROOT/$(GOENV)/pkg/*/crypto/tls.a
|
||||
|
||||
GOROOT/$(GOENV)/.ok_$(GOROOTINFO):
|
||||
rm -rf GOROOT/$(GOENV)
|
||||
mkdir -p GOROOT/$(GOENV)/pkg
|
||||
cp -r "$(shell $(GO) env GOROOT)/src" GOROOT/$(GOENV)/src
|
||||
cp -r "$(shell $(GO) env GOROOT)/pkg/include" GOROOT/$(GOENV)/pkg/include
|
||||
cp -r "$(shell $(GO) env GOROOT)/pkg/tool" GOROOT/$(GOENV)/pkg/tool
|
||||
rm -r GOROOT/$(GOENV)/src/crypto/tls
|
||||
ln -s ../../../../.. GOROOT/$(GOENV)/src/crypto/tls
|
||||
GOROOT="$(CURDIR)/GOROOT/$(GOENV)" $(GO) install -v std
|
||||
ifeq ($(shell go env CGO_ENABLED),1)
|
||||
GOROOT="$(CURDIR)/GOROOT/$(GOENV)" $(GO) install -race -v std
|
||||
endif
|
||||
@touch "$@"
|
||||
|
||||
GO_COMMIT := 5782050a487e002acfd14a3f4c2c815c7854928c
|
||||
|
||||
.PHONY: go
|
||||
go: go/.ok_$(GO_COMMIT)_$(GOENV)
|
||||
|
||||
go/.ok_$(GO_COMMIT)_$(GOENV):
|
||||
rm -rf go/.ok_*_$(GOENV) go/$(GOENV)
|
||||
mkdir -p go
|
||||
git clone --branch 1.7.3 --single-branch --depth 25 https://github.com/cloudflare/go go/$(GOENV)
|
||||
cd go/$(GOENV) && git checkout $(GO_COMMIT)
|
||||
cd go/$(GOENV)/src && GOROOT_BOOTSTRAP="$(shell $(GO) env GOROOT)" ./make.bash
|
||||
@touch "$@"
|
||||
|
||||
.PHONY: clean
|
||||
clean:
|
||||
rm -rf GOROOT go
|
25
_dev/bogo/Dockerfile
Normal file
25
_dev/bogo/Dockerfile
Normal file
@ -0,0 +1,25 @@
|
||||
FROM alpine
|
||||
|
||||
RUN apk add --update \
|
||||
git \
|
||||
cmake \
|
||||
perl \
|
||||
python \
|
||||
build-base \
|
||||
go \
|
||||
ninja \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
|
||||
RUN git clone https://boringssl.googlesource.com/boringssl
|
||||
|
||||
# see _dev/boring for REVISION info
|
||||
ARG REVISION=9b885c5
|
||||
|
||||
RUN cd boringssl && git fetch
|
||||
RUN cd boringssl && git checkout $REVISION
|
||||
|
||||
ADD bogo-client.go /bogo-client.go
|
||||
RUN go build /bogo-client.go
|
||||
|
||||
ADD run.sh /run.sh
|
||||
ENTRYPOINT ["/run.sh"]
|
28
_dev/bogo/bogo-client.go
Normal file
28
_dev/bogo/bogo-client.go
Normal file
@ -0,0 +1,28 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
"./boringssl/ssl/test/runner"
|
||||
)
|
||||
|
||||
func main() {
|
||||
tr := &http.Transport{
|
||||
DialTLS: func(network, addr string) (net.Conn, error) {
|
||||
return runner.Dial(network, addr, &runner.Config{
|
||||
InsecureSkipVerify: true,
|
||||
})
|
||||
},
|
||||
}
|
||||
client := &http.Client{Transport: tr}
|
||||
resp, err := client.Get("https://" + os.Args[1])
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
if err := resp.Write(os.Stdout); err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
3
_dev/bogo/run.sh
Executable file
3
_dev/bogo/run.sh
Executable file
@ -0,0 +1,3 @@
|
||||
#! /bin/sh
|
||||
|
||||
exec /bogo-client "$@"
|
47
_dev/boring/Dockerfile
Normal file
47
_dev/boring/Dockerfile
Normal file
@ -0,0 +1,47 @@
|
||||
FROM alpine
|
||||
|
||||
RUN apk add --update \
|
||||
git \
|
||||
cmake \
|
||||
perl \
|
||||
python \
|
||||
build-base \
|
||||
go \
|
||||
ninja \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
|
||||
RUN git clone https://boringssl.googlesource.com/boringssl
|
||||
RUN mkdir boringssl/build
|
||||
RUN cd boringssl/build && cmake -GNinja ..
|
||||
RUN cd boringssl && ninja -C build
|
||||
|
||||
# Draft 14
|
||||
# ARG REVISION=88536c3
|
||||
|
||||
# Draft 15
|
||||
# RUN cd boringssl && git fetch https://boringssl.googlesource.com/boringssl refs/changes/40/10840/18:draft15
|
||||
# ARG REVISION=cae930d
|
||||
|
||||
# Draft "14.25" (sigalg renumbering)
|
||||
# ARG REVISION=af56fbd
|
||||
|
||||
# Draft "14.25" w/ x25519 only
|
||||
# ARG REVISION=c8b6b4f
|
||||
|
||||
# Draft "14.5" (sigalg, x25519, version ext)
|
||||
# ARG REVISION=54afdab
|
||||
|
||||
# Draft 16
|
||||
# ARG REVISION=89917a5
|
||||
|
||||
# Draft 18
|
||||
ARG REVISION=9b885c5
|
||||
|
||||
RUN cd boringssl && git fetch
|
||||
RUN cd boringssl && git checkout $REVISION
|
||||
RUN cd boringssl/build && cmake -GNinja ..
|
||||
RUN cd boringssl && ninja -C build
|
||||
|
||||
ADD httpreq.txt /httpreq.txt
|
||||
ADD run.sh /run.sh
|
||||
ENTRYPOINT ["/run.sh"]
|
5
_dev/boring/httpreq.txt
Normal file
5
_dev/boring/httpreq.txt
Normal file
@ -0,0 +1,5 @@
|
||||
GET / HTTP/1.1
|
||||
Host: example.com
|
||||
Connection: close
|
||||
|
||||
|
3
_dev/boring/run.sh
Executable file
3
_dev/boring/run.sh
Executable file
@ -0,0 +1,3 @@
|
||||
#! /bin/sh
|
||||
|
||||
exec /boringssl/build/tool/bssl s_client -min-version tls1.3 -max-version tls1.3 -connect "$@" < /httpreq.txt
|
12
_dev/caddy/Caddyfile
Normal file
12
_dev/caddy/Caddyfile
Normal file
@ -0,0 +1,12 @@
|
||||
tris.filippo.io {
|
||||
tls bip@filippo.io
|
||||
gzip
|
||||
log stdout
|
||||
proxy / https://blog.filippo.io
|
||||
}
|
||||
|
||||
cf.tris.filippo.io {
|
||||
tls bip@filippo.io
|
||||
log stdout
|
||||
proxy / https://blog.cloudflare.com
|
||||
}
|
18
_dev/caddy/Dockerfile
Normal file
18
_dev/caddy/Dockerfile
Normal file
@ -0,0 +1,18 @@
|
||||
FROM scratch
|
||||
|
||||
# docker create -v /root/.caddy --name caddy-data caddy /bin/true
|
||||
# docker run -d --restart always --volumes-from caddy-data -p 80:80 -p 443:443 caddy
|
||||
|
||||
# go get -d -v github.com/mholt/caddy/caddy
|
||||
# GOOS=linux ../go.sh build -v -i github.com/mholt/caddy/caddy
|
||||
ADD caddy caddy
|
||||
ADD Caddyfile Caddyfile
|
||||
ADD https://mkcert.org/generate/ /etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
EXPOSE 80
|
||||
EXPOSE 443
|
||||
|
||||
ENV TLSDEBUG error
|
||||
ENV HOME /root/
|
||||
|
||||
CMD [ "/caddy" ]
|
56
_dev/caddy/caddy.patch
Normal file
56
_dev/caddy/caddy.patch
Normal file
@ -0,0 +1,56 @@
|
||||
diff --git a/caddytls/config.go b/caddytls/config.go
|
||||
index 91c7451..c3e87d5 100644
|
||||
--- a/caddytls/config.go
|
||||
+++ b/caddytls/config.go
|
||||
@@ -241,6 +241,7 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) {
|
||||
if i > 0 && cfg.PreferServerCipherSuites != configs[i-1].PreferServerCipherSuites {
|
||||
return nil, fmt.Errorf("cannot both use PreferServerCipherSuites and not use it")
|
||||
}
|
||||
+ config.PreferServerCipherSuites = cfg.PreferServerCipherSuites
|
||||
|
||||
// Go with the widest range of protocol versions
|
||||
if cfg.ProtocolMinVersion < config.MinVersion {
|
||||
@@ -335,7 +336,7 @@ func SetDefaultTLSParams(config *Config) {
|
||||
config.ProtocolMinVersion = tls.VersionTLS11
|
||||
}
|
||||
if config.ProtocolMaxVersion == 0 {
|
||||
- config.ProtocolMaxVersion = tls.VersionTLS12
|
||||
+ config.ProtocolMaxVersion = tls.VersionTLS13
|
||||
}
|
||||
|
||||
// Prefer server cipher suites
|
||||
@@ -357,6 +358,7 @@ var supportedProtocols = map[string]uint16{
|
||||
"tls1.0": tls.VersionTLS10,
|
||||
"tls1.1": tls.VersionTLS11,
|
||||
"tls1.2": tls.VersionTLS12,
|
||||
+ "tls1.3": tls.VersionTLS13,
|
||||
}
|
||||
|
||||
// Map of supported ciphers, used only for parsing config.
|
||||
@@ -370,6 +372,8 @@ var supportedProtocols = map[string]uint16{
|
||||
//
|
||||
// This map, like any map, is NOT ORDERED. Do not range over this map.
|
||||
var supportedCiphersMap = map[string]uint16{
|
||||
+ "ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
+ "ECDHE-RSA-CHACHA20-POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
"ECDHE-RSA-AES256-GCM-SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
"ECDHE-RSA-AES128-GCM-SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
@@ -391,6 +395,8 @@ var supportedCiphersMap = map[string]uint16{
|
||||
// Note that TLS_FALLBACK_SCSV is not in this list since it is always
|
||||
// added manually.
|
||||
var supportedCiphers = []uint16{
|
||||
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
@@ -407,6 +413,8 @@ var supportedCiphers = []uint16{
|
||||
|
||||
// List of all the ciphers we want to use by default
|
||||
var defaultCiphers = []uint16{
|
||||
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
13
_dev/go.sh
Executable file
13
_dev/go.sh
Executable file
@ -0,0 +1,13 @@
|
||||
#!/usr/bin/env bash
|
||||
set -e
|
||||
|
||||
BASEDIR=$(cd "$(dirname "$0")" && pwd)
|
||||
|
||||
make --quiet -C "$BASEDIR" go >&2
|
||||
GOENV="$(go env GOOS)_$(go env GOARCH)"
|
||||
|
||||
unset GOROOT
|
||||
make --quiet -C "$BASEDIR" GOROOT GO="$BASEDIR/go/$GOENV/bin/go" >&2
|
||||
export GOROOT="$BASEDIR/GOROOT/$GOENV"
|
||||
|
||||
exec $BASEDIR/go/$GOENV/bin/go "$@"
|
17
_dev/interop.sh
Executable file
17
_dev/interop.sh
Executable file
@ -0,0 +1,17 @@
|
||||
#!/usr/bin/env bash
|
||||
set -xeuo pipefail
|
||||
|
||||
if [ "$1" = "INSTALL" ]; then
|
||||
if [ -n "${3:-}" ]; then
|
||||
REVISION="--build-arg REVISION=$3"
|
||||
else
|
||||
REVISION=""
|
||||
fi
|
||||
docker build $REVISION -t tls-tris:$2 _dev/$2
|
||||
|
||||
elif [ "$1" = "RUN" ]; then
|
||||
IP=$(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver)
|
||||
docker run -i --rm tls-tris:$2 $IP:$3 | tee output.txt
|
||||
grep "Hello TLS 1.3" output.txt
|
||||
|
||||
fi
|
21
_dev/mint/Dockerfile
Normal file
21
_dev/mint/Dockerfile
Normal file
@ -0,0 +1,21 @@
|
||||
FROM golang:1.7-alpine
|
||||
|
||||
RUN apk add --update \
|
||||
git \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
|
||||
RUN go get github.com/bifurcation/mint
|
||||
|
||||
# Draft 18
|
||||
ARG REVISION=271abd1
|
||||
|
||||
RUN cd /go/src/github.com/bifurcation/mint && git fetch
|
||||
RUN cd /go/src/github.com/bifurcation/mint && git checkout $REVISION
|
||||
|
||||
ADD mint-client.go /mint-client.go
|
||||
RUN GOBIN=/ go install /mint-client.go
|
||||
|
||||
ENV MINT_LOG=*
|
||||
|
||||
ADD run.sh /run.sh
|
||||
ENTRYPOINT ["/run.sh"]
|
26
_dev/mint/mint-client.go
Normal file
26
_dev/mint/mint-client.go
Normal file
@ -0,0 +1,26 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
"github.com/bifurcation/mint"
|
||||
)
|
||||
|
||||
func main() {
|
||||
tr := &http.Transport{
|
||||
DialTLS: func(network, addr string) (net.Conn, error) {
|
||||
return mint.Dial(network, addr, nil)
|
||||
},
|
||||
}
|
||||
client := &http.Client{Transport: tr}
|
||||
resp, err := client.Get("https://" + os.Args[1])
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
if err := resp.Write(os.Stdout); err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
3
_dev/mint/run.sh
Executable file
3
_dev/mint/run.sh
Executable file
@ -0,0 +1,3 @@
|
||||
#! /bin/sh
|
||||
|
||||
exec /mint-client "$@"
|
10
_dev/tris-localserver/Dockerfile
Normal file
10
_dev/tris-localserver/Dockerfile
Normal file
@ -0,0 +1,10 @@
|
||||
FROM scratch
|
||||
|
||||
# GOOS=linux ../go.sh build -v -i .
|
||||
ADD tris-localserver ./
|
||||
|
||||
ENV TLSDEBUG error
|
||||
|
||||
EXPOSE 443
|
||||
EXPOSE 4443
|
||||
CMD [ "./tris-localserver", "0.0.0.0:443", "0.0.0.0:4443" ]
|
124
_dev/tris-localserver/server.go
Normal file
124
_dev/tris-localserver/server.go
Normal file
@ -0,0 +1,124 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
)
|
||||
|
||||
var tlsVersionToName = map[uint16]string{
|
||||
tls.VersionTLS10: "1.0",
|
||||
tls.VersionTLS11: "1.1",
|
||||
tls.VersionTLS12: "1.2",
|
||||
tls.VersionTLS13: "1.3",
|
||||
0x7f00 | 16: "1.3 (draft 16)",
|
||||
0x7f00 | 18: "1.3 (draft 18)",
|
||||
}
|
||||
|
||||
func main() {
|
||||
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "<!DOCTYPE html><p>Hello TLS %s _o/\n", tlsVersionToName[r.TLS.Version])
|
||||
})
|
||||
|
||||
http.HandleFunc("/ch", func(w http.ResponseWriter, r *http.Request) {
|
||||
r.Header.Set("Content-Type", "text/plain")
|
||||
fmt.Fprintf(w, "Client Hello packet (%d bytes):\n%s", len(r.TLS.ClientHello), hex.Dump(r.TLS.ClientHello))
|
||||
})
|
||||
|
||||
go func() {
|
||||
if len(os.Args) < 3 {
|
||||
return
|
||||
}
|
||||
cert, err := tls.X509KeyPair([]byte(rsaCert), []byte(rsaKey))
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
s := &http.Server{
|
||||
Addr: os.Args[2],
|
||||
TLSConfig: &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
PreferServerCipherSuites: true,
|
||||
},
|
||||
}
|
||||
log.Fatal(s.ListenAndServeTLS("", ""))
|
||||
}()
|
||||
|
||||
cert, err := tls.X509KeyPair([]byte(ecdsaCert), []byte(ecdsaKey))
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
s := &http.Server{
|
||||
Addr: os.Args[1],
|
||||
TLSConfig: &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
PreferServerCipherSuites: true,
|
||||
},
|
||||
}
|
||||
log.Fatal(s.ListenAndServeTLS("", ""))
|
||||
}
|
||||
|
||||
const (
|
||||
rsaKey = `-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEA1DHcIM3SThFqy8nAkPQFX0E7ph8jqh8EATXryjKHGuVjR3Xh
|
||||
OQ0BSPoJxyfdg/VEwevFrtmZAfz0WCbxvP2SVCmf7oobg4V2KPSo3nNt9vlBFUne
|
||||
RtIyHRQ8YRnGSWaRHzJbX6ffltnG2aD+8qUfk161rdZgxBA9G0Ga47IkwQhT2Hqu
|
||||
H3dW2Uu4W2WMyt6gX/tdyEAV57MOPcoceknr7Nb2kfiuDPR7h6wFrW3I6eoj8oX2
|
||||
SkIOuVNt1Z31BAUcPJDUjqopI0o9tolM/7X13M8dEY0OJQVr7FQYDF9JeSYeEMyb
|
||||
wizjBaHDm48mSghP1o5UssQBbNNC83btXCjiLQIDAQABAoIBACzvGgRAUYaCnbDl
|
||||
2kdXxUN0luMIuQ6vXrO67WF17bI+XRWm2riwDlObzzJDON9Wsua1vLjYD1SickOw
|
||||
i4RP1grIfbuPt1/UhT8LAC+LFgA0rBmL+OvaWw5ZWKffQ2QLujN3AG5zKB/Tog43
|
||||
z4UmfldAuQxE11zta2M4M0qAUNQnQj1oiuI8RUdG0VvvLw8Htdi1ogH0CI5R669z
|
||||
NjHt+JV+2gzKx6EX0s8mQL3yXGkC2xXItRbFclyCMJEhPS7QbBu+tru35N6WpzAq
|
||||
BCl2Q7LQogvSA6MXuMOx6CyuExVfgmhbfeoheLE8gmXwl0Y37n/g6ZBZFAtpCjcs
|
||||
UckPv0ECgYEA1orl7RwgIsZljMap6vWtMGoRIHKmT91DGpMmkh4suZe+yAk85maU
|
||||
49Vd+8ZfIN41AH37yrsGOcPHgz5o5QufELpoub6DCsQ7u9F1vQp55cp+qyBWzAgz
|
||||
b/xUuVnIyv3kLan3fpk7ZGCBXFBpLG0QXMFOHtda3Mlk5SmuoEYaYRkCgYEA/TLR
|
||||
u4neKqyqwsqMuRJGC1iKFVmfCjZeNMtPNbTWpdqez/vvT8APnEpIumUGt8YROLGZ
|
||||
8biUr5/ViOkmaP3wmQbO9m2/cE01lMTYv75w1cw2KVQe6kAHJkOx+JEx9xg53RJ/
|
||||
QlFtG5MQUy2599Gxp8BMGaXLH5yo4qwvNvY6CDUCgYEArxr7AwX7rKZlZ/sV4HHY
|
||||
gzVu+R7aY0DibiRATO5X7rrNuhLgI+UCDNqvNLn6FqeGdvpcsmDneeozQwmDL77G
|
||||
ey7KHyBBcF4tquQQxtRwHX+i1yUz8p+W7AX1WLrRSezjeenJ2QhUE1849hGjZeE2
|
||||
g546lq2Kub2enfPhVWsiSLECgYEA72T5QCPeVuLioUH5Q5Kvf1K7W+xcnr9A2xHP
|
||||
Vqwgtre5qFQ/tFuXZuIlWXbjnyY6aiwhrZYjntm0f7pRgrt2nHj/fafOdVPK8Voc
|
||||
xU4+SSbHntPWVw0qtVcUEjzVzRauvwMaJ43tZ0DpEnwNdO5i1oTObwF+x+jLFWZP
|
||||
TdwIinECgYBzjZeCxxOMk5SlPpTsLUtgC+q3m1AavXhUVNEPP2gKMOIPTETPbhbG
|
||||
LBxB2vVbJiS3J7itQy8gceT89O0vSEZnaTPXiM/Ws1QbkBJ8yW7KI7X4WuzN4Imq
|
||||
/cLBRXLb8R328U27YyQFNGMjr2tX/+vx5FulJjSloWMRNuFWUngv7w==
|
||||
-----END RSA PRIVATE KEY-----`
|
||||
rsaCert = `-----BEGIN CERTIFICATE-----
|
||||
MIIC+jCCAeKgAwIBAgIRANBDimJ/ww2tz77qcYIhuZowDQYJKoZIhvcNAQELBQAw
|
||||
EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xNjA5MjQxNzI5MTlaFw0yNjA5MjIxNzI5
|
||||
MTlaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
|
||||
ggEKAoIBAQDUMdwgzdJOEWrLycCQ9AVfQTumHyOqHwQBNevKMoca5WNHdeE5DQFI
|
||||
+gnHJ92D9UTB68Wu2ZkB/PRYJvG8/ZJUKZ/uihuDhXYo9Kjec232+UEVSd5G0jId
|
||||
FDxhGcZJZpEfMltfp9+W2cbZoP7ypR+TXrWt1mDEED0bQZrjsiTBCFPYeq4fd1bZ
|
||||
S7hbZYzK3qBf+13IQBXnsw49yhx6Sevs1vaR+K4M9HuHrAWtbcjp6iPyhfZKQg65
|
||||
U23VnfUEBRw8kNSOqikjSj22iUz/tfXczx0RjQ4lBWvsVBgMX0l5Jh4QzJvCLOMF
|
||||
ocObjyZKCE/WjlSyxAFs00Lzdu1cKOItAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIF
|
||||
oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC
|
||||
CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAygPV4enmvwSuMd1JarxOXpOK
|
||||
Z4Nsk7EKlfCPgzxQUOkFdLIr5ZG1kUkQt/omzTmoIWjLAsoYzT0ZCPOrioczKsWj
|
||||
MceFUIkT0w+eIl+8DzauPy34o8rjcApglF165UG3iphlpI+jdPzv5TBarUAbwsFb
|
||||
ClMLEiNJQ0OMxAIaRtb2RehD4q3OWlpWf6joJ36PRBqL8T5+f2x6Tg3c64UR+QPX
|
||||
98UcCQHHdEhm7y2z5Z2Wt0B48tZ+UAxDEoEwMghNyw7wUD79IRlXGYypBnXaMuLX
|
||||
46aGxbsSQ7Rfg62Co3JG7vo+eJd0AoZHrtFUnfM8V70IFzMBZnSwRslHRJe56Q==
|
||||
-----END CERTIFICATE-----`
|
||||
ecdsaCert = `-----BEGIN CERTIFICATE-----
|
||||
MIIBbTCCAROgAwIBAgIQZCsHZcs5ZkzV+zC2E6j5RzAKBggqhkjOPQQDAjASMRAw
|
||||
DgYDVQQKEwdBY21lIENvMB4XDTE2MDkyNDE3NTE1OFoXDTI2MDkyMjE3NTE1OFow
|
||||
EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDTO
|
||||
B3IyzjYfKCp2HWy+P3QHxhdBT4AUGYgwTiSEj5phumPIahFNcOSWptN0UzlZvJdN
|
||||
MMjVmrFYK/FjF4abkNKjSzBJMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
|
||||
BgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggq
|
||||
hkjOPQQDAgNIADBFAiEAp9W157PM1IadPBc33Cbj7vaFvp+rXs/hSuMCzP8pgV8C
|
||||
IHCswo1qiC0ZjQmWsBlmz5Zbp9rOorIzBYmGRhRdNs3j
|
||||
-----END CERTIFICATE-----`
|
||||
ecdsaKey = `-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEIFdhO7IW5UIwpB1e2Vunm9QyKvUHWcVwGfLjhpOajuR7oAoGCCqGSM49
|
||||
AwEHoUQDQgAENM4HcjLONh8oKnYdbL4/dAfGF0FPgBQZiDBOJISPmmG6Y8hqEU1w
|
||||
5Jam03RTOVm8l00wyNWasVgr8WMXhpuQ0g==
|
||||
-----END EC PRIVATE KEY-----`
|
||||
)
|
9
_dev/tris-localserver/start.sh
Executable file
9
_dev/tris-localserver/start.sh
Executable file
@ -0,0 +1,9 @@
|
||||
#! /bin/sh
|
||||
set -e
|
||||
|
||||
cd "$(dirname $0)"
|
||||
|
||||
CGO_ENABLED=0 GOOS=linux ../go.sh build -v -i .
|
||||
docker build -t tris-localserver .
|
||||
exec docker run --name tris-localserver --env TLSDEBUG=error "$@" tris-localserver
|
||||
|
41
_dev/tstclnt/Dockerfile
Normal file
41
_dev/tstclnt/Dockerfile
Normal file
@ -0,0 +1,41 @@
|
||||
FROM buildpack-deps
|
||||
|
||||
RUN hg clone https://hg.mozilla.org/projects/nspr
|
||||
RUN hg clone https://hg.mozilla.org/projects/nss
|
||||
|
||||
ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
|
||||
# Incremental build snapshot disabled as dependencies don't seem to be solid:
|
||||
# the same value changed in a header file would apply to one .c file and not another
|
||||
# RUN cd nss && make nss_build_all
|
||||
|
||||
# Draft 15
|
||||
# ARG REVISION=c483e5f9e0bc
|
||||
|
||||
# Draft 16
|
||||
# ARG REVISION=3e7b53b18112
|
||||
|
||||
# Draft 18
|
||||
ARG REVISION=b6dfef6d0ff0
|
||||
|
||||
RUN cd nss && hg pull
|
||||
RUN cd nss && hg checkout -C $REVISION
|
||||
|
||||
ADD *.patch ./
|
||||
RUN for p in *.patch; do patch -p1 -d nss < $p; done
|
||||
|
||||
RUN cd nss && make nss_build_all
|
||||
|
||||
# ENV HOST=localhost
|
||||
# RUN cd nss/tests/ssl_gtests && ./ssl_gtests.sh
|
||||
|
||||
RUN cd nss && make install
|
||||
|
||||
RUN mv /dist/$(uname -s)$(uname -r | cut -f 1-2 -d . -)_$(uname -m)_${CC:-cc}_glibc_PTH_64_$([ -n "$BUILD_OPT" ] && echo OPT || echo DBG).OBJ /dist/OBJ-PATH
|
||||
|
||||
ENV LD_LIBRARY_PATH=/dist/OBJ-PATH/lib
|
||||
|
||||
ENV SSLTRACE=100 SSLDEBUG=100
|
||||
|
||||
ADD httpreq.txt /httpreq.txt
|
||||
ADD run.sh /run.sh
|
||||
ENTRYPOINT ["/run.sh"]
|
5
_dev/tstclnt/httpreq.txt
Normal file
5
_dev/tstclnt/httpreq.txt
Normal file
@ -0,0 +1,5 @@
|
||||
GET / HTTP/1.1
|
||||
Host: example.com
|
||||
Connection: close
|
||||
|
||||
|
37
_dev/tstclnt/poll.patch
Normal file
37
_dev/tstclnt/poll.patch
Normal file
@ -0,0 +1,37 @@
|
||||
diff -r 15c6a01b9fe8 cmd/tstclnt/tstclnt.c
|
||||
--- a/cmd/tstclnt/tstclnt.c Fri Jun 10 18:34:00 2016 +0100
|
||||
+++ b/cmd/tstclnt/tstclnt.c Thu Jun 16 16:26:29 2016 +0100
|
||||
@@ -713,7 +713,6 @@
|
||||
return NSS_GetClientAuthData(arg, socket, caNames, pRetCert, pRetKey);
|
||||
}
|
||||
|
||||
-#if defined(WIN32) || defined(OS2)
|
||||
void
|
||||
thread_main(void *arg)
|
||||
{
|
||||
@@ -746,7 +745,6 @@
|
||||
PR_Close(ps);
|
||||
}
|
||||
|
||||
-#endif
|
||||
|
||||
static void
|
||||
printHostNameAndAddr(const char *host, const PRNetAddr *addr)
|
||||
@@ -1545,7 +1543,8 @@
|
||||
npds = 2;
|
||||
std_out = PR_GetSpecialFD(PR_StandardOutput);
|
||||
|
||||
-#if defined(WIN32) || defined(OS2)
|
||||
+ // Enabled PR_Poll compatibility mode for running in docker run. (sigh).
|
||||
+
|
||||
/* PR_Poll cannot be used with stdin on Windows or OS/2. (sigh).
|
||||
** But use of PR_Poll and non-blocking sockets is a major feature
|
||||
** of this program. So, we simulate a pollable stdin with a
|
||||
@@ -1573,7 +1572,6 @@
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
-#endif
|
||||
|
||||
if (serverCertAuth.testFreshStatusFromSideChannel) {
|
||||
SSL_ForceHandshake(s);
|
8
_dev/tstclnt/run.sh
Executable file
8
_dev/tstclnt/run.sh
Executable file
@ -0,0 +1,8 @@
|
||||
#! /bin/bash
|
||||
|
||||
IFS=':' read -ra ADDR <<< "$1"
|
||||
shift
|
||||
HOST="${ADDR[0]}"
|
||||
PORT="${ADDR[1]}"
|
||||
|
||||
exec /dist/OBJ-PATH/bin/tstclnt -D -V tls1.3:tls1.3 -o -O -h $HOST -p $PORT -v "$@" < /httpreq.txt
|
載入中…
新增問題並參考
Block a user