Filippo Valsorda
il y a 7 ans
committed by
Peter Wu
Peter Wu
3 fichiers modifiés avec 8 ajouts et 54 suppressions
-
+4 -15README.md
-
+1 -1_dev/caddy/Dockerfile
-
+3 -38_dev/caddy/caddy.patch
+ 4
- 15
README.md
Voir le fichier
| @@ -9,7 +9,7 @@ | |||
| crypto/tls, now with 100% more 1.3. | |||
| DO NOT USE THIS FOR THE SAKE OF EVERYTHING THAT'S GOOD AND JUST. | |||
| THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED. | |||
| [](https://travis-ci.org/cloudflare/tls-tris) | |||
| @@ -23,7 +23,7 @@ So, to build with tls-tris, you need to use a custom GOROOT. | |||
| A script is provided that will take care of it for you: `./_dev/go.sh`. | |||
| Just use that instead of the `go` tool. | |||
| The script also transparently fetches the custom Cloudflare Go compiler with the required backports. | |||
| The script also transparently fetches the custom Cloudflare Go 1.8rc3 compiler with the required backports. | |||
| ``` | |||
| ./_dev/go.sh build ./_dev/tris-localserver | |||
| @@ -32,7 +32,7 @@ TLSDEBUG=error ./tris-localserver 127.0.0.1:4443 | |||
| ## Debugging | |||
| When the environment variable `TLSDEBUG` is set to `error`, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. | |||
| When the environment variable `TLSDEBUG` is set to `error`, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is `short`, only the error and the first meaningful stack frame are printed. | |||
| ## Building Caddy | |||
| @@ -42,13 +42,7 @@ When the environment variable `TLSDEBUG` is set to `error`, Tris will print a he | |||
| *Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at `_dev/caddy/caddy.patch`.* | |||
| ## Testing with Firefox | |||
| 1. Download the latest Firefox Nightly | |||
| 1. Navigate to about:config and set `security.tls.version.max` to `4` | |||
| 1. Connect to https://tris.filippo.io/ or tris-localserver | |||
| ## Testing with BoringSSL/BoGo/NSS/Mint | |||
| ## Testing with BoringSSL/NSS/Mint/... | |||
| ``` | |||
| ./_dev/tris-localserver/start.sh --rm | |||
| @@ -59,11 +53,6 @@ docker build -t tls-tris:boring _dev/boring | |||
| docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443 | |||
| ``` | |||
| ``` | |||
| docker build -t tls-tris:bogo _dev/bogo | |||
| docker run -i --rm tls-tris:bogo $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443 | |||
| ``` | |||
| ``` | |||
| docker build -t tls-tris:tstclnt _dev/tstclnt | |||
| docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443 | |||
+ 1
- 1
_dev/caddy/Dockerfile
Voir le fichier
| @@ -12,7 +12,7 @@ ADD https://mkcert.org/generate/ /etc/ssl/certs/ca-certificates.crt | |||
| EXPOSE 80 | |||
| EXPOSE 443 | |||
| ENV TLSDEBUG error | |||
| ENV TLSDEBUG short | |||
| ENV HOME /root/ | |||
| CMD [ "/caddy" ] | |||
+ 3
- 38
_dev/caddy/caddy.patch
Voir le fichier
| @@ -1,16 +1,8 @@ | |||
| diff --git a/caddytls/config.go b/caddytls/config.go | |||
| index 91c7451..c3e87d5 100644 | |||
| index 6632aed..767886c 100644 | |||
| --- a/caddytls/config.go | |||
| +++ b/caddytls/config.go | |||
| @@ -241,6 +241,7 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) { | |||
| if i > 0 && cfg.PreferServerCipherSuites != configs[i-1].PreferServerCipherSuites { | |||
| return nil, fmt.Errorf("cannot both use PreferServerCipherSuites and not use it") | |||
| } | |||
| + config.PreferServerCipherSuites = cfg.PreferServerCipherSuites | |||
| // Go with the widest range of protocol versions | |||
| if cfg.ProtocolMinVersion < config.MinVersion { | |||
| @@ -335,7 +336,7 @@ func SetDefaultTLSParams(config *Config) { | |||
| @@ -372,7 +372,7 @@ func SetDefaultTLSParams(config *Config) { | |||
| config.ProtocolMinVersion = tls.VersionTLS11 | |||
| } | |||
| if config.ProtocolMaxVersion == 0 { | |||
| @@ -19,7 +11,7 @@ index 91c7451..c3e87d5 100644 | |||
| } | |||
| // Prefer server cipher suites | |||
| @@ -357,6 +358,7 @@ var supportedProtocols = map[string]uint16{ | |||
| @@ -394,6 +394,7 @@ var supportedProtocols = map[string]uint16{ | |||
| "tls1.0": tls.VersionTLS10, | |||
| "tls1.1": tls.VersionTLS11, | |||
| "tls1.2": tls.VersionTLS12, | |||
| @@ -27,30 +19,3 @@ index 91c7451..c3e87d5 100644 | |||
| } | |||
| // Map of supported ciphers, used only for parsing config. | |||
| @@ -370,6 +372,8 @@ var supportedProtocols = map[string]uint16{ | |||
| // | |||
| // This map, like any map, is NOT ORDERED. Do not range over this map. | |||
| var supportedCiphersMap = map[string]uint16{ | |||
| + "ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |||
| + "ECDHE-RSA-CHACHA20-POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |||
| "ECDHE-RSA-AES256-GCM-SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | |||
| "ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | |||
| "ECDHE-RSA-AES128-GCM-SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |||
| @@ -391,6 +395,8 @@ var supportedCiphersMap = map[string]uint16{ | |||
| // Note that TLS_FALLBACK_SCSV is not in this list since it is always | |||
| // added manually. | |||
| var supportedCiphers = []uint16{ | |||
| + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |||
| + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |||
| tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | |||
| tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | |||
| tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |||
| @@ -407,6 +413,8 @@ var supportedCiphers = []uint16{ | |||
| // List of all the ciphers we want to use by default | |||
| var defaultCiphers = []uint16{ | |||
| + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |||
| + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |||
| tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | |||
| tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | |||
| tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |||