tris: update README for public consumption
This commit is contained in:
rodzic
4f7b5988a3
commit
815d56e5a7
19
README.md
19
README.md
@ -9,7 +9,7 @@
|
||||
|
||||
crypto/tls, now with 100% more 1.3.
|
||||
|
||||
DO NOT USE THIS FOR THE SAKE OF EVERYTHING THAT'S GOOD AND JUST.
|
||||
THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.
|
||||
|
||||
[![Build Status](https://travis-ci.org/cloudflare/tls-tris.svg?branch=master)](https://travis-ci.org/cloudflare/tls-tris)
|
||||
|
||||
@ -23,7 +23,7 @@ So, to build with tls-tris, you need to use a custom GOROOT.
|
||||
A script is provided that will take care of it for you: `./_dev/go.sh`.
|
||||
Just use that instead of the `go` tool.
|
||||
|
||||
The script also transparently fetches the custom Cloudflare Go compiler with the required backports.
|
||||
The script also transparently fetches the custom Cloudflare Go 1.8rc3 compiler with the required backports.
|
||||
|
||||
```
|
||||
./_dev/go.sh build ./_dev/tris-localserver
|
||||
@ -32,7 +32,7 @@ TLSDEBUG=error ./tris-localserver 127.0.0.1:4443
|
||||
|
||||
## Debugging
|
||||
|
||||
When the environment variable `TLSDEBUG` is set to `error`, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs.
|
||||
When the environment variable `TLSDEBUG` is set to `error`, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is `short`, only the error and the first meaningful stack frame are printed.
|
||||
|
||||
## Building Caddy
|
||||
|
||||
@ -42,13 +42,7 @@ When the environment variable `TLSDEBUG` is set to `error`, Tris will print a he
|
||||
|
||||
*Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at `_dev/caddy/caddy.patch`.*
|
||||
|
||||
## Testing with Firefox
|
||||
|
||||
1. Download the latest Firefox Nightly
|
||||
1. Navigate to about:config and set `security.tls.version.max` to `4`
|
||||
1. Connect to https://tris.filippo.io/ or tris-localserver
|
||||
|
||||
## Testing with BoringSSL/BoGo/NSS/Mint
|
||||
## Testing with BoringSSL/NSS/Mint/...
|
||||
|
||||
```
|
||||
./_dev/tris-localserver/start.sh --rm
|
||||
@ -59,11 +53,6 @@ docker build -t tls-tris:boring _dev/boring
|
||||
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:bogo _dev/bogo
|
||||
docker run -i --rm tls-tris:bogo $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:tstclnt _dev/tstclnt
|
||||
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
|
@ -12,7 +12,7 @@ ADD https://mkcert.org/generate/ /etc/ssl/certs/ca-certificates.crt
|
||||
EXPOSE 80
|
||||
EXPOSE 443
|
||||
|
||||
ENV TLSDEBUG error
|
||||
ENV TLSDEBUG short
|
||||
ENV HOME /root/
|
||||
|
||||
CMD [ "/caddy" ]
|
||||
|
@ -1,16 +1,8 @@
|
||||
diff --git a/caddytls/config.go b/caddytls/config.go
|
||||
index 91c7451..c3e87d5 100644
|
||||
index 6632aed..767886c 100644
|
||||
--- a/caddytls/config.go
|
||||
+++ b/caddytls/config.go
|
||||
@@ -241,6 +241,7 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) {
|
||||
if i > 0 && cfg.PreferServerCipherSuites != configs[i-1].PreferServerCipherSuites {
|
||||
return nil, fmt.Errorf("cannot both use PreferServerCipherSuites and not use it")
|
||||
}
|
||||
+ config.PreferServerCipherSuites = cfg.PreferServerCipherSuites
|
||||
|
||||
// Go with the widest range of protocol versions
|
||||
if cfg.ProtocolMinVersion < config.MinVersion {
|
||||
@@ -335,7 +336,7 @@ func SetDefaultTLSParams(config *Config) {
|
||||
@@ -372,7 +372,7 @@ func SetDefaultTLSParams(config *Config) {
|
||||
config.ProtocolMinVersion = tls.VersionTLS11
|
||||
}
|
||||
if config.ProtocolMaxVersion == 0 {
|
||||
@ -19,7 +11,7 @@ index 91c7451..c3e87d5 100644
|
||||
}
|
||||
|
||||
// Prefer server cipher suites
|
||||
@@ -357,6 +358,7 @@ var supportedProtocols = map[string]uint16{
|
||||
@@ -394,6 +394,7 @@ var supportedProtocols = map[string]uint16{
|
||||
"tls1.0": tls.VersionTLS10,
|
||||
"tls1.1": tls.VersionTLS11,
|
||||
"tls1.2": tls.VersionTLS12,
|
||||
@ -27,30 +19,3 @@ index 91c7451..c3e87d5 100644
|
||||
}
|
||||
|
||||
// Map of supported ciphers, used only for parsing config.
|
||||
@@ -370,6 +372,8 @@ var supportedProtocols = map[string]uint16{
|
||||
//
|
||||
// This map, like any map, is NOT ORDERED. Do not range over this map.
|
||||
var supportedCiphersMap = map[string]uint16{
|
||||
+ "ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
+ "ECDHE-RSA-CHACHA20-POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
"ECDHE-RSA-AES256-GCM-SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
"ECDHE-RSA-AES128-GCM-SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
@@ -391,6 +395,8 @@ var supportedCiphersMap = map[string]uint16{
|
||||
// Note that TLS_FALLBACK_SCSV is not in this list since it is always
|
||||
// added manually.
|
||||
var supportedCiphers = []uint16{
|
||||
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
@@ -407,6 +413,8 @@ var supportedCiphers = []uint16{
|
||||
|
||||
// List of all the ciphers we want to use by default
|
||||
var defaultCiphers = []uint16{
|
||||
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
|
Ładowanie…
Reference in New Issue
Block a user