Enable TLS 1.3 (draft-22) as default
* Also alignes some tests which were broken because of this change
This commit is contained in:
parent
7b3759576a
commit
c1206cd452
@ -40,7 +40,7 @@ const (
|
||||
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts
|
||||
|
||||
minVersion = VersionTLS10
|
||||
maxVersion = VersionTLS12
|
||||
maxVersion = VersionTLS13Draft22
|
||||
)
|
||||
|
||||
// TLS record types.
|
||||
|
@ -71,7 +71,52 @@ yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
|
||||
conn.Close()
|
||||
}
|
||||
|
||||
func ExampleConfig_keyLogWriter() {
|
||||
func ExampleConfig_keyLogWriter_TLS12() {
|
||||
// Debugging TLS applications by decrypting a network traffic capture.
|
||||
|
||||
// WARNING: Use of KeyLogWriter compromises security and should only be
|
||||
// used for debugging.
|
||||
|
||||
// Dummy test HTTP server for the example with insecure random so output is
|
||||
// reproducible.
|
||||
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
|
||||
server.TLS = &tls.Config{
|
||||
Rand: zeroSource{}, // for example only; don't do this.
|
||||
MaxVersion: tls.VersionTLS12,
|
||||
}
|
||||
server.StartTLS()
|
||||
defer server.Close()
|
||||
|
||||
// Typically the log would go to an open file:
|
||||
// w, err := os.OpenFile("tls-secrets.txt", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
w := os.Stdout
|
||||
|
||||
client := &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
KeyLogWriter: w,
|
||||
|
||||
Rand: zeroSource{}, // for reproducible output; don't do this.
|
||||
InsecureSkipVerify: true, // test server certificate is not trusted.
|
||||
},
|
||||
},
|
||||
}
|
||||
resp, err := client.Get(server.URL)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to get URL: %v", err)
|
||||
}
|
||||
resp.Body.Close()
|
||||
|
||||
// The resulting file can be used with Wireshark to decrypt the TLS
|
||||
// connection by setting (Pre)-Master-Secret log filename in SSL Protocol
|
||||
// preferences.
|
||||
|
||||
// Output:
|
||||
// CLIENT_RANDOM 0000000000000000000000000000000000000000000000000000000000000000 baca0df460a688e44ce018b025183cc2353ae01f89755ef766eedd3ecc302888ee3b3a22962e45f48c20df15a98c0e80
|
||||
}
|
||||
|
||||
|
||||
func ExampleConfig_keyLogWriter_TLS13() {
|
||||
// Debugging TLS applications by decrypting a network traffic capture.
|
||||
|
||||
// WARNING: Use of KeyLogWriter compromises security and should only be
|
||||
@ -111,5 +156,8 @@ func ExampleConfig_keyLogWriter() {
|
||||
// preferences.
|
||||
|
||||
// Output:
|
||||
// CLIENT_RANDOM 0000000000000000000000000000000000000000000000000000000000000000 baca0df460a688e44ce018b025183cc2353ae01f89755ef766eedd3ecc302888ee3b3a22962e45f48c20df15a98c0e80
|
||||
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 dd81138732f799edb6fbc3d99132544d7f9cfa324e06a870f54dcf7ae514f07a
|
||||
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 7ded606632ac89e595f01a52228afe8e8f8833396ececf4e6e2196acda4a4eec
|
||||
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 53f0129133343e630d989c0c8a30ca217d754f33e85787f07c06ebcfd3d333cb
|
||||
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 c388383316a48082800ca08f8b8348fbb9039bda7569d51a93b397c83044344e
|
||||
}
|
||||
|
@ -660,6 +660,8 @@ func TestHandshakeClientCertECDSA(t *testing.T) {
|
||||
runClientTestTLS12(t, test)
|
||||
}
|
||||
|
||||
// This test is specific to TLS versions which support session tickets (TLSv1.2 and below).
|
||||
// Session tickets are obsolete in TLSv1.3 (see 2.2 of TLS RFC)
|
||||
func TestClientResumption(t *testing.T) {
|
||||
serverConfig := &Config{
|
||||
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
|
||||
@ -679,6 +681,7 @@ func TestClientResumption(t *testing.T) {
|
||||
ClientSessionCache: NewLRUClientSessionCache(32),
|
||||
RootCAs: rootCAs,
|
||||
ServerName: "example.golang",
|
||||
MaxVersion: VersionTLS12, // Enforce TLSv1.2
|
||||
}
|
||||
|
||||
testResumeState := func(test string, didResume bool) {
|
||||
|
@ -390,6 +390,8 @@ func TestSCTHandshake(t *testing.T) {
|
||||
PrivateKey: testRSAPrivateKey,
|
||||
SignedCertificateTimestamps: expected,
|
||||
}},
|
||||
// See GH#76
|
||||
MaxVersion: VersionTLS12,
|
||||
}
|
||||
clientConfig := &Config{
|
||||
InsecureSkipVerify: true,
|
||||
|
@ -356,7 +356,11 @@ func TestVerifyHostname(t *testing.T) {
|
||||
func TestVerifyHostnameResumed(t *testing.T) {
|
||||
config := &Config{
|
||||
ClientSessionCache: NewLRUClientSessionCache(32),
|
||||
// There is no "New ticket" sent in case TLS v1.3 is advertised.
|
||||
// Hence forcing TLSv12
|
||||
MaxVersion: VersionTLS12,
|
||||
}
|
||||
|
||||
for i := 0; i < 2; i++ {
|
||||
c, err := Dial("tcp", "www.google.com:https", config)
|
||||
if err != nil {
|
||||
|
Loading…
Reference in New Issue
Block a user