kris/th5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Enable TLS 1.3 (draft-22) as default

Browse Source 
* Also alignes some tests which were broken because of this
  change
This commit is contained in:
Henry Case 2018-03-19 22:03:23 +00:00 committed by Henry Dorsett Case
parent 7b3759576a
commit c1206cd452
5 changed files with 60 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
common.go
View File

@ -40,7 +40,7 @@ const (
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts maxWarnAlertCount = 5 // maximum number of consecutive warning alerts
minVersion = VersionTLS10 minVersion = VersionTLS10
maxVersion = VersionTLS12 maxVersion = VersionTLS13Draft22
) )
// TLS record types. // TLS record types.

52
example_test.go
View File

@ -71,7 +71,52 @@ yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
conn.Close() conn.Close()
} }
func ExampleConfig_keyLogWriter() { func ExampleConfig_keyLogWriter_TLS12() {
// Debugging TLS applications by decrypting a network traffic capture.
// WARNING: Use of KeyLogWriter compromises security and should only be
// used for debugging.
// Dummy test HTTP server for the example with insecure random so output is
// reproducible.
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
server.TLS = &tls.Config{
Rand: zeroSource{}, // for example only; don't do this.
MaxVersion: tls.VersionTLS12,
}
server.StartTLS()
defer server.Close()
// Typically the log would go to an open file:
// w, err := os.OpenFile("tls-secrets.txt", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
w := os.Stdout
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
KeyLogWriter: w,
Rand: zeroSource{}, // for reproducible output; don't do this.
InsecureSkipVerify: true, // test server certificate is not trusted.
},
},
}
resp, err := client.Get(server.URL)
if err != nil {
log.Fatalf("Failed to get URL: %v", err)
}
resp.Body.Close()
// The resulting file can be used with Wireshark to decrypt the TLS
// connection by setting (Pre)-Master-Secret log filename in SSL Protocol
// preferences.
// Output:
// CLIENT_RANDOM 0000000000000000000000000000000000000000000000000000000000000000 baca0df460a688e44ce018b025183cc2353ae01f89755ef766eedd3ecc302888ee3b3a22962e45f48c20df15a98c0e80
}
func ExampleConfig_keyLogWriter_TLS13() {
// Debugging TLS applications by decrypting a network traffic capture. // Debugging TLS applications by decrypting a network traffic capture.
// WARNING: Use of KeyLogWriter compromises security and should only be // WARNING: Use of KeyLogWriter compromises security and should only be
@ -111,5 +156,8 @@ func ExampleConfig_keyLogWriter() {
// preferences. // preferences.
// Output: // Output:
// CLIENT_RANDOM 0000000000000000000000000000000000000000000000000000000000000000 baca0df460a688e44ce018b025183cc2353ae01f89755ef766eedd3ecc302888ee3b3a22962e45f48c20df15a98c0e80 // CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 dd81138732f799edb6fbc3d99132544d7f9cfa324e06a870f54dcf7ae514f07a
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 7ded606632ac89e595f01a52228afe8e8f8833396ececf4e6e2196acda4a4eec
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 53f0129133343e630d989c0c8a30ca217d754f33e85787f07c06ebcfd3d333cb
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 c388383316a48082800ca08f8b8348fbb9039bda7569d51a93b397c83044344e
} }

3
handshake_client_test.go
View File

@ -660,6 +660,8 @@ func TestHandshakeClientCertECDSA(t *testing.T) {
runClientTestTLS12(t, test) runClientTestTLS12(t, test)
} }
// This test is specific to TLS versions which support session tickets (TLSv1.2 and below).
// Session tickets are obsolete in TLSv1.3 (see 2.2 of TLS RFC)
func TestClientResumption(t *testing.T) { func TestClientResumption(t *testing.T) {
serverConfig := &Config{ serverConfig := &Config{
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA}, CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
@ -679,6 +681,7 @@ func TestClientResumption(t *testing.T) {
ClientSessionCache: NewLRUClientSessionCache(32), ClientSessionCache: NewLRUClientSessionCache(32),
RootCAs: rootCAs, RootCAs: rootCAs,
ServerName: "example.golang", ServerName: "example.golang",
MaxVersion: VersionTLS12, // Enforce TLSv1.2
} }
testResumeState := func(test string, didResume bool) { testResumeState := func(test string, didResume bool) {

2
handshake_server_test.go
View File

@ -390,6 +390,8 @@ func TestSCTHandshake(t *testing.T) {
PrivateKey: testRSAPrivateKey, PrivateKey: testRSAPrivateKey,
SignedCertificateTimestamps: expected, SignedCertificateTimestamps: expected,
}}, }},
// See GH#76
MaxVersion: VersionTLS12,
} }
clientConfig := &Config{ clientConfig := &Config{
InsecureSkipVerify: true, InsecureSkipVerify: true,

4
tls_test.go
View File

@ -356,7 +356,11 @@ func TestVerifyHostname(t *testing.T) {
func TestVerifyHostnameResumed(t *testing.T) { func TestVerifyHostnameResumed(t *testing.T) {
config := &Config{ config := &Config{
ClientSessionCache: NewLRUClientSessionCache(32), ClientSessionCache: NewLRUClientSessionCache(32),
// There is no "New ticket" sent in case TLS v1.3 is advertised.
// Hence forcing TLSv12
MaxVersion: VersionTLS12,
} }
for i := 0; i < 2; i++ { for i := 0; i < 2; i++ {
c, err := Dial("tcp", "www.google.com:https", config) c, err := Dial("tcp", "www.google.com:https", config)
if err != nil { if err != nil {