Enable TLS 1.3 (draft-22) as default

* Also aligns some tests which were broken because of this
  change
Henry Case 2018-03-19 22:03:23 +00:00 committed by Henry Dorsett Case
부모 7b3759576a
커밋 c1206cd452
5개의 변경된 파일60개의 추가작업 그리고 3개의 파일을 삭제


@ -40,7 +40,7 @@ const (
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts
minVersion = VersionTLS10
maxVersion = VersionTLS12
maxVersion = VersionTLS13Draft22
)
// TLS record types.
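Review bot: The new `maxVersion = VersionTLS13Draft22` line carries no comment saying that the package default is now a draft protocol version, even though it presumably raises the ceiling for every `Config` that leaves `MaxVersion` unset. The other sections of this commit pin `MaxVersion: VersionTLS12` in TestClientResumption, TestSCTHandshake and TestVerifyHostnameResumed, which suggests that ticket resumption and SCT delivery are not exercised on the draft path; callers that rely on them may lose them silently once this default applies. I would document that at the constant, for example `maxVersion = VersionTLS13Draft22 // draft, not final TLS 1.3; set Config.MaxVersion = VersionTLS12 where resumption or SCTs are required`. The const block starts above the hunk.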


@ -71,7 +71,52 @@ yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
conn.Close()
}
func ExampleConfig_keyLogWriter() {
func ExampleConfig_keyLogWriter_TLS12() {
// Debugging TLS applications by decrypting a network traffic capture.
// WARNING: Use of KeyLogWriter compromises security and should only be
// used for debugging.
// Dummy test HTTP server for the example with insecure random so output is
// reproducible.
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
server.TLS = &tls.Config{
Rand: zeroSource{}, // for example only; don't do this.
MaxVersion: tls.VersionTLS12,
}
server.StartTLS()
defer server.Close()
// Typically the log would go to an open file:
// w, err := os.OpenFile("tls-secrets.txt", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
w := os.Stdout
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
KeyLogWriter: w,
Rand: zeroSource{}, // for reproducible output; don't do this.
InsecureSkipVerify: true, // test server certificate is not trusted.
},
},
}
resp, err := client.Get(server.URL)
if err != nil {
log.Fatalf("Failed to get URL: %v", err)
}
resp.Body.Close()
// The resulting file can be used with Wireshark to decrypt the TLS
// connection by setting (Pre)-Master-Secret log filename in SSL Protocol
// preferences.
// Output:
// CLIENT_RANDOM 0000000000000000000000000000000000000000000000000000000000000000 baca0df460a688e44ce018b025183cc2353ae01f89755ef766eedd3ecc302888ee3b3a22962e45f48c20df15a98c0e80
}
func ExampleConfig_keyLogWriter_TLS13() {
// Debugging TLS applications by decrypting a network traffic capture.
// WARNING: Use of KeyLogWriter compromises security and should only be
@ -111,5 +156,8 @@ func ExampleConfig_keyLogWriter() {
// preferences.
// Output:
// CLIENT_RANDOM 0000000000000000000000000000000000000000000000000000000000000000 baca0df460a688e44ce018b025183cc2353ae01f89755ef766eedd3ecc302888ee3b3a22962e45f48c20df15a98c0e80
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 dd81138732f799edb6fbc3d99132544d7f9cfa324e06a870f54dcf7ae514f07a
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 7ded606632ac89e595f01a52228afe8e8f8833396ececf4e6e2196acda4a4eec
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 53f0129133343e630d989c0c8a30ca217d754f33e85787f07c06ebcfd3d333cb
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 c388383316a48082800ca08f8b8348fbb9039bda7569d51a93b397c83044344e
}
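Review bot: The new names `ExampleConfig_keyLogWriter_TLS12` and `ExampleConfig_keyLogWriter_TLS13` end in a suffix that starts with an upper-case letter, which Go's example naming convention does not allow and which `go vet` is likely to report as a malformed example suffix. A single suffix with a lower-case first letter keeps both valid, e.g. `func ExampleConfig_keyLogWriterTLS12()` and `func ExampleConfig_keyLogWriterTLS13()`. The TLS 1.2 example is also a near copy of the existing body and appears to differ only in the server's `MaxVersion: tls.VersionTLS12`, so a short comment on that line saying it is the one intended difference would help the next reader. Most of the TLS 1.3 example's body lies outside the visible hunks.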


@ -660,6 +660,8 @@ func TestHandshakeClientCertECDSA(t *testing.T) {
runClientTestTLS12(t, test)
}
// This test is specific to TLS versions which support session tickets (TLSv1.2 and below).
// Session tickets are obsolete in TLSv1.3 (see 2.2 of TLS RFC)
func TestClientResumption(t *testing.T) {
serverConfig := &Config{
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
@ -679,6 +681,7 @@ func TestClientResumption(t *testing.T) {
ClientSessionCache: NewLRUClientSessionCache(32),
RootCAs: rootCAs,
ServerName: "example.golang",
MaxVersion: VersionTLS12, // Enforce TLSv1.2
}
testResumeState := func(test string, didResume bool) {
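Review bot: The added comment above `TestClientResumption` says session tickets are "obsolete in TLSv1.3", which overstates it: TLS 1.3 replaces session-ID and ticket resumption with PSK-based resumption, so resumption still exists there and is simply not covered by this test. I would reword it to `// Covers session-ID/ticket resumption as used up to TLS 1.2; TLS 1.3 resumes via PSK (section 2.2 of the TLS 1.3 draft) and needs its own test.` so that the `MaxVersion: VersionTLS12` pin reads as a known coverage gap rather than a closed topic. The function body continues outside both hunks.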


@ -390,6 +390,8 @@ func TestSCTHandshake(t *testing.T) {
PrivateKey: testRSAPrivateKey,
SignedCertificateTimestamps: expected,
}},
// See GH#76
MaxVersion: VersionTLS12,
}
clientConfig := &Config{
InsecureSkipVerify: true,
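Review bot: The `// See GH#76` comment on the new `MaxVersion: VersionTLS12` line gives no reason for the pin, so a reader cannot tell whether SCT delivery is unsupported on the TLS 1.3 draft path or only this test is. Since signed certificate timestamps are what a client uses for Certificate Transparency checks, the comment should state the limitation in words, e.g. `// Pinned to TLS 1.2, see GH#76: <reason from the issue>; remove once SCTs are tested under TLS 1.3.` The server config literal starts above the hunk.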


@ -356,7 +356,11 @@ func TestVerifyHostname(t *testing.T) {
func TestVerifyHostnameResumed(t *testing.T) {
config := &Config{
ClientSessionCache: NewLRUClientSessionCache(32),
// There is no "New ticket" sent in case TLS v1.3 is advertised.
// Hence forcing TLSv12
MaxVersion: VersionTLS12,
}
for i := 0; i < 2; i++ {
c, err := Dial("tcp", "www.google.com:https", config)
if err != nil {