Alternative TLS implementation in Go
Latest commit 5406418371 by Filippo Valsorda, 2017-09-05 21:06:35 +01:00: crypto/tls: fix panic in PSK binders parsing (BoGo: Resume-Server-ExtraPSKBinder)

| Path | Last commit | Date |
| --- | --- | --- |
| _dev | tris: switch to Go 1.8beta1 | 2017-09-05 21:06:34 +01:00 |
| testdata | crypto/tls: enable ChaCha20-Poly1305 cipher suites by default. | 2016-10-18 06:54:30 +00:00 |
| .travis.yml | crypto/tls: do not drain 0-RTT data on Close | 2017-09-05 21:06:34 +01:00 |
| 13.go | tris: tolerate NSS sending obfuscated_ticket_age as seconds | 2017-09-05 21:06:34 +01:00 |
| alert.go | crypto/tls: implement TLS 1.3 server 0-RTT | 2017-09-05 21:06:34 +01:00 |
| cipher_suites.go | [dev.tls] crypto/tls: implement TLS 1.3 cipher suites | 2017-09-05 20:29:39 +01:00 |
| common.go | crypto/tls: make 1.3 version negotiation more robust | 2017-09-05 21:06:34 +01:00 |
| conn_test.go | crypto/tls: use io.ReadFull in conn_test.go | 2017-02-24 02:36:10 +00:00 |
| conn.go | crypto/tls: stop ConfirmHandshake from locking on any Read | 2017-09-05 21:06:34 +01:00 |
| example_test.go | crypto/tls: add example for Config KeyLogWriter | 2016-11-17 03:24:31 +00:00 |
| generate_cert.go | crypto/tls: recommend P256 elliptic curve | 2017-04-10 17:40:01 +00:00 |
| handshake_client_test.go | tris: add picotls interop | 2017-09-05 21:06:34 +01:00 |
| handshake_client.go | crypto/tls: fix Conn.phase data races | 2017-09-05 21:06:34 +01:00 |
| handshake_messages_test.go | crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV | 2017-09-05 21:06:34 +01:00 |
| handshake_messages.go | crypto/tls: fix panic in PSK binders parsing | 2017-09-05 21:06:35 +01:00 |
| handshake_server_test.go | [dev.tls] crypto/tls: implement TLS 1.3 cipher suites | 2017-09-05 20:29:39 +01:00 |
| handshake_server.go | crypto/tls: simplify supported points handling to match BoringSSL | 2017-09-05 21:06:35 +01:00 |
| handshake_test.go | crypto/tls: switch to OpenSSL 1.1.0 for test data. | 2016-10-12 17:03:46 +00:00 |
| hkdf.go | crypto/tls: implement TLS 1.3 minimal server | 2017-09-05 21:06:29 +01:00 |
| key_agreement.go | crypto/tls: implement TLS 1.3 minimal server | 2017-09-05 21:06:29 +01:00 |
| prf_test.go | crypto/tls: decouple handshake signatures from the handshake hash. | 2015-04-30 03:47:02 +00:00 |
| prf.go | crypto/tls: return from Handshake before the Client Finished in 1.3 | 2017-09-05 21:06:34 +01:00 |
| README.md | tris: import go wrapper and interoperability tests | 2017-09-05 20:29:43 +01:00 |
| ticket.go | crypto/tls: finish the session ticket state checks | 2017-09-05 21:06:34 +01:00 |
| tls_test.go | crypto/tls: implement TLS 1.3 server 0-RTT | 2017-09-05 21:06:34 +01:00 |
| tls.go | crypto/tls: disable CBC cipher suites with SHA-256 by default | 2017-01-17 16:41:09 +00:00 |

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

DO NOT USE THIS FOR THE SAKE OF EVERYTHING THAT'S GOOD AND JUST.


Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn't be used as an external package. It is also impossible to vendor it as crypto/tls: other stdlib packages (net/http, for one) would still import the standard crypto/tls, and the types of the two copies would not match.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error and a handshake error occurs, Tris prints a hexdump of the ClientHello and a stack trace.
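That hexdump is produced from inside the patched crypto/tls. On a stock toolchain the closest observation point is Config.GetConfigForClient, which the server calls with the parsed ClientHello before it picks a version. The following is an added example, not code from the tris repository: it uses the standard library's crypto/tls (which has since gained TLS 1.3, so it runs on a current Go without the custom GOROOT) to run a 1.3-only server against a client capped once at 1.3 and once at 1.2, over loopback TCP, and reports what the client offered and what was negotiated or refused. The names HandshakeResult, RunHandshake, selfSignedCert and must are this example's own, and the certificate is a throwaway self-signed one minted at startup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HandshakeResult: what the client offered, as the server saw it before picking
// a version, and what was negotiated (zero when the handshake failed).
type HandshakeResult struct {
	Offered    tls.ClientHelloInfo
	Negotiated tls.ConnectionState
}

// must turns setup failures (key generation, listening on loopback) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert mints a throwaway P-256 certificate for "localhost" so the
// example runs offline; the client pins it as a root instead of skipping
// verification. Example-only, not a certificate from the tris repository.
func selfSignedCert() tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// RunHandshake connects a client capped at clientMax to a server whose floor is
// TLS 1.3, over loopback TCP (net.Pipe is unbuffered and can deadlock a server
// that flushes a whole flight at once). GetConfigForClient runs before version
// negotiation, so Offered is filled in even when the server then refuses.
func RunHandshake(clientMax uint16) (*HandshakeResult, error) {
	res := &HandshakeResult{}
	cert := selfSignedCert()
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{cert},
			MinVersion:   tls.VersionTLS13, // a 1.3-only endpoint
			GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
				res.Offered = *hello // snapshot of the parsed ClientHello
				return nil, nil      // nil keeps the enclosing Config
			},
		})
		defer srv.Close()
		if err = srv.Handshake(); err == nil {
			res.Negotiated = srv.ConnectionState()
		}
		srvErr <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,
		ServerName: "localhost",
		MaxVersion: clientMax,
	})
	if err == nil {
		cli.Close()
	}
	if serr := <-srvErr; err == nil {
		err = serr // surface a server-side failure behind a "successful" dial
	}
	return res, err
}

func main() {
	for _, max := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		res, err := RunHandshake(max)
		fmt.Printf("client max 0x%04x: offered %#04x, negotiated 0x%04x, err=%v\n",
			max, res.Offered.SupportedVersions, res.Negotiated.Version, err)
	}
}
```

The first iteration negotiates 0x0304; the second shows the 1.2-capped client's supported_versions list being captured and then refused with a protocol_version alert. In a real server the same GetConfigForClient hook is where you would log hello.SupportedVersions, hello.CipherSuites and hello.ServerName for a failing peer; what it gives you is parsed fields, not the raw record bytes TLSDEBUG dumps.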

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.

Testing with Firefox

  1. Download the latest Firefox Nightly
  2. Navigate to about:config and set security.tls.version.max to 4 (4 selects TLS 1.3; 3 is TLS 1.2)
  3. Connect to https://tris.filippo.io/ or tris-localserver

Testing with BoringSSL/BoGo/NSS/Mint

./_dev/tris-localserver/start.sh --rm
docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:bogo _dev/bogo
docker run -i --rm tls-tris:bogo $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build one of these images against a specific revision of the implementation it wraps, pass --build-arg REVISION=abcdef1234 to docker build.