kris/th5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Alternative TLS implementation in Go
449 Commits 3 Branches 0 Tags 2.6 MiB
Go 99.8%
Shell 0.2%
824987c5ad
Go to file
Peter Wu 824987c5ad tris: implement draft-22 middlebox compatibility mode 
Send/Skip CCS, set legacy record version to 3,3 and echo session ID.
CCS must be ignored while the handshake is running, but not thereafter:
https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5

Unconditionally send CCS as server because bogo requires it, even if no
session ID is included in the Client Hello. TLS 1.3 clients MUST ignore
it anyway, so it should not hurt.

Fixes interop with boringssl and openssl and passes bogo.
2017-12-13 20:16:48 +00:00
_dev tris: update Server Hello processing for D22 2017-12-13 20:15:00 +00:00
testdata crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
.travis.yml tris: add NSS server to client interop tests 2017-12-13 17:39:53 +00:00
13.go tris: implement draft-22 middlebox compatibility mode 2017-12-13 20:16:48 +00:00
alert.go tris: convert end_of_early_data to a handshake message 2017-12-13 17:49:25 +00:00
auth.go crypto/tls: enable certificate validation on the client 2017-12-13 17:39:53 +00:00
cipher_suites.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
common.go tris: update Server Hello processing for D22 2017-12-13 20:15:00 +00:00
conn_test.go crypto/tls: fix first byte test for 255 CBC padding bytes 2017-10-06 18:07:04 +00:00
conn.go tris: implement draft-22 middlebox compatibility mode 2017-12-13 20:16:48 +00:00
example_test.go crypto/tls: add example for Config KeyLogWriter 2016-11-17 03:24:31 +00:00
generate_cert.go crypto/tls: recommend P256 elliptic curve 2017-04-10 17:40:01 +00:00
handshake_client_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_client.go tris: implement draft-22 middlebox compatibility mode 2017-12-13 20:16:48 +00:00
handshake_messages_test.go tris: update NewSessionTicket for draft -19 and -21 2017-12-13 17:49:25 +00:00
handshake_messages.go tris: update Server Hello processing for D22 2017-12-13 20:15:00 +00:00
handshake_server_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_server.go tris: implement draft-22 middlebox compatibility mode 2017-12-13 20:16:48 +00:00
handshake_test.go crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
hkdf.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
key_agreement.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
prf_test.go crypto/tls: decouple handshake signatures from the handshake hash. 2015-04-30 03:47:02 +00:00
prf.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
README.md tris: update Go to 1.9 2017-09-07 17:40:17 +01:00
ticket.go tris: update NewSessionTicket for draft -19 and -21 2017-12-13 17:49:25 +00:00
tls_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
tls.go crypto/tls: disable CBC cipher suites with SHA-256 by default 2017-01-17 16:41:09 +00:00

README.md 

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.

Build Status

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn't be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.

Testing with BoringSSL/NSS/Mint/...

./_dev/tris-localserver/start.sh --rm

docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build a specific revision, use --build-arg REVISION=abcdef1234.