998f77009e
To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites, remove the distinction between both suites. TLS 1.3 suites are now always included in the default cipher list (and the client will send it if MaxVersion allows for it). Since TLS 1.3 is expected to become the default MaxVersion and applications might have set only TLS 1.2 cipher suites in their configuration, TLS 1.3 cipher suites are added when none are present. Alternatively, I considered disallowing overriding the TLS 1.3 suites, but that requires more complexity and has not much benefits. Provide a mechanism and do not dictate policy, application developers might want to fix a cipher suite for testing other implementations for example. Fixes https://github.com/cloudflare/tls-tris/pull/22 |
||
|---|---|---|
| _dev | ||
| testdata | ||
| .travis.yml | ||
| 13.go | ||
| alert.go | ||
| cipher_suites.go | ||
| common.go | ||
| conn_test.go | ||
| conn.go | ||
| example_test.go | ||
| generate_cert.go | ||
| handshake_client_test.go | ||
| handshake_client.go | ||
| handshake_messages_test.go | ||
| handshake_messages.go | ||
| handshake_server_test.go | ||
| handshake_server.go | ||
| handshake_test.go | ||
| hkdf.go | ||
| key_agreement.go | ||
| prf_test.go | ||
| prf.go | ||
| README.md | ||
| ticket.go | ||
| tls_test.go | ||
| tls.go | ||
_____ _ ____ _ _
|_ _| | / ___| | |_ _ __(_)___
| | | | \___ \ _____| __| '__| / __|
| | | |___ ___) |_____| |_| | | \__ \
|_| |_____|____/ \__|_| |_|___/
crypto/tls, now with 100% more 1.3.
THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.
Usage
Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib,
tls-tris shouldn't be used as an external package. It is also impossible to vendor it
as crypto/tls because stdlib packages would import the standard one and mismatch.
So, to build with tls-tris, you need to use a custom GOROOT.
A script is provided that will take care of it for you: ./_dev/go.sh.
Just use that instead of the go tool.
The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.
./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443
Debugging
When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.
Building Caddy
./_dev/go.sh build github.com/mholt/caddy
Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.
Testing with BoringSSL/NSS/Mint/...
./_dev/tris-localserver/start.sh --rm
docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
To build a specific revision, use --build-arg REVISION=abcdef1234.