Alternative TLS implementation in Go
Go to file
Peter Wu 9eb1d7faf7 crypto/tls: skip session cache for TLS 1.3
Skip reading the session cache if TLS 1.3 is in use (the cache has no
use), skip storing a session if TLS 1.3 is in use (sessionCache can
still be set when TLS 1.2 is allowed).
2017-12-13 17:39:53 +00:00
_dev tris: enable TLS 1.3 for tris-localserver again. 2017-09-29 12:47:55 +01:00
testdata crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
.travis.yml tris: add proper BoGo tests 2017-09-05 21:06:35 +01:00
13.go tris: fix nonce length definition and actually use it 2017-12-04 19:17:56 +00:00
alert.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
auth.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
cipher_suites.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
common.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
conn_test.go crypto/tls: fix first byte test for 255 CBC padding bytes 2017-10-06 18:07:04 +00:00
conn.go tris: prevent sending 0.5-RTT data 2017-12-01 19:08:31 +00:00
example_test.go crypto/tls: add example for Config KeyLogWriter 2016-11-17 03:24:31 +00:00
generate_cert.go crypto/tls: recommend P256 elliptic curve 2017-04-10 17:40:01 +00:00
handshake_client_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_client.go crypto/tls: skip session cache for TLS 1.3 2017-12-13 17:39:53 +00:00
handshake_messages_test.go tris: unify ServerHello processing in preparation for D22 2017-11-24 19:44:22 +00:00
handshake_messages.go tris: unify ServerHello processing in preparation for D22 2017-11-24 19:44:22 +00:00
handshake_server_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_server.go crypto/tls: consolidate signatures handling in SKE and CV 2017-12-13 17:34:03 +00:00
handshake_test.go crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
hkdf.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
key_agreement.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
prf_test.go crypto/tls: decouple handshake signatures from the handshake hash. 2015-04-30 03:47:02 +00:00
prf.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
README.md tris: update Go to 1.9 2017-09-07 17:40:17 +01:00
ticket.go tris: add SessionTicketSealer 2017-09-05 21:06:35 +01:00
tls_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
tls.go all: revert "all: prefer strings.LastIndexByte over strings.LastIndex" 2017-10-05 23:19:42 +00:00

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.

Build Status

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn't be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.

Testing with BoringSSL/NSS/Mint/...

./_dev/tris-localserver/start.sh --rm
docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build a specific revision, use --build-arg REVISION=abcdef1234.