kris/th5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Alternative TLS implementation in Go
444 Commits 3 Branches 0 Tags 2.6 MiB
Go 99.8%
Shell 0.2%
ac01048c5e
Go to file
Peter Wu ac01048c5e tris: add NSS server to client interop tests 
Similar to boringssl, reuse the NSS client image for the NSS server test
against the tris client. Bump the NSS version to 3.34.1 gain support
for TLS 1.3 keylogging which is useful while debugging.

Adjust read check to fix intermittent NSS test failures:
https://github.com/cloudflare/tls-tris/issues/58
2017-12-13 17:39:53 +00:00
_dev tris: add NSS server to client interop tests 2017-12-13 17:39:53 +00:00
testdata crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
.travis.yml tris: add NSS server to client interop tests 2017-12-13 17:39:53 +00:00
13.go tris: process ALPN in EE received by client 2017-12-13 17:39:53 +00:00
alert.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
auth.go crypto/tls: enable certificate validation on the client 2017-12-13 17:39:53 +00:00
cipher_suites.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
common.go tris: advertise PSS in Client Hello for TLS 1.3 2017-12-13 17:39:53 +00:00
conn_test.go crypto/tls: fix first byte test for 255 CBC padding bytes 2017-10-06 18:07:04 +00:00
conn.go tris: prevent sending 0.5-RTT data 2017-12-01 19:08:31 +00:00
example_test.go crypto/tls: add example for Config KeyLogWriter 2016-11-17 03:24:31 +00:00
generate_cert.go crypto/tls: recommend P256 elliptic curve 2017-04-10 17:40:01 +00:00
handshake_client_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_client.go tris: advertise PSS in Client Hello for TLS 1.3 2017-12-13 17:39:53 +00:00
handshake_messages_test.go tris: unify ServerHello processing in preparation for D22 2017-11-24 19:44:22 +00:00
handshake_messages.go tris: unify ServerHello processing in preparation for D22 2017-11-24 19:44:22 +00:00
handshake_server_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_server.go crypto/tls: consolidate signatures handling in SKE and CV 2017-12-13 17:34:03 +00:00
handshake_test.go crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
hkdf.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
key_agreement.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
prf_test.go crypto/tls: decouple handshake signatures from the handshake hash. 2015-04-30 03:47:02 +00:00
prf.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
README.md tris: update Go to 1.9 2017-09-07 17:40:17 +01:00
ticket.go tris: add SessionTicketSealer 2017-09-05 21:06:35 +01:00
tls_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
tls.go all: revert "all: prefer strings.LastIndexByte over strings.LastIndex" 2017-10-05 23:19:42 +00:00

README.md 

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.

Build Status

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn't be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.

Testing with BoringSSL/NSS/Mint/...

./_dev/tris-localserver/start.sh --rm

docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build a specific revision, use --build-arg REVISION=abcdef1234.