Alternative TLS implementation in Go
Go to file
Filippo Valsorda c758567785 crypto/tls: detect unexpected leftover handshake data
There should be no data in the Handshake buffer on encryption state
changes (including implicit 1.3 transitions). Checking that also blocks
all Handshake messages fragmented across CCS.

BoGo: PartialClientFinishedWithClientHello
2017-09-05 21:06:35 +01:00
_dev tris: switch to Go 1.8beta1 2017-09-05 21:06:34 +01:00
testdata crypto/tls: enable ChaCha20-Poly1305 cipher suites by default. 2016-10-18 06:54:30 +00:00
.travis.yml crypto/tls: do not drain 0-RTT data on Close 2017-09-05 21:06:34 +01:00
13.go crypto/tls: detect unexpected leftover handshake data 2017-09-05 21:06:35 +01:00
alert.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
cipher_suites.go [dev.tls] crypto/tls: implement TLS 1.3 cipher suites 2017-09-05 20:29:39 +01:00
common.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
conn_test.go crypto/tls: use io.ReadFull in conn_test.go 2017-02-24 02:36:10 +00:00
conn.go crypto/tls: disallow handshake messages fragmented across CCS 2017-09-05 21:06:35 +01:00
example_test.go crypto/tls: add example for Config KeyLogWriter 2016-11-17 03:24:31 +00:00
generate_cert.go crypto/tls: recommend P256 elliptic curve 2017-04-10 17:40:01 +00:00
handshake_client_test.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
handshake_client.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
handshake_messages_test.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
handshake_messages.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
handshake_server_test.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
handshake_server.go crypto/tls: detect unexpected leftover handshake data 2017-09-05 21:06:35 +01:00
handshake_test.go crypto/tls: switch to OpenSSL 1.1.0 for test data. 2016-10-12 17:03:46 +00:00
hkdf.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
key_agreement.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
prf_test.go crypto/tls: decouple handshake signatures from the handshake hash. 2015-04-30 03:47:02 +00:00
prf.go crypto/tls: return from Handshake before the Client Finished in 1.3 2017-09-05 21:06:34 +01:00
README.md tris: import go wrapper and interoperability tests 2017-09-05 20:29:43 +01:00
ticket.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
tls_test.go crypto/tls: implement TLS 1.3 server 0-RTT 2017-09-05 21:06:34 +01:00
tls.go crypto/tls: disable CBC cipher suites with SHA-256 by default 2017-01-17 16:41:09 +00:00

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

DO NOT USE THIS FOR THE SAKE OF EVERYTHING THAT'S GOOD AND JUST.

Build Status

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn't be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs.

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.

Testing with Firefox

  1. Download the latest Firefox Nightly
  2. Navigate to about:config and set security.tls.version.max to 4
  3. Connect to https://tris.filippo.io/ or tris-localserver

Testing with BoringSSL/BoGo/NSS/Mint

./_dev/tris-localserver/start.sh --rm
docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:bogo _dev/bogo
docker run -i --rm tls-tris:bogo $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build a specific revision, use --build-arg REVISION=abcdef1234.