kris/th5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Alternative TLS implementation in Go
443 Commits 3 Branches 0 Tags 2.6 MiB
Go 99.8%
Shell 0.2%
c89a0a5f3a
Go to file
Peter Wu c89a0a5f3a tris: Add initial client interoperability tests 
Prepare framework for testing tls-tris as client against other servers.
Currently only boringssl is implemented, but the idea is to add support
for others too (NSS, OpenSSL, picotls, tris, ...).

To test multiple certificate types, copy ecdsa.pem and rsa.pem from
tris-localserver for boringssl. The boringssl image is reused for the
server since the binaries were built anyway. Revision is bumped to
something to fix a build error and make the -loop and -www options work.
2017-12-13 17:39:53 +00:00
_dev tris: Add initial client interoperability tests 2017-12-13 17:39:53 +00:00
testdata crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
.travis.yml tris: Add initial client interoperability tests 2017-12-13 17:39:53 +00:00
13.go tris: process ALPN in EE received by client 2017-12-13 17:39:53 +00:00
alert.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
auth.go crypto/tls: enable certificate validation on the client 2017-12-13 17:39:53 +00:00
cipher_suites.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
common.go tris: advertise PSS in Client Hello for TLS 1.3 2017-12-13 17:39:53 +00:00
conn_test.go crypto/tls: fix first byte test for 255 CBC padding bytes 2017-10-06 18:07:04 +00:00
conn.go tris: prevent sending 0.5-RTT data 2017-12-01 19:08:31 +00:00
example_test.go crypto/tls: add example for Config KeyLogWriter 2016-11-17 03:24:31 +00:00
generate_cert.go crypto/tls: recommend P256 elliptic curve 2017-04-10 17:40:01 +00:00
handshake_client_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_client.go tris: advertise PSS in Client Hello for TLS 1.3 2017-12-13 17:39:53 +00:00
handshake_messages_test.go tris: unify ServerHello processing in preparation for D22 2017-11-24 19:44:22 +00:00
handshake_messages.go tris: unify ServerHello processing in preparation for D22 2017-11-24 19:44:22 +00:00
handshake_server_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_server.go crypto/tls: consolidate signatures handling in SKE and CV 2017-12-13 17:34:03 +00:00
handshake_test.go crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
hkdf.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
key_agreement.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
prf_test.go crypto/tls: decouple handshake signatures from the handshake hash. 2015-04-30 03:47:02 +00:00
prf.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
README.md tris: update Go to 1.9 2017-09-07 17:40:17 +01:00
ticket.go tris: add SessionTicketSealer 2017-09-05 21:06:35 +01:00
tls_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
tls.go all: revert "all: prefer strings.LastIndexByte over strings.LastIndex" 2017-10-05 23:19:42 +00:00

README.md 

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.

Build Status

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn't be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.

Testing with BoringSSL/NSS/Mint/...

./_dev/tris-localserver/start.sh --rm

docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build a specific revision, use --build-arg REVISION=abcdef1234.