Alternative TLS implementation in Go
Go to file
2018-03-27 08:52:44 +01:00
_dev (tests) Refactor tris test server 2018-03-27 08:52:44 +01:00
testdata crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
.travis.yml (tests) Client Authentication: Tests against boringssl 2018-03-27 08:52:44 +01:00
13.go Client authentication 2018-03-27 08:52:44 +01:00
alert.go Adds 'certificate required' alert 2018-03-27 08:52:44 +01:00
auth.go crypto/tls: enable certificate validation on the client 2017-12-13 17:39:53 +00:00
cipher_suites.go Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77) 2018-03-21 14:27:31 +00:00
common.go Adds ID for CA's extension 2018-03-27 08:52:44 +01:00
conn_test.go crypto/tls: fix first byte test for 255 CBC padding bytes 2017-10-06 18:07:04 +00:00
conn.go Use certificate_request specific to TLS 1.3 2018-03-27 08:52:44 +01:00
example_test.go crypto/tls: add example for Config KeyLogWriter 2016-11-17 03:24:31 +00:00
generate_cert.go Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77) 2018-03-21 14:27:31 +00:00
handshake_client_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_client.go crypto/tls: optional "certificate_status" with OCSP 2018-03-21 16:26:26 +00:00
handshake_messages_test.go Adds structure for certificate_request in TLS 1.3 2018-03-27 08:52:44 +01:00
handshake_messages.go Adds structure for certificate_request in TLS 1.3 2018-03-27 08:52:44 +01:00
handshake_server_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
handshake_server.go tris: implement draft-22 middlebox compatibility mode 2017-12-13 20:16:48 +00:00
handshake_test.go crypto/tls: advertise support for SHA-512 signatures in 1.2 2017-11-08 22:39:36 +00:00
hkdf.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
key_agreement.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
prf_test.go crypto/tls: decouple handshake signatures from the handshake hash. 2015-04-30 03:47:02 +00:00
prf.go crypto/tls: add RSASSA-PSS support for handshake messages 2017-12-13 17:34:03 +00:00
README.md (tests) Refactor tris test server 2018-03-27 08:52:44 +01:00
ticket.go tris: update NewSessionTicket for draft -19 and -21 2017-12-13 17:49:25 +00:00
tls_test.go Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream 2017-11-14 14:26:20 +00:00
tls.go all: revert "all: prefer strings.LastIndexByte over strings.LastIndex" 2017-10-05 23:19:42 +00:00

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.

Build Status

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn't be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver -b 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.

Testing with BoringSSL/NSS/Mint/...

./_dev/tris-localserver/start.sh --rm
docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build a specific revision, use --build-arg REVISION=abcdef1234.