Alternative TLS implementation in Go
Go to file
Peter Wu d16cde640d tris: enable TLS 1.3 for tris-localserver again.
The default version (TLS 1.2) is no longer overridden with TLS 1.3 so
the server must explicitly set it.

Fixes: ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.")
2017-09-29 12:47:55 +01:00
_dev tris: enable TLS 1.3 for tris-localserver again. 2017-09-29 12:47:55 +01:00
testdata crypto/tls: enable ChaCha20-Poly1305 cipher suites by default. 2016-10-18 06:54:30 +00:00
.travis.yml tris: add proper BoGo tests 2017-09-05 21:06:35 +01:00
13.go tris: implement SSLKEYLOGFILE for TLS 1.3 server 2017-09-21 15:37:34 +01:00
alert.go crypto/tls: use correct alerts 2017-09-05 21:06:35 +01:00
cipher_suites.go crypto/tls: remove TLS13CipherSuites. 2017-09-29 12:47:14 +01:00
common.go crypto/tls: allow client to pick TLS 1.3, do not enable it by default. 2017-09-29 12:47:55 +01:00
conn_test.go crypto/tls: use io.ReadFull in conn_test.go 2017-02-24 02:36:10 +00:00
conn.go crypto/tls: add ConnectionState.Unique0RTTToken 2017-09-05 21:06:35 +01:00
example_test.go crypto/tls: add example for Config KeyLogWriter 2016-11-17 03:24:31 +00:00
generate_cert.go crypto/tls: recommend P256 elliptic curve 2017-04-10 17:40:01 +00:00
handshake_client_test.go tris: whitespace fix 2017-09-21 12:59:48 +01:00
handshake_client.go crypto/tls: allow client to pick TLS 1.3, do not enable it by default. 2017-09-29 12:47:55 +01:00
handshake_messages_test.go crypto/tls: add SignedCertificateTimestamps and OCSPStaple to 1.3 2017-09-05 21:06:35 +01:00
handshake_messages.go crypto/tls: fix SCT extension wire format 2017-09-05 21:06:35 +01:00
handshake_server_test.go crypto/tls: remove TLS13CipherSuites. 2017-09-29 12:47:14 +01:00
handshake_server.go crypto/tls: remove TLS13CipherSuites. 2017-09-29 12:47:14 +01:00
handshake_test.go crypto/tls: switch to OpenSSL 1.1.0 for test data. 2016-10-12 17:03:46 +00:00
hkdf.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
key_agreement.go crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
prf_test.go crypto/tls: decouple handshake signatures from the handshake hash. 2015-04-30 03:47:02 +00:00
prf.go crypto/tls: return from Handshake before the Client Finished in 1.3 2017-09-05 21:06:34 +01:00
README.md tris: update Go to 1.9 2017-09-07 17:40:17 +01:00
ticket.go tris: add SessionTicketSealer 2017-09-05 21:06:35 +01:00
tls_test.go crypto/tls: remove TLS13CipherSuites. 2017-09-29 12:47:14 +01:00
tls.go crypto/tls: disable CBC cipher suites with SHA-256 by default 2017-01-17 16:41:09 +00:00

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.

Build Status

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn't be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at _dev/caddy/caddy.patch.

Testing with BoringSSL/NSS/Mint/...

./_dev/tris-localserver/start.sh --rm
docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build a specific revision, use --build-arg REVISION=abcdef1234.