tls-tris

Filippo Valsorda a982da063d tris: allow failure of NSS interop tests at HEAD		pirms 6 gadiem
_dev	tris: make Travis-CI use Go 1.9	pirms 6 gadiem
testdata	crypto/tls: advertise support for SHA-512 signatures in 1.2	pirms 7 gadiem
.travis.yml	tris: allow failure of NSS interop tests at HEAD	pirms 6 gadiem
13.go	tris: implement draft-22 middlebox compatibility mode	pirms 6 gadiem
README.md	tris: update Go to 1.9	pirms 7 gadiem
alert.go	tris: convert end_of_early_data to a handshake message	pirms 6 gadiem
auth.go	crypto/tls: enable certificate validation on the client	pirms 6 gadiem
cipher_suites.go	crypto/tls: add RSASSA-PSS support for handshake messages	pirms 6 gadiem
common.go	tris: update Server Hello processing for D22	pirms 6 gadiem
conn.go	tris: implement draft-22 middlebox compatibility mode	pirms 6 gadiem
conn_test.go	crypto/tls: fix first byte test for 255 CBC padding bytes	pirms 7 gadiem
example_test.go	crypto/tls: add example for Config KeyLogWriter	pirms 8 gadiem
generate_cert.go	crypto/tls: recommend P256 elliptic curve	pirms 7 gadiem
handshake_client.go	tris: implement draft-22 middlebox compatibility mode	pirms 6 gadiem
handshake_client_test.go	Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream	pirms 7 gadiem
handshake_messages.go	tris: update Server Hello processing for D22	pirms 6 gadiem
handshake_messages_test.go	tris: update NewSessionTicket for draft -19 and -21	pirms 6 gadiem
handshake_server.go	tris: implement draft-22 middlebox compatibility mode	pirms 6 gadiem
handshake_server_test.go	Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream	pirms 7 gadiem
handshake_test.go	crypto/tls: advertise support for SHA-512 signatures in 1.2	pirms 7 gadiem
hkdf.go	crypto/tls: implement TLS 1.3 minimal server	pirms 7 gadiem
key_agreement.go	crypto/tls: add RSASSA-PSS support for handshake messages	pirms 6 gadiem
prf.go	crypto/tls: add RSASSA-PSS support for handshake messages	pirms 6 gadiem
prf_test.go	crypto/tls: decouple handshake signatures from the handshake hash.	pirms 9 gadiem
ticket.go	tris: update NewSessionTicket for draft -19 and -21	pirms 6 gadiem
tls.go	crypto/tls: disable CBC cipher suites with SHA-256 by default	pirms 7 gadiem
tls_test.go	Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream	pirms 7 gadiem

README.md

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn’t be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT. A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.

./_dev/go.sh build ./_dev/tris-localserver
TLSDEBUG=error ./tris-localserver 127.0.0.1:4443

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.

Building Caddy

./_dev/go.sh build github.com/mholt/caddy

Note: to get Caddy to use TLS 1.3 you’ll have to apply the patch at _dev/caddy/caddy.patch.

Testing with BoringSSL/NSS/Mint/...

./_dev/tris-localserver/start.sh --rm

docker build -t tls-tris:boring _dev/boring
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

docker build -t tls-tris:tstclnt _dev/tstclnt
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

docker build -t tls-tris:mint _dev/mint
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443

To build a specific revision, use --build-arg REVISION=abcdef1234.