crypto/tls: add support for TLS 1.3 #9671
Comments
Huh?
Huh? This whole bug report seems to start on unfounded premises, or at least isn't clear. |
|
The draft is still being updated. We can talk about having TLS 1.3 once it's actually an RFC. [I have no idea what the text in the issue report body is supposed to mean, but the issue title is at least clear.] |
|
maybe it's time to consider this again? |
|
TLS 1.3 is still not approved, so I think we should delay this
a bit further.
|
|
https://go-review.googlesource.com/#/c/33115/ opened a branch for TLS 1.3 development. |
|
CL https://golang.org/cl/33164 mentions this issue. |
|
CL https://golang.org/cl/33416 mentions this issue. |
|
CL https://golang.org/cl/33419 mentions this issue. |
|
I see this is still "Unplanned" -- any possibility of getting this on track for Go 1.9? (Or is the final draft still too far out. I can never figure out where to find the status of these things.) |
|
@FiloSottile is working on this. Status? |
|
The server codebase we are using is pretty battle tested and complete now, so the commits starting If @agl has the review bandwidth, I can probably power through the client implementation in March. (Or maybe we can consider shipping server first?) BTW, @bradfitz it would be useful if I could submit for review on Gerrit commits I don't Author. There are a couple in there made by other people that agreed to have them submitted and signed the CLA. (Feel free to assign me this issue.) |
|
@FiloSottile, email me the list of author email addresses you wish to push forged commits to Gerrit with. I'll then check their CLAs and verify they're cool with you spoofing them. (Maybe cc them on your email to me and have them confirm?) |
bradfitz
added
FeatureRequest
NeedsFix
|
CL https://golang.org/cl/48455 mentions this issue. |
|
CL https://golang.org/cl/48454 mentions this issue. |
This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates golang#9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
PSS signatures in X509 certificates are already supported, and now that handshake messages also support PSS, let's advertise it in the client and enable it for the server. Add test that checks for PSS signatures in (1) handshake messages and (2) certificates. Updates golang#9671 Tested with: go test -race crypto/tls -v -test.run TestHandshakeClientCertRSAPSS -args -update TODO update many other tests since signature_algorithms is updated. RFC force s_server to disable PSS for other tests, and use PKCS#1 v1.5? RFC ok to change tests to require openssl from git? Change-Id: I1b2ce2d13a07f5dda98b918313f3c581ce1d7b1d
This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates golang#9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
PSS signatures in X509 certificates are already supported, and now that handshake messages also support PSS, let's advertise it in the client and enable it for the server. Add test that checks for PSS signatures in (1) handshake messages and (2) certificates. Updates golang#9671 Tested with: go test -race crypto/tls -v -test.run TestHandshakeClientCertRSAPSS -args -update TODO update many other tests since signature_algorithms is updated. RFC force s_server to disable PSS for other tests, and use PKCS#1 v1.5? RFC ok to change tests to require openssl from git? Change-Id: I1b2ce2d13a07f5dda98b918313f3c581ce1d7b1d
|
Change https://golang.org/cl/79738 mentions this issue: |
Looks like the introduction of CCS records in the client second flight gave time to s_server to send NewSessionTicket messages in between the client application data and close_notify. There seems to be no way of turning NewSessionTicket messages off, neither by not sending a psk_key_exchange_modes extension, nor by command line flag. Interleaving the client write like that tickled an issue akin to #18701: on Windows, the client reaches Close() before the last record is drained from the send buffer, the kernel notices and resets the connection, cutting short the last flow. There is no good way of synchronizing this, so we sleep for a RTT before calling close, like in CL 75210. Sigh. Updates #9671 Change-Id: I44dc1cca17b373695b5a18c2741f218af2990bd1 Reviewed-on: https://go-review.googlesource.com/c/147419 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Adam Langley <[email protected]>
Also check original certificate validity when resuming TLS 1.0–1.2. Will refuse to resume a session if the certificate is expired or if the original connection had InsecureSkipVerify and the resumed one doesn't. Support only PSK+DHE to protect forward secrecy even with lack of a strong session ticket rotation story. Tested with NSS because s_server does not provide any way of getting the same session ticket key across invocations. Will self-test like TLS 1.0–1.2 once server side is implemented. Incorporates CL 128477 by @santoshankr. Fixes #24919 Updates #9671 Change-Id: Id3eaa5b6c77544a1357668bf9ff255f3420ecc34 Reviewed-on: https://go-review.googlesource.com/c/147420 Reviewed-by: Adam Langley <[email protected]>
Added some assertions to testHandshake, but avoided checking the error of one of the Close() because the one that would lose the race would write the closeNotify to a connection closed on the other side which is broken on js/wasm (#28650). Moved that Close() after the chan sync to ensure it happens second. Accepting a ticket with client certificates when NoClientCert is configured is probably not a problem, and we could hide them to avoid confusing the application, but the current behavior is to skip the ticket, and I'd rather keep behavior changes to a minimum. Updates #9671 Change-Id: I93b56e44ddfe3d48c2bef52c83285ba2f46f297a Reviewed-on: https://go-review.googlesource.com/c/147445 Reviewed-by: Adam Langley <[email protected]>
Note that the SignatureSchemes passed to GetClientCertificate in TLS 1.2 are now filtered by the requested certificate type. This feels like an improvement anyway, and the full list can be surfaced as well when support for signature_algorithms_cert is added, which actually matches the semantics of the CertificateRequest signature_algorithms in TLS 1.2. Also, note a subtle behavior change in server side resumption: if a certificate is requested but not required, and the resumed session did not include one, it used not to invoke VerifyPeerCertificate. However, if the resumed session did include a certificate, it would. (If a certificate was required but not in the session, the session is rejected in checkForResumption.) This inconsistency could be unexpected, even dangerous, so now VerifyPeerCertificate is always invoked. Still not consistent with the client behavior, which does not ever invoke VerifyPeerCertificate on resumption, but it felt too surprising to entirely change either. Updates #9671 Change-Id: Ib2b0dbc30e659208dca3ac07d6c687a407d7aaaf Reviewed-on: https://go-review.googlesource.com/c/147599 Reviewed-by: Adam Langley <[email protected]>
TLS_FALLBACK_SCSV is extremely fragile in the presence of sparse supported_version, but gave it the best try I could. Set the server random canaries but don't check them yet, waiting for the browsers to clear the way of misbehaving middleboxes. Updates #9671 Change-Id: Ie55efdec671d639cf1e716acef0c5f103e91a7ce Reviewed-on: https://go-review.googlesource.com/c/147617 Reviewed-by: Adam Langley <[email protected]>
|
@FiloSottile, thanks for your awesome work! I've looked through the commits and didn't find anything related to the encrypted SNI. Are there any plans on implementing the spec? Mozilla and Cloudflare have already implemented ESNI (though it's currently not enabled by default in Firefox). |
|
We generally wait for the browsers to experiment with new TLS features before implementing them, and anyway we are extremely unlikely to implement an Internet-Draft, so there are no plans for encrypted SNI. Also, crypto/tls has a high benefit/complexity bar, so we will want to wait until encrypted SNI is widely deployed before implementing it. |
|
hi @FiloSottile , does the current implement support the 0-RRT? |
|
@lvht, no, it does not. Not for Go 1.12. |
|
@bradfitz is there a roadmap to implement the 0-RRT? |
|
I can't find the email now, but I recall @FiloSottile saying somewhere it could come later once we have more time to think about the API for it. (For security reasons, it can't be automatic, but perhaps net/http's Transport could use it for idempotent requests on new connections...) |
ghost
mentioned this issue
|
@FiloSottile Is there any update on the 0-rtt earlydata progress? |
|
@henrocker It's not currently on the roadmap. It will also depend on how the ecosystem develops. |
|
@henrocker , did you mean to post that question to github.com/caddyserver/caddy ? They maintain their issues in their own repo. |
See https://tools.ietf.org/html/draft-ietf-tls-tls13.
Coexistence of IPv4 and IPv6 harms the net package.
Coexistence of HTTP/1.x and HTTP/2 will harm the net/http package.
For now looks coexistence of TLS 1.2 and 1.3 won't harm the crypto/tls package.
How about a variety of compositions on HTTP over TLS over IP?
The text was updated successfully, but these errors were encountered: