Support for TLS 1.3

[mildsunrise]

Starting with Node 11.10 (I think), Node.JS supports making TLS1.3 connections:
nodejs/node@7393e37af1 (commit on v11.x)
nodejs/node@42dbaed460 (commit on v12.x)

Info on TLS 1.3 secrets and how Wireshark decrypts them:
https://security.stackexchange.com/a/42350/5067 (would be nice adding to README)

All this means:

• The API changes, we should use session event if Node >= 11.10 is detected, instead of secureConnection or secureConnect.
• We should log secrets in a different format.

I'll try to work on this.

[kolontsov]

Thanks! It would be nice to support TLS 1.3 properly. I do have plans to work on it, but I didn't touched it yet, so any PRs/suggestions are welcome.

[kolontsov]

Reference: NodeJS/OpenSSL versions (from merged PR)

[mildsunrise]

Tracking nodejs/node#27419 for TLSv1.3 / keylog support in v10.

[mildsunrise]

I have started working on a PR to Node.JS, which exports the SSL_CTX_set_keylog_callback API as a keylog event which is emitted with the line of text.

So for instance:

const req = https.request("https://example.org")
req.on("socket", socket => {
  socket.on("keylog", console.log)
})

If it's accepted in Node.JS, we could then polyfill this API for older versions(?)

[kolontsov]

I have started working on a PR to Node.JS, which exports the SSL_CTX_set_keylog_callback API as a keylog event which is emitted with the line of text.

Very cool! This is a very right thing to do, good luck with that.

If it's accepted in Node.JS, we could then polyfill this API for older versions(?)

Agree. This implementation with events and handlers looks natural and flexible.

[mildsunrise]

Pull request created: nodejs/node#27654

[kolontsov]

Wow, it was fast. Nice work!

[mildsunrise]

It just landed on Node.JS 🎊 It was faster than I expected... I'm working on a polyfill for the API, do you think we could include it in this version?

[kolontsov]

Congratulations!

I'm working on a polyfill for the API, do you think we could include it in this version?

Yes. It would be great.

[mildsunrise]

Update: Node v12.3.0 was just released with the keylog API ✨

[mildsunrise]

In reference to #4 (comment), Node v10.16.0 was released 3 days ago, and it includes OpenSSL 1.1.1b, so keylog is available.

However it seems I misunderstood, TLSv1.3 has not been backported.
In fact, an exception is thrown if you attempt to use it (that's why 3060046 failed CI).

[mildsunrise]

I'll modify the tests to detect that exception and skip the test in that case.

[kolontsov]

Currently, I just skip TLS 1.3 test on Nodejs <11 (b47ba91), so it's not issue :)

[mildsunrise]

True! But I'd prefer to mark the test as skipped, rather than not registering it at all 🤔

[kolontsov]

It makes sense. I agree.

[mildsunrise]

We can close this now (unless I'm missing something)