Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upcrypto/tls: add support for TLS 1.3 #9671
Comments
This comment has been minimized.
This comment has been minimized.
Huh?
Huh? This whole bug report seems to start on unfounded premises, or at least isn't clear. |
This comment has been minimized.
This comment has been minimized.
|
The draft is still being updated. We can talk about having TLS 1.3 once it's actually an RFC. [I have no idea what the text in the issue report body is supposed to mean, but the issue title is at least clear.] |
This comment has been minimized.
This comment has been minimized.
|
maybe it's time to consider this again? |
This comment has been minimized.
This comment has been minimized.
|
TLS 1.3 is still not approved, so I think we should delay this
a bit further.
|
This comment has been minimized.
This comment has been minimized.
|
https://go-review.googlesource.com/#/c/33115/ opened a branch for TLS 1.3 development. |
This comment has been minimized.
This comment has been minimized.
|
CL https://golang.org/cl/33164 mentions this issue. |
This comment has been minimized.
This comment has been minimized.
|
CL https://golang.org/cl/33416 mentions this issue. |
This comment has been minimized.
This comment has been minimized.
|
CL https://golang.org/cl/33419 mentions this issue. |
This comment has been minimized.
This comment has been minimized.
|
I see this is still "Unplanned" -- any possibility of getting this on track for Go 1.9? (Or is the final draft still too far out. I can never figure out where to find the status of these things.) |
This comment has been minimized.
This comment has been minimized.
|
@FiloSottile is working on this. Status? |
This comment has been minimized.
This comment has been minimized.
|
The server codebase we are using is pretty battle tested and complete now, so the commits starting If @agl has the review bandwidth, I can probably power through the client implementation in March. (Or maybe we can consider shipping server first?) BTW, @bradfitz it would be useful if I could submit for review on Gerrit commits I don't Author. There are a couple in there made by other people that agreed to have them submitted and signed the CLA. (Feel free to assign me this issue.) |
This comment has been minimized.
This comment has been minimized.
|
@FiloSottile, email me the list of author email addresses you wish to push forged commits to Gerrit with. I'll then check their CLAs and verify they're cool with you spoofing them. (Maybe cc them on your email to me and have them confirm?) |
This comment has been minimized.
This comment has been minimized.
|
CL https://golang.org/cl/48455 mentions this issue. |
This comment has been minimized.
This comment has been minimized.
|
CL https://golang.org/cl/48454 mentions this issue. |
This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates golang#9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
PSS signatures in X509 certificates are already supported, and now that handshake messages also support PSS, let's advertise it in the client and enable it for the server. Add test that checks for PSS signatures in (1) handshake messages and (2) certificates. Updates golang#9671 Tested with: go test -race crypto/tls -v -test.run TestHandshakeClientCertRSAPSS -args -update TODO update many other tests since signature_algorithms is updated. RFC force s_server to disable PSS for other tests, and use PKCS#1 v1.5? RFC ok to change tests to require openssl from git? Change-Id: I1b2ce2d13a07f5dda98b918313f3c581ce1d7b1d
This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates golang#9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
PSS signatures in X509 certificates are already supported, and now that handshake messages also support PSS, let's advertise it in the client and enable it for the server. Add test that checks for PSS signatures in (1) handshake messages and (2) certificates. Updates golang#9671 Tested with: go test -race crypto/tls -v -test.run TestHandshakeClientCertRSAPSS -args -update TODO update many other tests since signature_algorithms is updated. RFC force s_server to disable PSS for other tests, and use PKCS#1 v1.5? RFC ok to change tests to require openssl from git? Change-Id: I1b2ce2d13a07f5dda98b918313f3c581ce1d7b1d
This comment has been minimized.
This comment has been minimized.
|
Change https://golang.org/cl/79738 mentions this issue: |
This comment has been minimized.
This comment has been minimized.
|
@FiloSottile With this last commit, is TLS 1.3 support ready for testing? |
This comment has been minimized.
This comment has been minimized.
|
Once it gets merged (and this issue closed), you are very welcome to test TLS 1.3 by using Go master. Please file feedback and bugs as new GitHub issues and tag me. Note that the codebase will undergo much more testing before we are ok with shipping it in 1.12, so you shouldn't rely on its security the same way you shouldn't rely on master to be bug free. |
Also, add support for the SSLKEYLOGFILE environment variable to the tests, to simplify debugging of unexpected failures. Updates #9671 Change-Id: I20a34a5824f083da93097b793d51e796d6eb302b Reviewed-on: https://go-review.googlesource.com/c/147417 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
Since TLS 1.3 delivers handshake messages (including KeyUpdate) after the handshake, the want argument to readRecord had became almost pointless: it only meant something when set to recordTypeChangeCipherSpec. Replaced it with a bool to reflect that, and added two shorthands to avoid anonymous bools in calls. Took the occasion to simplify and formalize the invariants of readRecord. The maxConsecutiveEmptyRecords loop became useless when readRecord started retrying on any non-advancing record in CL 145297. Replaced panics with errors, because failure is better than undefined behavior, but contained failure is better than a DoS vulnerability. For example, I suspect the panic at the top of readRecord was reachable from handleRenegotiation, which calls readHandshake with handshakeComplete false. Thankfully it was not a panic in 1.11, and it's allowed now. Removed Client-TLSv13-RenegotiationRejected because OpenSSL isn't actually willing to ask for renegotiation over TLS 1.3, the expected error was due to NewSessionTicket messages, which didn't break the rest of the tests because they stop too soon. Updates #9671 Change-Id: I297a81bde5c8020a962a92891b70d6d70b90f5e3 Reviewed-on: https://go-review.googlesource.com/c/147418 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
Looks like the introduction of CCS records in the client second flight gave time to s_server to send NewSessionTicket messages in between the client application data and close_notify. There seems to be no way of turning NewSessionTicket messages off, neither by not sending a psk_key_exchange_modes extension, nor by command line flag. Interleaving the client write like that tickled an issue akin to #18701: on Windows, the client reaches Close() before the last record is drained from the send buffer, the kernel notices and resets the connection, cutting short the last flow. There is no good way of synchronizing this, so we sleep for a RTT before calling close, like in CL 75210. Sigh. Updates #9671 Change-Id: I44dc1cca17b373695b5a18c2741f218af2990bd1 Reviewed-on: https://go-review.googlesource.com/c/147419 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
Also check original certificate validity when resuming TLS 1.0–1.2. Will refuse to resume a session if the certificate is expired or if the original connection had InsecureSkipVerify and the resumed one doesn't. Support only PSK+DHE to protect forward secrecy even with lack of a strong session ticket rotation story. Tested with NSS because s_server does not provide any way of getting the same session ticket key across invocations. Will self-test like TLS 1.0–1.2 once server side is implemented. Incorporates CL 128477 by @santoshankr. Fixes #24919 Updates #9671 Change-Id: Id3eaa5b6c77544a1357668bf9ff255f3420ecc34 Reviewed-on: https://go-review.googlesource.com/c/147420 Reviewed-by: Adam Langley <agl@golang.org>
Added some assertions to testHandshake, but avoided checking the error of one of the Close() because the one that would lose the race would write the closeNotify to a connection closed on the other side which is broken on js/wasm (#28650). Moved that Close() after the chan sync to ensure it happens second. Accepting a ticket with client certificates when NoClientCert is configured is probably not a problem, and we could hide them to avoid confusing the application, but the current behavior is to skip the ticket, and I'd rather keep behavior changes to a minimum. Updates #9671 Change-Id: I93b56e44ddfe3d48c2bef52c83285ba2f46f297a Reviewed-on: https://go-review.googlesource.com/c/147445 Reviewed-by: Adam Langley <agl@golang.org>
Note that the SignatureSchemes passed to GetClientCertificate in TLS 1.2 are now filtered by the requested certificate type. This feels like an improvement anyway, and the full list can be surfaced as well when support for signature_algorithms_cert is added, which actually matches the semantics of the CertificateRequest signature_algorithms in TLS 1.2. Also, note a subtle behavior change in server side resumption: if a certificate is requested but not required, and the resumed session did not include one, it used not to invoke VerifyPeerCertificate. However, if the resumed session did include a certificate, it would. (If a certificate was required but not in the session, the session is rejected in checkForResumption.) This inconsistency could be unexpected, even dangerous, so now VerifyPeerCertificate is always invoked. Still not consistent with the client behavior, which does not ever invoke VerifyPeerCertificate on resumption, but it felt too surprising to entirely change either. Updates #9671 Change-Id: Ib2b0dbc30e659208dca3ac07d6c687a407d7aaaf Reviewed-on: https://go-review.googlesource.com/c/147599 Reviewed-by: Adam Langley <agl@golang.org>
TLS_FALLBACK_SCSV is extremely fragile in the presence of sparse supported_version, but gave it the best try I could. Set the server random canaries but don't check them yet, waiting for the browsers to clear the way of misbehaving middleboxes. Updates #9671 Change-Id: Ie55efdec671d639cf1e716acef0c5f103e91a7ce Reviewed-on: https://go-review.googlesource.com/c/147617 Reviewed-by: Adam Langley <agl@golang.org>
This comment has been minimized.
This comment has been minimized.
|
@FiloSottile, thanks for your awesome work! I've looked through the commits and didn't find anything related to the encrypted SNI. Are there any plans on implementing the spec? Mozilla and Cloudflare have already implemented ESNI (though it's currently not enabled by default in Firefox). |
This comment has been minimized.
This comment has been minimized.
|
We generally wait for the browsers to experiment with new TLS features before implementing them, and anyway we are extremely unlikely to implement an Internet-Draft, so there are no plans for encrypted SNI. Also, crypto/tls has a high benefit/complexity bar, so we will want to wait until encrypted SNI is widely deployed before implementing it. |
This comment has been minimized.
This comment has been minimized.
|
hi @FiloSottile , does the current implement support the 0-RRT? |
This comment has been minimized.
This comment has been minimized.
|
@lvht, no, it does not. Not for Go 1.12. |
This comment has been minimized.
This comment has been minimized.
|
@bradfitz is there a roadmap to implement the 0-RRT? |
This comment has been minimized.
This comment has been minimized.
|
I can't find the email now, but I recall @FiloSottile saying somewhere it could come later once we have more time to think about the API for it. (For security reasons, it can't be automatic, but perhaps net/http's Transport could use it for idempotent requests on new connections...) |
This comment has been minimized.
This comment has been minimized.
|
@FiloSottile Is there any update on the 0-rtt earlydata progress? |
This comment has been minimized.
This comment has been minimized.
|
@Henrocker It's not currently on the roadmap. It will also depend on how the ecosystem develops. |
This comment has been minimized.
This comment has been minimized.
|
@Henrocker , did you mean to post that question to github.com/caddyserver/caddy ? They maintain their issues in their own repo. |
See https://tools.ietf.org/html/draft-ietf-tls-tls13.
Coexistence of IPv4 and IPv6 harms the net package.
Coexistence of HTTP/1.x and HTTP/2 will harm the net/http package.
For now looks coexistence of TLS 1.2 and 1.3 won't harm the crypto/tls package.
How about a variety of compositions on HTTP over TLS over IP?