Skip to content

Upgrade TLS1.2 to TLS1.3#1101

Closed
lbarman wants to merge 7 commits intocloudflare:masterfrom
lbarman:tls1.3-cleaner
Closed

Upgrade TLS1.2 to TLS1.3#1101
lbarman wants to merge 7 commits intocloudflare:masterfrom
lbarman:tls1.3-cleaner

Conversation

@lbarman
Copy link
Copy Markdown

@lbarman lbarman commented Apr 22, 2020
edited
Loading

Hello, this is a work in progress which aims at upgrading the TLS version to 1.3 in the scan functionality. This follows issue #1089.

I'll update this PR with the relevant info as I progress. Comments along the way are welcome !

This superseeds #1098

Warning

This PR updates replaces the current TLS1.2 implementation with the TLS1.3 implementation from Go 1.13.9. It is enabled by default.

It adds the following modules:

  • golang.org/x/crypto/hkdf
  • golang.org/x/crypto/curve25519
  • golang.org/x/crypto/chacha20poly1305

Roadmap

My goal: cfssl scan -family TLSHandshake google.com works and uses TLS1.3 instead of 1.2

Status

cfssl scan -family TLSSession google.com:
a

TODOs:

  • Fix tests (that were coded for TLS1.2) and make sure they pass
  • Upgrade cfsslscan to work with the interface of TLS1.3 (slightly different than 1.2)
  • Upgrade the Grading algorithms to use/reflect TLS1.3, which includes:
  • Scanning with both TLS1.2 and TLS1.3
  • Rewiring some version-specific checks (e.g., SessionResumption in 1.2) to be done only with their version

Questions / Decisions to be made

Add a CLI option to explicitly scan in 1.2 or 1.3 ?

lbarman added 5 commits April 22, 2020 18:01
@lbarman
Add golang.org/x/crypto/hkdf to the modules
7c16f81 
(Seems unavoidable since HKDF is used in TLS1.3's key schedule)
@lbarman
Add dependency to golang.org/x/crypto/chacha20poly1305
56d56c3
@lbarman
Bit-for-bit copy of Reference implementation 1.13.9
aaa0cce
@lbarman
Fix import to golang.org/x/crypto/ed25519
afefda5
@lbarman
Update cfsslscan_common/handshake.go to work with TLS1.3
2d8a3ac 
Note: this is the commit that was really needed to swap for TLS1.3; all
previous commits were an attempt to patch the current implementation
towards 1.3, but that was long and error-prone. This is a clean change
on top of the copy-pasted reference implementation

Note2: Grading is still not updated to 1.3
Note3: I didn't update/run the tests (which the reference implementation
do not have)
@lbarman lbarman marked this pull request as draft April 22, 2020 16:20
This was referenced Apr 22, 2020
Closed
Closed
@lbarman lbarman changed the title Tls1.3 cleaner Upgrade TLS1.2 to TLS1.3 Apr 22, 2020
@lukevalenta lukevalenta mentioned this pull request May 27, 2020
Closed
@claucece
Copy link
Copy Markdown
Contributor

claucece commented Jul 22, 2020

Hi, @lbarman ! I'll probably will start working on these tasks to finish this PR.. is it ok with you?

@lbarman
Copy link
Copy Markdown
Author

lbarman commented Jul 22, 2020

Hey @claucece, absolutely! thanks :)

@claucece claucece mentioned this pull request Jul 27, 2020
Open
6 tasks
@claucece
Copy link
Copy Markdown
Contributor

claucece commented Jul 27, 2020
edited
Loading

This is now superseded by: #1120

@lbarman , small question, why do you change to use x/crypto/ed25519 and x/crypto/chacha20poly1305?

@claucece
Copy link
Copy Markdown
Contributor

claucece commented Jul 27, 2020

@lbarman I see why is needed now: because of go 1.12

@lbarman lbarman closed this Sep 25, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lbarman @claucece