[WIP] Upgrade TLS1.2 to TLS1.3 #1120

Open
claucece wants to merge 14 commits into cloudflare:master from claucece:tls_upgrade

@claucece claucece commented Jul 27, 2020

This takes the code done in PR #1101

TODOs:

  • Fix tests (that were coded for TLS1.2) and make sure they pass
  • Upgrade cfsslscan to work with the interface of TLS1.3 (slightly different than 1.2)
    • Check if some parts of the commons file should be omitted.
  • Upgrade the Grading algorithms to use/reflect TLS1.3, which includes:
    • Scanning with both TLS1.2 and TLS1.3
    • Rewiring some version-specific checks (e.g., SessionResumption in 1.2) to be done only with their version

lbarman and others added 9 commits April 22, 2020 18:01
(Seems unavoidable since HKDF is used in TLS1.3's key schedule)
Note: this is the commit that was really needed to swap for TLS1.3; all
previous commits were an attempt to patch the current implementation
towards 1.3, but that was long and error-prone. This is a clean change
on top of the copy-pasted reference implementation

Note2: Grading is still not updated to 1.3
Note3: I didn't update/run the tests (which the reference implementation
does not have)

codecov-commenter commented Jul 27, 2020

Codecov Report

Merging #1120 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1120   +/-   ##
=======================================
  Coverage   56.27%   56.27%           
=======================================
  Files          77       77           
  Lines        7309     7309           
=======================================
  Hits         4113     4113           
  Misses       2727     2727           
  Partials      469      469           
Impacted Files Coverage Δ
scan/tls_handshake.go 0.00% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 6b49bea...be042d1.

@claucece claucece mentioned this pull request Jul 27, 2020

3 participants