Skip to content

Upgrade TLS1.2 to TLS1.3 #1101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 7 commits into from
Closed

Upgrade TLS1.2 to TLS1.3 #1101

wants to merge 7 commits into from

Conversation

lbarman
Copy link

@lbarman lbarman commented Apr 22, 2020
edited
Loading

Hello, this is a work in progress which aims at upgrading the TLS version to 1.3 in the scan functionality. This follows issue #1089.

I'll update this PR with the relevant info as I progress. Comments along the way are welcome !

This superseeds #1098

Warning

This PR updates replaces the current TLS1.2 implementation with the TLS1.3 implementation from Go 1.13.9. It is enabled by default.

It adds the following modules:

  • golang.org/x/crypto/hkdf
  • golang.org/x/crypto/curve25519
  • golang.org/x/crypto/chacha20poly1305

Roadmap

My goal: cfssl scan -family TLSHandshake google.com works and uses TLS1.3 instead of 1.2

Status

cfssl scan -family TLSSession google.com:
a

TODOs:

  • Fix tests (that were coded for TLS1.2) and make sure they pass
  • Upgrade cfsslscan to work with the interface of TLS1.3 (slightly different than 1.2)
  • Upgrade the Grading algorithms to use/reflect TLS1.3, which includes:
  • Scanning with both TLS1.2 and TLS1.3
  • Rewiring some version-specific checks (e.g., SessionResumption in 1.2) to be done only with their version

Questions / Decisions to be made

Add a CLI option to explicitly scan in 1.2 or 1.3 ?

lbarman added 5 commits April 22, 2020 18:01
@lbarman
Add golang.org/x/crypto/hkdf to the modules
7c16f81 
(Seems unavoidable since HKDF is used in TLS1.3's key schedule)
@lbarman
Add dependency to golang.org/x/crypto/chacha20poly1305
56d56c3
@lbarman
Bit-for-bit copy of Reference implementation 1.13.9
aaa0cce
@lbarman
Fix import to golang.org/x/crypto/ed25519
afefda5
@lbarman
Update cfsslscan_common/handshake.go to work with TLS1.3
2d8a3ac 
Note: this is the commit that was really needed to swap for TLS1.3; all
previous commits were an attempt to patch the current implementation
towards 1.3, but that was long and error-prone. This is a clean change
on top of the copy-pasted reference implementation

Note2: Grading is still not updated to 1.3
Note3: I didn't update/run the tests (which the reference implementation
do not have)
@lbarman lbarman marked this pull request as draft April 22, 2020 16:20
This was referenced Apr 22, 2020
Closed
Closed
@lbarman lbarman changed the title Tls1.3 cleaner Upgrade TLS1.2 to TLS1.3 Apr 22, 2020
@lukevalenta lukevalenta mentioned this pull request May 27, 2020
Closed
@claucece
Copy link
Contributor

Hi, @lbarman ! I'll probably will start working on these tasks to finish this PR.. is it ok with you?

@lbarman
Copy link
Author

lbarman commented Jul 22, 2020

Hey @claucece, absolutely! thanks :)

@claucece claucece mentioned this pull request Jul 27, 2020
Open
6 tasks
@claucece
Copy link
Contributor

claucece commented Jul 27, 2020
edited
Loading

This is now superseded by: #1120

@lbarman , small question, why do you change to use x/crypto/ed25519 and x/crypto/chacha20poly1305?

@claucece
Copy link
Contributor

@lbarman I see why is needed now: because of go 1.12

@lbarman lbarman closed this Sep 25, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lbarman @claucece