ginuerzh
02f1d099c4
|
8 years ago | |
|---|---|---|
| .. | ||
| syntax | 8 years ago | |
| LICENSE.md | 8 years ago | |
| README.md | 8 years ago | |
| alert.go | 8 years ago | |
| client-state-machine.go | 8 years ago | |
| common.go | 8 years ago | |
| conn.go | 8 years ago | |
| cookie-protector.go | 8 years ago | |
| crypto.go | 8 years ago | |
| dtls.go | 8 years ago | |
| extensions.go | 8 years ago | |
| ffdhe.go | 8 years ago | |
| frame-reader.go | 8 years ago | |
| handshake-layer.go | 8 years ago | |
| handshake-messages.go | 8 years ago | |
| log.go | 8 years ago | |
| mint.svg | 8 years ago | |
| negotiation.go | 8 years ago | |
| record-layer.go | 8 years ago | |
| server-state-machine.go | 8 years ago | |
| state-machine.go | 8 years ago | |
| timer.go | 8 years ago | |
| tls.go | 8 years ago | |
README.md
mint - A Minimal TLS 1.3 stack
This project is primarily a learning effort for me to understand the TLS 1.3 protocol. The goal is to arrive at a pretty complete implementation of TLS 1.3, with minimal, elegant code that demonstrates how things work. Testing is a priority to ensure correctness, but otherwise, the quality of the software engineering might not be at a level where it makes sense to integrate this with other libraries. Backward compatibility is not an objective.
We borrow liberally from the Go TLS library, especially where TLS 1.3 aligns with earlier TLS versions. However, unnecessary parts will be ruthlessly cut off.
DTLS Support
Mint has partial support for DTLS, but that support is not yet complete and may still contain serious defects.
Quickstart
Installation is the same as for any other Go package:
go get github.com/bifurcation/mint
The API is pretty much the same as for the TLS module, with Dial and Listen
methods wrapping the underlying socket APIs.
conn, err := mint.Dial("tcp", "localhost:4430", &mint.Config{...})
...
listener, err := mint.Listen("tcp", "localhost:4430", &mint.Config{...})
Documentation is available on godoc.org
Interoperability testing
The mint-client and mint-server executables are included to make it easy to
do basic interoperability tests with other TLS 1.3 implementations. The steps
for testing against NSS are as follows.
# Install mint
go get github.com/bifurcation/mint
# Environment for NSS (you'll probably want a new directory)
NSS_ROOT=<whereever you want to put NSS>
mkdir $NSS_ROOT
cd $NSS_ROOT
export USE_64=1
export ENABLE_TLS_1_3=1
export HOST=localhost
export DOMSUF=localhost
# Build NSS
hg clone https://hg.mozilla.org/projects/nss
hg clone https://hg.mozilla.org/projects/nspr
cd nss
make nss_build_all
export PLATFORM=`cat $NSS_ROOT/dist/latest`
export DYLD_LIBRARY_PATH=$NSS_ROOT/dist/$PLATFORM/lib
export LD_LIBRARY_PATH=$NSS_ROOT/dist/$PLATFORM/lib
# Run NSS tests (this creates data for the server to use)
cd tests/ssl_gtests
./ssl_gtests.sh
# Test with client=mint server=NSS
cd $NSS_ROOT
./dist/$PLATFORM/bin/selfserv -d tests_results/security/$HOST.1/ssl_gtests/ -n rsa -p 4430
# if you get `NSS_Init failed.`, check the path above, particularly around $HOST
# ...
go run $GOPATH/src/github.com/bifurcation/mint/bin/mint-client/main.go
# Test with client=NSS server=mint
go run $GOPATH/src/github.com/bifurcation/mint/bin/mint-server/main.go
# ...
cd $NSS_ROOT
dist/$PLATFORM/bin/tstclnt -d tests_results/security/$HOST/ssl_gtests/ -V tls1.3:tls1.3 -h 127.0.0.1 -p 4430 -o