
TLS 1.3 (minimal)

Open droe opened this issue 7 years ago • 1 comment

Preflight checklist:

  • [ ] Read up on changes in OpenSSL 1.1.1 and TLS 1.3
  • [ ] Specifically investigate how encrypted SNI is handled by the OpenSSL 1.1.1 API.
  • [ ] Investigate if any other intercepting proxies already handle encrypted SNI, and if so, what approach has been chosen.

Tasks:

  • [x] Achieve minimal support for TLS 1.3 by supporting normal build against OpenSSL 1.1.1 and latest BoringSSL
  • [ ] Adapt all SSL/TLS configuration options (like -r, -R, -s, -g, -G etc) to fully work with new TLS 1.3 concepts, add TLS 1.3 examples to documentation where there are differences vs TLS 1.2 (such as cipher suites); disable TLS 1.3 specific code on LibreSSL and old OpenSSL/BoringSSL
  • [ ] If necessary, adjust our own ClientHello parser to deal with TLS 1.3, including failing gracefully with encrypted SNI (w/any TLS version)
  • [ ] Test with different SSL libraries and different clients

Out of scope:

  • #208 Handle encrypted SNI

Useful references:

  • https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
  • https://www.openssl.org/blog/blog/2018/09/11/release111/

droe, Sep 04 '18 01:09
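The third task above asks for a ClientHello parser that copes with TLS 1.3 and fails gracefully when the SNI is encrypted. As an added example (not sslsplit's own parser), here is a bounds-checked SNI extractor in C that distinguishes "no plaintext server_name extension" (the encrypted-SNI case, reported as 0) from a truncated or malformed message (-1); the TLS 1.3-style ClientHello bytes are constructed, and the 0xffce extension codepoint used to stand in for a draft-ESNI extension is an assumption.

```c
#include <stdint.h>
#include <string.h>
#define U16(q)  (((size_t)(q)[0] << 8) | (q)[1])                   /* big-endian uint16 */
#define NEED(k) if (i + (k) > end) return -1   /* bounds-check before reading k bytes */
/* Parse a handshake message (record layer stripped): 1 = plaintext server_name copied to
 * out, 0 = well-formed but no plaintext SNI (encrypted-SNI case), -1 = malformed/truncated. */
static int clienthello_sni(const uint8_t *p, size_t n, char *out, size_t outlen)
{
    if (n < 4 || p[0] != 0x01) return -1;                        /* must be client_hello */
    size_t end = 4 + (((size_t)p[1] << 16) | U16(p + 2)), i = 38; /* past version+random */
    if (end > n) return -1;
    NEED(1); i += 1 + p[i];                                      /* legacy_session_id */
    NEED(2); i += 2 + U16(p + i);                                /* cipher_suites */
    NEED(1); i += 1 + p[i];                                      /* legacy_compression_methods */
    if (i == end) return 0;                                      /* no extensions block */
    NEED(2); if (i + 2 + U16(p + i) != end) return -1;           /* extensions length */
    i += 2;
    while (i + 4 <= end) {
        size_t type = U16(p + i), len = U16(p + i + 2);
        i += 4;
        NEED(len);
        if (type == 0) {                                         /* server_name, RFC 6066 */
            if (len < 5 || U16(p + i) + 2 != len || p[i + 2] != 0) return -1;
            size_t hlen = U16(p + i + 3);
            if (hlen + 5 != len || hlen >= outlen) return -1;
            memcpy(out, p + i + 5, hlen); out[hlen] = '\0';
            return 1;
        }
        i += len;
    }
    return i == end ? 0 : -1;                                    /* stray trailing bytes */
}
char demo_host[64];                 /* hostname recovered by the last demo() call */
/* Build a constructed TLS 1.3-style ClientHello (legacy_version 0x0303, TLS_AES_128_GCM_SHA256,
 * supported_versions 0x0304) and parse it. mode 0: plaintext server_name "example.com";
 * mode 1: only a draft-ESNI-style extension (0xffce, assumed codepoint); mode 2: mode 1 cut short. */
int demo(int mode)
{
    static const uint8_t sni[] = { 0,0, 0,16, 0,14, 0, 0,11, 'e','x','a','m','p','l','e','.','c','o','m' };
    static const uint8_t esni[] = { 0xff,0xce, 0,4, 0xde,0xad,0xbe,0xef };
    static const uint8_t mid[] = { 0, 0,2,0x13,0x01, 1,0, 0,0, 0,0x2b,0,3,2,0x03,0x04 };
    uint8_t buf[128]; const uint8_t *ext = mode ? esni : sni;
    size_t i = 38, elen = mode ? sizeof esni : sizeof sni;
    buf[0] = 0x01; buf[1] = buf[2] = 0; buf[4] = buf[5] = 0x03; memset(buf + 6, 0x42, 32); /* hdr, random */
    memcpy(buf + i, mid, sizeof mid); i += sizeof mid;  /* session_id, suites, compression, ext_len, supported_versions */
    memcpy(buf + i, ext, elen); i += elen;
    buf[3] = (uint8_t)(i - 4); buf[46] = (uint8_t)(7 + elen);    /* patch handshake and extensions lengths */
    return clienthello_sni(buf, mode == 2 ? i - 4 : i, demo_host, sizeof demo_host);
}
```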

Build against OpenSSL 1.1.1 now works and unit tests pass, but there has not been much testing. In particular, TLS 1.3 has not been tested yet.

droe, Oct 29 '18 19:10