I could not find an open issue, and I hope it is not already implemented, but TLS 1.3 support should be added!
TLS 1.3 is finalized AFAIK; browsers are soon going to implement the latest "draft" (not a draft anymore now, I don't know the name).
Waiting for Go to implement it into their standard library.
Fortunately, @FiloSottile -- who already implemented an earlier draft of TLS 1.3 in Go -- now works on the Go team doing cryptography. Sooooo I'm pretty confident it could happen by Go 1.11 or definitely Go 1.12. (Right? :wink:)
They seem to be aiming for Go 1.12.
Yep. We're looking at ~Feb. 2019 I think.
Uuh, so late??
Stability over speed, when it comes to things like this...
To get it in 1.11 we would have to mail it all by the end of the month, which was deemed way too tight. https://github.com/golang/go/wiki/Go-Release-Cycle
I've compiled Caddy together with the tls-tris lib from Cloudflare and released a how-to here: https://www.hnrk.io/md/2._caddy+TLS1.3.md.
Patch of Caddy (pretty-printed) is here.
TLS 1.3 version is RFC 8446.
PoC is https://www.hnrk.io/ (SSLLabs)
Hi Matt, sorry for chatting in the Caddy repo, but @Henrocker, it seems there is no https://golang.org/src/crypto/internal/ now.
GOARCH=amd64 GOROOT="/root/tls-tris/_dev/GOROOT/linux_amd64" go install -v std
_dev/GOROOT/linux_amd64/src/crypto/tls/common.go:10:2: cannot find package "crypto/internal/cipherhw" in any of:
/root/tls-tris/_dev/GOROOT/linux_amd64/src/vendor/crypto/internal/cipherhw (vendor tree)
/root/tls-tris/_dev/GOROOT/linux_amd64/src/crypto/internal/cipherhw (from $GOROOT)
/root/go/src/crypto/internal/cipherhw (from $GOPATH)
@vladbondarenko This is why I stated here that Go 1.10.4 is needed for this.
Updated the tutorial with regard to the Go 1.11.1 upgrade in tls-tris, and edited my comment above as well.
Thanks. That works on CentOS 7 also.
But @Henrocker, please fix the domain and URLs in https://github.com/mholt/caddy/issues/2080#issuecomment-427800326
from henrock.net to hnrk.io, I'm tired of being a telepath ))
@vladbondarenko Done!
The official patch for TLS1.3 support has been merged: https://github.com/golang/go/issues/9671.
If you don't want to wait for a new version of Caddy with TLS1.3 support, you just have to install golang from the source code (git) and then build caddy with the patch of @Henrocker:
go get github.com/mholt/caddy
go get github.com/caddyserver/builds
cd $GOPATH/src/github.com/mholt/caddy
wget https://www.hnrk.io/md/caddy.patch
patch -p1 < caddy.patch
cd $GOPATH/src/github.com/mholt/caddy/caddy
go run build.go
@unixfox Yeah, I did it, works fine.
Done in https://github.com/mholt/caddy/pull/2399. Go 1.12 now required to build Caddy.
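With Go 1.12 the TLS 1.3 code lives in the standard crypto/tls, so the property the SSLLabs PoC above demonstrates can be checked in-process. The following is an added example (not Caddy's code and not from anyone in this thread) that pins a server's floor at TLS 1.3 with MinVersion and reads the negotiated version back from ConnectionState; it assumes Go 1.13 or later (Go 1.12 only enabled TLS 1.3 behind GODEBUG=tls13=1, and Ed25519 certificates arrived in 1.13), and the certificate is a throwaway one generated on the fly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NegotiatedVersion runs an in-memory handshake against a server whose floor is
// TLS 1.3 and returns the version the client ended up with (0x0304 for 1.3).
func NegotiatedVersion() (uint16, error) {
	// Throwaway self-signed certificate, generated here instead of loaded from disk.
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return 0, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER came straight from CreateCertificate
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	// Server side: MinVersion is the floor, so a peer offering only 1.2 is refused.
	// Tickets are off so the server never blocks writing them to the unbuffered pipe.
	srv := &tls.Config{MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	// net.Pipe is an in-memory connection pair; both ends must handshake concurrently.
	sconn, cconn := net.Pipe()
	defer cconn.Close() // close the raw end; tls.Conn.Close would wait on close_notify
	go tls.Server(sconn, srv).Handshake()
	conn := tls.Client(cconn, &tls.Config{RootCAs: pool, ServerName: "localhost"})
	if err := conn.Handshake(); err != nil {
		return 0, err
	}
	return conn.ConnectionState().Version, nil
}

func main() {
	v, err := NegotiatedVersion()
	fmt.Printf("negotiated=0x%04x err=%v\n", v, err)
}
```

Setting MaxVersion: tls.VersionTLS12 on the client config instead makes the handshake fail with a version error, which is the behaviour a TLS 1.3-only floor should show.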