The goal of this project is to better understand TLS 1.3 by creating a pure python implementation. Let's see how this goes!
Some resources that will be useful when learning about TLS 1.3:
- The Transport Layer Security (TLS) Protocol Version 1.3 RFC 8446
- Test for TLS 1.3 Support
- TLS 1.3 illustrated
We want a server that we can make TLS 1.3 requests to, with 0-RTT enabled (because I couldn't find a public server that supports it...).
Client:

```bash
# Build a plain HTTP request to send over TLS ($host must be set; it is the name the server expects)
host=host.docker.internal
echo -e "GET / HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n" > request.txt
# First connection: full TLS 1.3 handshake, save the session ticket to session.pem
openssl s_client -connect host.docker.internal:4433 -tls1_3 -sess_out session.pem -ign_eof < request.txt
# Second connection: resume with the saved ticket and send the request as 0-RTT early data
openssl s_client -connect host.docker.internal:4433 -tls1_3 -sess_in session.pem -early_data request.txt
```
Server:

```bash
# Self-signed cert and key (the output file name must match what s_server is given below)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout myPKey.pem \
    -out myCert.pem \
    -subj '/CN=US'
# Listen on the port the client connects to; -early_data makes s_server accept 0-RTT data
openssl s_server -accept 4433 -cert myCert.pem -key myPKey.pem -early_data
```
To test TLS 1.3 against our own endpoint (I couldn't find a public one with 0-RTT enabled), we use an nginx instance built by us.
To build:

```bash
cd ./test_server
docker build . -t nginxtls13:latest
```

To run:

```bash
docker run -p 4433:443 -it nginxtls13
```
When working on session resumption, I ran into some issues. To debug them I edited openssl (added some print statements) so that I could see what openssl was looking at and compare that to my code. This was some pretty hard debugging...
You can see the diffs to openssl in resources/openssl.diff.
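The session-resumption bugs above live in the key schedule: the PSK binder in the resumed ClientHello and the 0-RTT keys both come from the early secret, so a mismatch between your code and OpenSSL usually shows up there first. The following is an added worked example (not code from this project) of that part of RFC 8446 section 7.1 in pure Python, using only the standard library: HKDF-Extract/Expand, HKDF-Expand-Label, Derive-Secret and the PSK binder computation. The PSK and the truncated ClientHello bytes in the demo are constructed placeholders, not values from a real handshake.

```python
"""Minimal TLS 1.3 key-schedule helpers (RFC 8446 section 7.1), pure Python.

Added example for this README; not part of the project's own code.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256          # hash of the SHA256 cipher suites (e.g. TLS_AES_128_GCM_SHA256)
HASH_LEN = HASH().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated to `length` bytes."""
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """Encode the HkdfLabel struct: uint16 length, label<7..255> prefixed with "tls13 ", context<0..255>."""
    full_label = b"tls13 " + label
    return (struct.pack("!H", length)
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label(Secret, Label, Context, Length) = HKDF-Expand(Secret, HkdfLabel, Length)."""
    return hkdf_expand(secret, hkdf_label(length, label, context), length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages): context is the transcript hash of the messages so far."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def early_secrets(psk: bytes = b"") -> dict:
    """First stage of the key schedule.

    With no PSK the IKM is HashLen zero bytes (a full handshake); with a resumption PSK the same
    steps give the binder key that the ClientHello's PSK binder is computed with.
    """
    ikm = psk if psk else b"\x00" * HASH_LEN
    early_secret = hkdf_extract(b"", ikm)
    return {
        "early_secret": early_secret,
        "binder_key": derive_secret(early_secret, b"res binder", b""),   # "ext binder" for external PSKs
        "derived": derive_secret(early_secret, b"derived", b""),         # salt for the handshake secret
    }


def psk_binder(binder_key: bytes, truncated_client_hello: bytes) -> bytes:
    """PSK binder (RFC 8446 4.2.11.2): computed like a Finished message with binder_key as BaseKey,
    over the ClientHello truncated just before the binders list."""
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_client_hello).digest(), HASH).digest()


if __name__ == "__main__":
    # Constructed placeholder values for the demo only.
    demo_psk = bytes(range(32))
    demo_truncated_hello = b"\x01\x00\x00\x10" + b"\x03\x03" + b"\x00" * 10
    secrets = early_secrets(demo_psk)
    for name, value in secrets.items():
        print(f"{name:13s} {value.hex()}")
    print(f"{'psk_binder':13s} {psk_binder(secrets['binder_key'], demo_truncated_hello).hex()}")
```

With an empty PSK the `early_secret` and `derived` values equal the ones in RFC 8448 section 3, which is a convenient first check before comparing against the values printed by the patched openssl.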
The setup to build openssl with the changes is pretty simple. Clone it from git, apply the diff, build and install:

```bash
git clone <openssl>
cd openssl
# apply changes from resources/openssl.diff in this repo (e.g. git apply <path-to-repo>/resources/openssl.diff)
./config
make
make install
# run the patched s_server with the extra print statements
openssl s_server -accept 4433 -cert myCert.pem -key myPKey.pem -early_data
```
- Send an HTTP GET request to a TLS 1.3 server.
- Clean up code a bunch!!!
- Get a decent code review
- Session resumption (0-RTT)