make the TLS cipher suites configurable

2025-04-03 20:27:35 +03:00 · 2020-02-01 15:58:40 +07:00 · 2020-02-01 15:58:40 +07:00 · f91dfda8c3
commit f91dfda8c3
parent 54b38cac0f
6 changed files with 50 additions and 3 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -4,6 +4,7 @@

 - Add support for 0-RTT.
 - Remove `Session.Close()`. Applications need to pass an application error code to the transport using `Session.CloseWithError()`.
+- Make the TLS Cipher Suites configurable (via `tls.Config.CipherSuites`).

 ## v0.14.0 (2019-12-04)

--- a/client.go
+++ b/client.go
@ -59,6 +59,7 @@ var (
 // DialAddr establishes a new QUIC connection to a server.
 // It uses a new UDP connection and closes this connection when the QUIC session is closed.
 // The hostname for SNI is taken from the given address.
+// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites.
 func DialAddr(
 	addr string,
 	tlsConf *tls.Config,
@ -70,6 +71,7 @@ func DialAddr(
 // DialAddrEarly establishes a new 0-RTT QUIC connection to a server.
 // It uses a new UDP connection and closes this connection when the QUIC session is closed.
 // The hostname for SNI is taken from the given address.
+// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites.
 func DialAddrEarly(
 	addr string,
 	tlsConf *tls.Config,
--- a/go.mod
+++ b/go.mod
@ -9,7 +9,7 @@ require (
 	github.com/golang/protobuf v1.3.0
 	github.com/marten-seemann/chacha20 v0.2.0
 	github.com/marten-seemann/qpack v0.1.0
-	github.com/marten-seemann/qtls v0.6.1
+	github.com/marten-seemann/qtls v0.7.0
 	github.com/onsi/ginkgo v1.11.0
 	github.com/onsi/gomega v1.8.1
 	golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472
--- a/go.sum
+++ b/go.sum
@ -15,8 +15,8 @@ github.com/marten-seemann/chacha20 v0.2.0 h1:f40vqzzx+3GdOmzQoItkLX5WLvHgPgyYqFF
 github.com/marten-seemann/chacha20 v0.2.0/go.mod h1:HSdjFau7GzYRj+ahFNwsO3ouVJr1HFkWoEwNDb4TMtE=
 github.com/marten-seemann/qpack v0.1.0 h1:/0M7lkda/6mus9B8u34Asqm8ZhHAAt9Ho0vniNuVSVg=
 github.com/marten-seemann/qpack v0.1.0/go.mod h1:LFt1NU/Ptjip0C2CPkhimBz5CGE3WGDAUWqna+CNTrI=
-github.com/marten-seemann/qtls v0.6.1 h1:N82hlQA7hMhikLjmx6BCJ/ey4zMc9ioHQmjXWwNu6is=
-github.com/marten-seemann/qtls v0.6.1/go.mod h1:pxVXcHHw1pNIt8Qo0pwSYQEoZ8yYOOPXTCZLQQunvRc=
+github.com/marten-seemann/qtls v0.7.0 h1:5orVe49aOr4ykvip1sxSEnN37nNjgxB7xTCrySLwN3E=
+github.com/marten-seemann/qtls v0.7.0/go.mod h1:pxVXcHHw1pNIt8Qo0pwSYQEoZ8yYOOPXTCZLQQunvRc=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=
--- a/integrationtests/self/handshake_test.go
+++ b/integrationtests/self/handshake_test.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"time"

@ -135,6 +136,48 @@ var _ = Describe("Handshake tests", func() {
 		})
 	}

+	Context("using different cipher suites", func() {
+		for n, id := range map[string]uint16{
+			"TLS_AES_128_GCM_SHA256":       tls.TLS_AES_128_GCM_SHA256,
+			"TLS_AES_256_GCM_SHA384":       tls.TLS_AES_256_GCM_SHA384,
+			"TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
+		} {
+			name := n
+			suiteID := id
+
+			It(fmt.Sprintf("using %s", name), func() {
+				tlsServerConf.CipherSuites = []uint16{suiteID}
+				ln, err := quic.ListenAddr("localhost:0", tlsServerConf, serverConfig)
+				Expect(err).ToNot(HaveOccurred())
+
+				go func() {
+					defer GinkgoRecover()
+					sess, err := ln.Accept(context.Background())
+					Expect(err).ToNot(HaveOccurred())
+					str, err := sess.OpenStream()
+					Expect(err).ToNot(HaveOccurred())
+					defer str.Close()
+					_, err = str.Write(PRData)
+					Expect(err).ToNot(HaveOccurred())
+				}()
+
+				sess, err := quic.DialAddr(
+					fmt.Sprintf("localhost:%d", ln.Addr().(*net.UDPAddr).Port),
+					getTLSClientConfig(),
+					nil,
+				)
+				Expect(err).ToNot(HaveOccurred())
+				str, err := sess.AcceptStream(context.Background())
+				Expect(err).ToNot(HaveOccurred())
+				data, err := ioutil.ReadAll(str)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(data).To(Equal(PRData))
+				Expect(sess.ConnectionState().CipherSuite).To(Equal(suiteID))
+				Expect(sess.CloseWithError(0, "")).To(Succeed())
+			})
+		}
+	})
+
 	Context("Certifiate validation", func() {
 		for _, v := range protocol.SupportedVersions {
 			version := v
--- a/server.go
+++ b/server.go
@ -132,6 +132,7 @@ func listenAddr(addr string, tlsConf *tls.Config, config *Config, acceptEarly bo
 // The PacketConn can be used for simultaneous calls to Dial.
 // QUIC connection IDs are used for demultiplexing the different connections.
 // The tls.Config must not be nil and must contain a certificate configuration.
+// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites.
 // Furthermore, it must define an application control (using NextProtos).
 // The quic.Config may be nil, in that case the default values will be used.
 func Listen(conn net.PacketConn, tlsConf *tls.Config, config *Config) (Listener, error) {