Fork of the Go standard TLS library, providing low-level access to the ClientHello for mimicry purposes.
A big shout out to @3andne for spending time on major refactoring/revision in the Session Resumption for both TLS 1.2 (SessionTicket-based) and TLS 1.3 (PreSharedKey-based)!
type ISessionTicketExtension interface {
    // TLSExtension must be implemented by all ISessionTicketExtension implementations.
    TLSExtension

    // Initializable: if IsInitialized() returns false, utls will invoke InitializeByUtls() for the necessary initialization.
    Initializable

    // InitializeByUtls is invoked when IsInitialized() returns false.
    // It initializes the extension using a real and valid TLS 1.2 session.
    InitializeByUtls(session *SessionState, ticket []byte)

    GetSession() *SessionState
    GetTicket() []byte
}

// SetSessionTicketExtension sets the session ticket extension.
// If sessionTicketExt is nil, this is a no-op.
func (uconn *UConn) SetSessionTicketExtension(sessionTicketExt ISessionTicketExtension)
type PreSharedKeyExtension interface {
    // TLSExtension must be implemented by all PreSharedKeyExtension implementations.
    TLSExtension

    // Initializable: if IsInitialized() returns false, utls will invoke InitializeByUtls() for the necessary initialization.
    Initializable

    SetOmitEmptyPsk(val bool)

    // InitializeByUtls is invoked when IsInitialized() returns false.
    // It initializes the extension using a real and valid TLS 1.3 session.
    InitializeByUtls(session *SessionState, earlySecret []byte, binderKey []byte, identities []PskIdentity)

    // GetPreSharedKeyCommon retrieves the final PreSharedKey-related states as defined in PreSharedKeyCommon.
    GetPreSharedKeyCommon() PreSharedKeyCommon

    // PatchBuiltHello is called once the hello message is fully applied and marshaled.
    // Its purpose is to update the binders of the PSK (Pre-Shared Key) identities.
    PatchBuiltHello(hello *PubClientHelloMsg) error

    mustEmbedUnimplementedPreSharedKeyExtension() // works like a type guard
}

// SetPskExtension sets the PSK extension for TLS 1.3 resumption. This is a no-op if pskExt is nil.
func (uconn *UConn) SetPskExtension(pskExt PreSharedKeyExtension) error
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.4.3...v1.5.0
Fixed a previous bug causing PSK resumption to fail. Now UtlsPreSharedKeyExtension does not contain any externally-set states -- the user MUST set Config.ClientSessionCache for resumption.
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.5.0-beta.3...v1.5.0-beta.4
Some minor changes and now we got PSK examples!
There's a bug: setting tls.Config.ClientSessionCache will cause PSK to fail. Currently users must set only tls.UtlsPreSharedKeyExtension.ClientSessionCacheOverride. This is not the intended behavior and requires further investigation...
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.5.0-beta.2...v1.5.0-beta.3
We are finally supporting pre_shared_key! I mean, with REAL support.
To use it, you must provide a type implementing ClientSessionCache:
// ClientSessionCache is a cache of ClientSessionState objects that can be used
// by a client to resume a TLS session with a given server. ClientSessionCache
// implementations should expect to be called concurrently from different
// goroutines. Up to TLS 1.2, only ticket-based resumption is supported, not
// SessionID-based resumption. In TLS 1.3 they were merged into PSK modes, which
// are supported via this interface.
type ClientSessionCache interface {
    // Get searches for a ClientSessionState associated with the given key.
    // On return, ok is true if one was found.
    Get(sessionKey string) (session *ClientSessionState, ok bool)

    // Put adds the ClientSessionState to the cache with the given key. It might
    // get called multiple times in a connection if a TLS 1.3 server provides
    // more than one session ticket. If called with a nil *ClientSessionState,
    // it should remove the cache entry.
    Put(sessionKey string, cs *ClientSessionState)
}
where the sessionKey is the ServerName (or the IP address if there is no ServerName).
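As an added example (not part of the utls release notes or the project's own code), here is a bounded, goroutine-safe ClientSessionCache that follows the contract shown above: Get marks an entry recently used, a nil Put removes the entry, a repeated Put for the same key replaces the state instead of duplicating it (a TLS 1.3 server may send several tickets), and the oldest entry is evicted once capacity is reached so a long-lived client cannot grow the cache without bound. The sessionKey helper mirrors the keying rule from the notes (ServerName, else the peer IP). It is written against the standard library's crypto/tls, whose ClientSessionCache interface is the one reproduced above, so it compiles without utls; the assumption is that importing utls as `tls` in place of crypto/tls is all that is needed to hand it to Config.ClientSessionCache. The placeholder ClientSessionState values in main are constructed and empty; a real handshake populates them.

```go
package main

import (
	"container/list"
	"crypto/tls"
	"net"
	"sync"
)

// sessionKey mirrors the keying rule from the release notes: the ServerName,
// or the peer IP address (port stripped) when no ServerName is set.
func sessionKey(serverName, remoteAddr string) string {
	if serverName != "" {
		return serverName
	}
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		return host
	}
	return remoteAddr
}

// lruSessionCache is a bounded, goroutine-safe ClientSessionCache.
type lruSessionCache struct {
	mu       sync.Mutex
	capacity int
	order    *list.List               // front = most recently used
	entries  map[string]*list.Element // key -> element whose Value is *cacheEntry
}

type cacheEntry struct {
	key     string
	session *tls.ClientSessionState
}

func newLRUSessionCache(capacity int) *lruSessionCache {
	if capacity <= 0 {
		capacity = 64
	}
	return &lruSessionCache{
		capacity: capacity,
		order:    list.New(),
		entries:  make(map[string]*list.Element),
	}
}

// Get returns the cached state for key and marks it as recently used.
func (c *lruSessionCache) Get(key string) (*tls.ClientSessionState, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	el, ok := c.entries[key]
	if !ok {
		return nil, false
	}
	c.order.MoveToFront(el)
	return el.Value.(*cacheEntry).session, true
}

// Put stores cs under key. A nil cs removes the entry, as the interface
// contract requires; a repeated Put replaces the previous state.
func (c *lruSessionCache) Put(key string, cs *tls.ClientSessionState) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if el, ok := c.entries[key]; ok {
		if cs == nil {
			c.order.Remove(el)
			delete(c.entries, key)
			return
		}
		el.Value.(*cacheEntry).session = cs
		c.order.MoveToFront(el)
		return
	}
	if cs == nil {
		return
	}
	c.entries[key] = c.order.PushFront(&cacheEntry{key: key, session: cs})
	// Evict least recently used entries beyond capacity.
	for c.order.Len() > c.capacity {
		oldest := c.order.Back()
		c.order.Remove(oldest)
		delete(c.entries, oldest.Value.(*cacheEntry).key)
	}
}

// Len reports the number of cached sessions.
func (c *lruSessionCache) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.order.Len()
}

// Compile-time check that the type satisfies the interface.
var _ tls.ClientSessionCache = (*lruSessionCache)(nil)

func main() {
	cache := newLRUSessionCache(2)
	// Constructed placeholder states; a real handshake fills these in.
	cache.Put(sessionKey("example.com", "203.0.113.1:443"), &tls.ClientSessionState{})
	cache.Put(sessionKey("", "203.0.113.2:443"), &tls.ClientSessionState{})
	if _, ok := cache.Get("example.com"); ok {
		println("example.com: cached session found")
	}
	cache.Put("example.com", nil) // a nil Put removes the entry
}
```

The capacity bound and the nil-removal path are the two behaviours worth keeping when adapting this: an unbounded map keeps every ticket a server ever issued, and ignoring a nil Put leaves a state the library has asked you to forget.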
This update could possibly break TLS 1.2 session resumption support from older versions, so please report any bugs you encounter.
This update includes a breaking change to PreSharedKeyExtension: it is now an interface.
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.5.0-beta.1...v1.5.0-beta.2
Duck Goes Quack, Cow Goes Moo, Parrot Goes Post-Quantum!
† Set chrome://flags/#enable-tls13-kyber to enable in Chrome 115. To be generally available (perhaps default ON?) in Chrome 116.
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.5.0-alpha...v1.5.0-beta.1
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.4.3...v1.5.0-alpha
Retract v1.4.0, v1.4.1 for a breaking change made by crypto/tls in the client handshake. This tag contains no code change from v1.4.2, since v1.4.2 patches the exact bug in the retracted versions.
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.4.2...v1.4.3
Provide a dirty fix for a bug(?) triggered when Config.ClientSessionCache is nil and a session_ticket is received from a server.
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.3.3...v1.4.1
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.3.2...v1.3.3