TLS 1.3 (minimal)

[droe]

Preflight checklist:

• [ ] Read up on changes in OpenSSL 1.1.1 and TLS 1.3
• [ ] Specifically investigate how encrypted SNI is handled by the OpenSSL 1.1.1 API.
• [ ] Investigate if any other intercepting proxies already handle encrypted SNI, and if so, what approach has been chosen.

Tasks:

• [x] Achieve minimal support for TLS 1.3 by supporting normal build against OpenSSL 1.1.1 and latest BoringSSL
• [ ] Adapt all SSL/TLS configuration options (like -r, -R, -s, -g, -G etc) to fully work with new TLS 1.3 concepts, add TLS 1.3 examples to documentation where there are differences vs TLS 1.2 (such as cipher suites); disable TLS 1.3 specific code on LibreSSL and old OpenSSL/BoringSSL
• [ ] If necessary, adjust our own ClientHello parser to deal with TLS 1.3, including failing gracefully with encrypted SNI (w/any TLS version)
• [ ] Test with different SSL libraries and different clients

Out of scope:

• 208 Handle encrypted SNI

Useful references:

• https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
• https://www.openssl.org/blog/blog/2018/09/11/release111/

[droe]

Build against OpenSSL 1.1.1 now works and unit tests pass, but there has not been much testing. In particular, TLS 1.3 has not been tested yet.