Open jaysoncena opened 4 years ago
Is there a mandatory requirement for full TLS? Noise strictly only supports the following handshake protocol:
Nodes have ephemeral Ed25519 keys established. To communicate with each other, they:
noise.ECDH
; Elliptic-Curve Diffie Hellman) by feeding in their private Curve25519 private key and their peers Curve25519 public key,The handshake overall is very much similar to TLS v1.3 but is simpler and more straightforward.
Should you have the need to implement a custom handshake, it would for the time being require forking the repository and modifying a single function here.
Happy to assist should this be the case.
Unfortunately, it is a requirement to use CA cert to validate peer client cert.
If there's no straightforward way, I'll probably use tls.Conn in place of net.TCPConn
and tls.Listen in place of net.Listen
Aside from deriving shared secret and the encryption provided by default, do you have any other tips?
Unfortunately, it is a requirement to use CA cert to validate peer client cert.
If there's no straightforward way, I'll probably use tls.Conn in place of
net.TCPConn
and tls.Listen in place of net.ListenAside from deriving shared secret and the encryption provided by default, do you have any other tips?
tls.Client
and tls.Server
may also be used and plugged in directly in (*Client).handshake()
.
In pseudocode, it would resemble:
if c.side == clientSideInbound {
conn := tls.Server(c.conn, &tls.Config{...})
if err := conn.Handshake(); err != nil { return err }
} else {
conn := tls.Client(c.conn, &tls.Config{...})
if err := conn.Handshake(); err != nil { return err }
}
To help support these types of use cases, in the next patch I'll make it a medium priority to provide options to allow for disabling the default handshake + session encryption/decryption, and to optionally provide your own customary handshake function that will be injected into (*Client).handshake()
.
For the time being, please do keep me posted on how your TLS implementation goes :) It will help when it comes the time I work on a PR to make these options available.
Thanks for the feedback, that really helps.
Will definitely keep you posted. Thank you!
Is there any existing implementation of TLS? Our current infrastructure uses CA auth and I would like to use the same. Is there any example on how to do that? If there isn't, can anyone point me where to start on implementing a plugin for TLS?