Adaptation to New Specifications (TLS 1.3 and HTTP 2)
TL;DR: Although there are some problems with TLS 1.3 session resumption, the current version of trojan should be able to adapt to new specifications (TLS 1.3 and HTTP 2) without modifying any code.
With the release of OpenSSL 1.1.1, trojan now fully supports TLS 1.3.
According to this article, OpenSSL 1.1.1 will support TLS 1.3 and is binary- and API-compatible with OpenSSL 1.1.0. This means that all you need to do is update your OpenSSL to 1.1.1 and you will automatically get TLS 1.3, but there are still some issues. I recommend reading the article first.
TLS 1.3 introduces several new cipher suites, and according to the article you need to include at least one of them in the cipher list. Add the cipher suites you want to use to the server config and you are good to go. (In my testing this was not strictly necessary, but follow the official instructions anyway.)
According to the article, TLS 1.3 session tickets are sent some time after the handshake, which means the current code, which grabs the session immediately after the handshake, will not work. The article recommends using a new API for session resumption, but that would make trojan incompatible with older versions of OpenSSL, so I will not implement it; as a result, session resumption will not work with OpenSSL 1.1.1. In any case, session resumption is not recommended in TLS 1.3, because it is considered unsafe.
The underlying protocol is not part of trojan and not under its control; you can run any protocol behind it, including HTTP 2. Just remember to put "h2" first in the ALPN section of the server config.
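As an added illustration (not a config file from the trojan repository), here is a server config that applies the two points above together: the TLS 1.3 suite names are placed at the front of the cipher string, and "h2" is listed first in alpn so HTTP 2 is preferred. Field names follow trojan's documented server config; the certificate paths and password are placeholders, and reuse_session is switched off to reflect the resumption caveat.

```json
{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": ["<replace-with-your-password>"],
  "ssl": {
    "cert": "/path/to/fullchain.crt",
    "key": "/path/to/private.key",
    "cipher": "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
    "alpn": ["h2", "http/1.1"],
    "reuse_session": false,
    "session_ticket": false
  }
}
```

OpenSSL 1.1.1 enables its TLS 1.3 suites by default through a separate ciphersuites setting, so listing them in the cipher string is harmless but is not what turns them on, which matches the observation above that the step was not strictly necessary.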