Encrypting the Internet with Go
Offered By: Gopher Academy via YouTube
Course Description
Overview
Explore the implementation of TLS 1.3 at Cloudflare using Go's crypto/tls package in this 42-minute GopherCon 2017 talk. Dive into the intricacies of TLS 1.2 and 1.3 handshakes, record layers, and state management. Learn about API changes, interoperability testing, and standard library patching. Discover solutions for keyless operations, session tickets, and assembly crypto optimization. Examine file descriptor passing, timeout handling in Go 1.8, and TCP keep-alive mechanisms. Gain insights on managing open connections, http.Server and tls.Conn interactions, and HTTP/2 Push implementation.
Syllabus
Intro
TLS 1.2 ECDHE
Initial Handshake
Late Handshake
Handshake Complete
TLS record layer
TLS 1.3 handshake states
just a Config knob
a separate function
a check function
a Connection State field
Confirm Handshake
Exposing it to the HTTP handler
Other API changes
Interoperability testing
Patching the standard library
Keyless and GetCertificate
Where GetCertificate can't go
Enter GetConfigForClient
Last remaining: session tickets
Only use assembly crypto
File descriptor passing
Timeouts in Go 1.8
What about TCP keep-alives?
Keeping an eye on open connections
http.Server and tls.Conn
Dial and pool to nginx
HTTP/2 Push
Taught by
Gopher Academy
Related Courses
A Holistic Go Experience (Gopher Academy via YouTube)
Safe, Fast, and Easy - Building a Plugin System with WebAssembly (Gopher Academy via YouTube)
A Journey Through Integration Testing with Go - What Could Go Wrong? (Gopher Academy via YouTube)
Kraken Wrangling for Dummies - Go Module Dependency Management at Scale (Gopher Academy via YouTube)
Go, the Data Engineer's Missing Tool? (Gopher Academy via YouTube)