From f14cd20a02e69265c38f100136159a62760a9220 Mon Sep 17 00:00:00 2001
From: Jeff Hodges <jeff@somethingsimilar.com>
Date: Tue, 26 Jul 2016 02:34:35 -0700
Subject: [PATCH] make TLS 1.3 okay (#120)

Fixes #118

Updates #119
---
 all_suites.go        | 13 +++++++++----
 client_info.go       |  3 +++
 templates/index.html |  4 ++--
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/all_suites.go b/all_suites.go
index 3dcbb3bc..8061cb56 100644
--- a/all_suites.go
+++ b/all_suites.go
@@ -4,10 +4,8 @@ package main
 // Generated with:
 //   curl -s https://www.iana.org/assignments/tls-parameters/tls-parameters.txt | grep '0x.* TLS_' | awk '{ print $1":","\""$2"\","}' | sed 's/,0x//'
 //
-// Plus appending the new ChaCha20/Poly1305 curve ciphers from Chrome 33.0 and
-// the fallback SCSV if the client had to degrade its version of TLS in order
-// to talk to the server. This is currently only in Chrome, and may one day be
-// useful to call out.
+// Plus appending the quantum resistant ones that Chrome is testing if the
+// client had to degrade its version of TLS in order to talk to the server.
 var allCipherSuites = map[uint16]string{
 	0x0000: "TLS_NULL_WITH_NULL_NULL",
 	0x0001: "TLS_RSA_WITH_NULL_MD5",
@@ -341,4 +339,11 @@ var allCipherSuites = map[uint16]string{
 	0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
 	0x0065: "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
 	0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA", // 128-bit RC4, not 56-bit
+
+	// Chrome is testing out some quantum computer resistant cipher suites. We,
+	// for now, assume they are safe.
+	0x16b7: "TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256",
+	0x16b8: "TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+	0x16b9: "TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384",
+	0x16ba: "TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384",
 }
diff --git a/client_info.go b/client_info.go
index eb22ef79..a4acb87e 100644
--- a/client_info.go
+++ b/client_info.go
@@ -86,6 +86,9 @@ func ClientInfo(c *conn) *clientInfo {
 		d.TLSVersion = "TLS 1.1"
 	case tls.VersionTLS12:
 		d.TLSVersion = "TLS 1.2"
+	case 0x0304: // TODO(#119): use crypto/tls's constant when it has it
+		d.TLSVersion = "TLS 1.3"
+
 	default:
 		d.TLSVersion = "an unknown version of SSL/TLS"
 	}
diff --git a/templates/index.html b/templates/index.html
index b42895fb..97264a8b 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -84,10 +84,10 @@ <h1>Your SSL client is <span class="hero-unit-{{ratingSpan .Rating}}">{{.Rating}
       <div class="row">
         <div class="span4">
           <h2>Version</h2>
-          {{if eq .TLSVersion "TLS 1.2"}}
+          {{if eq .TLSVersion "TLS 1.2" "TLS 1.3"}}
 
           <p><span class="label okay">Good</span> Your client is using
-          TLS 1.2, the most modern version of the encryption
+          {{ .TLSVersion }}, the most modern version of the encryption
           protocol. It gives you access to the fastest, most secure
           encryption possible on the web.</p>