PureBasic Forums - English

http://www.purebasic.com
https://www.purebasic.fr/english/

Implement a full SSL/TLS library

https://www.purebasic.fr/english/viewtopic.php?t=78631

Page 2 of 6

Re: Implement a full SSL/TLS library

Posted: Tue Feb 15, 2022 9:15 pm
by Kwai chang caine
+1

Re: Implement a full SSL/TLS library

Posted: Tue Feb 15, 2022 9:22 pm
by RichAlgeni
I would also pay extra for this.

Re: Implement a full SSL/TLS library

Posted: Wed Feb 16, 2022 10:20 am
by idle
I've just tested making an ssl connection with openssl on the raspberry pi to purebasic.com with incline c, it works though its still a bit of a mess and needs more work as it fails on some other websites perhaps because of redirection or maybe I'm just using the wrong methods?

Asking for a full ssl / tls lib is one thing, using it is another! It's a complex library

Anyway while we can use c libs without much hassle on linux and raspberry pi, I still can't get it working on windows. so no bananas yet.

but it boils down to

Code: Select all

sslcon = OpenSSLConnection("www.purebasic.com")
CloseSSLConnection(sslcon)
how hard can it be !

Re: Implement a full SSL/TLS library

Posted: Wed Feb 16, 2022 8:39 pm
by infratec
@idle

you are showing the 'easy' way: a client connection.
What I need, and maybe others, is also the server side.

This is a way more difficult.

But it needs to be done and it should be possible in PB.

Re: Implement a full SSL/TLS library

Posted: Wed Feb 16, 2022 9:00 pm
by skywalk
Yes, I find the Fossil server meets my needs. But I have not wrapped it for PB use.
Did you browse the code I mentioned earlier?

Re: Implement a full SSL/TLS library

Posted: Wed Feb 16, 2022 9:39 pm
by idle
infratec wrote: Wed Feb 16, 2022 8:39 pm @idle

you are showing the 'easy' way: a client connection.
What I need, and maybe others, is also the server side.

This is a way more difficult.

But it needs to be done and it should be possible in PB.
Yes I understand we want and need it for server side as well. I was just seeing if it was doable with inline c and yes it is which is encouraging, the issue isn't importing openssl it's using it, it's a complicated library, While the client side is piece of cake the server side is a little harder to do as a black box but It's totally doable, the hard part in my opinion is managing the certificates and if you go with a monthly CA it needs to be automated or it will drive you nuts.

Re: Implement a full SSL/TLS library

Posted: Wed Feb 16, 2022 9:55 pm
by idle
skywalk wrote: Wed Feb 16, 2022 9:00 pm Yes, I find the Fossil server meets my needs. But I have not wrapped it for PB use.
Did you browse the code I mentioned earlier?
not sure if that was directed at me but I just took a look. It's really a case of understanding how to use the library that's the limiting factor here. its complicated.

Re: Implement a full SSL/TLS library

Posted: Wed Feb 16, 2022 10:11 pm
by infratec
The complexity of OpenSSL was one of the reasons why I prefer mbedTLS.
It is much easier to use and the footprint is much smaller.
I know it already as PolarSSL, which I tried with some microcontrollers.

Re: Implement a full SSL/TLS library

Posted: Wed Feb 16, 2022 10:30 pm
by skywalk
Yes,
Following the Fossil OpenSSL implementation is not easy as it's customized for their Distributed Version Control System.
I only offer it as a suggestion since the author of SQLite/Fossil usually makes tight, robust decisions on libs.

Re: Implement a full SSL/TLS library

Posted: Thu Feb 17, 2022 9:29 pm
by idle
They both looks fairly complex. Mbedtls is at least portable c which is a bonus and maybe if it has nice examples.

Re: Implement a full SSL/TLS library

Posted: Sat Feb 19, 2022 3:05 pm
by the.weavster
+1

Re: Implement a full SSL/TLS library

Posted: Wed Mar 02, 2022 5:30 am
by idle
LibreSSL appears to be the best option for integration into PB, as It simplifies the use of the library but we really need to define what we're asking for as it's still fairly complicated.

These are the functions presented from libtls
tls_init() ;
tls_config_error(*config) ;
tls_error(*ctx) ;
tls_config_new() ;
tls_config_free(*config) ;
tls_default_ca_cert_file() ;
tls_config_add_keypair_file(*config,*_cert_file.const,*_key_file.const) ;
tls_config_add_keypair_mem(*config,*_cert.const,_cert_len.i,*_key.const,_key_len.i) ;
tls_config_add_keypair_ocsp_file(*config,*_cert_file.const,*_key_file.const,*_ocsp_staple_file.const);
tls_config_add_keypair_ocsp_mem(*config,*_cert.const,_cert_len.i,*_key.const,_key_len.i,*_staple.const,_staple_len.i);
tls_config_set_alpn(*config,*_alpn.const) ;
tls_config_set_ca_file(*config,*_ca_file.const) ;
tls_config_set_ca_path(*config,*_ca_path.const) ;
tls_config_set_ca_mem(*config,*_ca.const,_len.i) ;
tls_config_set_cert_file(*config,*_cert_file.const) ;
tls_config_set_cert_mem(*config,*_cert.const,_len.i) ;
tls_config_set_ciphers(*config,*_ciphers.const) ;
tls_config_set_crl_file(*config,*_crl_file.const) ;
tls_config_set_crl_mem(*config,*_crl.const,_len.i) ;
tls_config_set_dheparams(*config,*_params.const) ;
tls_config_set_ecdhecurve(*config,*_curve.const) ;
tls_config_set_ecdhecurves(*config,*_curves.const) ;
tls_config_set_key_file(*config,*_key_file.const) ;
tls_config_set_key_mem(*config,*_key.const,_len.i) ;
tls_config_set_keypair_file(*config,*_cert_file.const,*_key_file.const) ;
tls_config_set_keypair_mem(*config,*_cert.const,_cert_len.i,*_key.const,_key_len.i) ;
tls_config_set_keypair_ocsp_file(*config,*_cert_file.const,*_key_file.const,*_staple_file.const) ;
tls_config_set_keypair_ocsp_mem(*config,*_cert.const,_cert_len.i,*_key.const,_key_len.i,*_staple.const,staple_len.i) ;
tls_config_set_ocsp_staple_mem(*config,*_staple.const,_len.i) ;
tls_config_set_ocsp_staple_file(*config,*_staple_file.const) ;
tls_config_set_protocols(*config,_protocols.l) ;
tls_config_set_session_fd(*config,_session_fd.l) ;
tls_config_set_verify_depth(*config,_verify_depth.l) ;
tls_config_prefer_ciphers_client(*config) ;
tls_config_prefer_ciphers_server(*config) ;
tls_config_insecure_noverifycert(*config) ;
tls_config_insecure_noverifyname(*config) ;
tls_config_insecure_noverifytime(*config) ;
tls_config_verify(*config) ;
tls_config_ocsp_require_stapling(*config) ;
tls_config_verify_client(*config) ;
tls_config_verify_client_optional(*config) ;
tls_config_clear_keys(*config) ;
tls_config_parse_protocols(*_protocols,*_protostr.const) ;
tls_config_set_session_id(*config,*_session_id.const,_len.i) ;
tls_config_set_session_lifetime(*config,_lifetime.l) ;
tls_config_add_ticket_key(*config,_keyrev.i,*_key,_keylen.i) ;
tls_client() ;
tls_server() ;
tls_configure(*ctx,*config) ;
tls_reset(*ctx) ;
tls_free(*ctx) ;
tls_accept_fds(*ctx,*_cctx,_fd_read.l,_fd_write.l) ;
tls_accept_socket(*ctx,*_cctx,_socket.l) ;
tls_accept_cbs(*ctx,*_cctx,*_read_cb.tls_read_cb,*_write_cb.tls_write_cb,*_cb_arg) ;
tls_connect(*ctx,*_host.const,*_port.const) ;
tls_connect_fds(*ctx,_fd_read.l,_fd_write.l,*_servername.const) ;
tls_connect_servername(*ctx,*_host.const,*_port.const,*_servername.const) ;
tls_connect_socket(*ctx,_s.l,*_servername.const) ;
tls_connect_cbs(*ctx,*_read_cb.tls_read_cb,*_write_cb.tls_write_cb,*_cb_arg,*_servername.const) ;
tls_handshake(*ctx) ;
tls_read(*ctx,*_buf,_buflen.i) ;
tls_write(*ctx,*_buf.const,_buflen.i) ;
tls_close(*ctx) ;
tls_peer_cert_provided(*ctx) ;
tls_peer_cert_contains_name(*ctx,*_name.const) ;
tls_peer_cert_hash(*ctx) ;
tls_peer_cert_issuer(*ctx) ;
tls_peer_cert_subject(*ctx) ;
tls_peer_cert_notbefore(*ctx) ;
tls_peer_cert_notafter(*ctx) ;
tls_peer_cert_chain_pem(*ctx,*_len) ;
tls_conn_alpn_selected(*ctx) ;
tls_conn_cipher(*ctx) ;
tls_conn_cipher_strength(*ctx) ;
tls_conn_servername(*ctx) ;
tls_conn_session_resumed(*ctx) ;
tls_conn_version(*ctx) ;
tls_load_file(*_file.const,*_len,*_password) ;
tls_unload_file(*_buf,len.i) ;
tls_ocsp_process_response(*ctx,*_response.const,_size.i) ;
tls_peer_ocsp_cert_status(*ctx) ;
tls_peer_ocsp_crl_reason(*ctx) ;
tls_peer_ocsp_next_update(*ctx) ;
tls_peer_ocsp_response_status(*ctx) ;
tls_peer_ocsp_result(*ctx) ;
tls_peer_ocsp_revocation_time(*ctx) ;
tls_peer_ocsp_this_update(*ctx) ;
tls_peer_ocsp_url(*ctx) ;
EndImport
So it's not really a case of saying +1, we need to be specific about what we're asking for in regards to making this opaque to users as it depends upon what the end use is.

Re: Implement a full SSL/TLS library

Posted: Wed Mar 02, 2022 8:28 am
by Rinzwind
Another example where one-man-show just doesn't work. Why mr PB can not delegate tasks in some way for the core product? Paid or voluntary or mixed? Again, don't hold your breath for anything official as even the current libraries don't get pretty important bug fixes/enhancements (looking at the mail lib as example). Anyway, a big thanks for the community here to offer workarounds where possible.

Re: Implement a full SSL/TLS library

Posted: Wed Mar 02, 2022 10:02 am
by idle
The problem here is clearly one of defining what you want. Fred has and will delegate when appropriate. Anyway I think Libre is the best choice I've built it on Linux and windows and it should build easy on osx, What I want to know here is what do we expect from it.

Re: Implement a full SSL/TLS library

Posted: Wed Mar 02, 2022 8:38 pm
by plouf
if ever implemend i would also prefer to be external or as option external

the reason is that ssl changes so fast, and just replacing external libs, is easier for a numebr of ways, including user itself
All times are UTC+01:00
Page 2 of 6

Powered by phpBB® Forum Software © phpBB Limited