TLS transport encryption
With --tls, the authentication handshake and all data now travel inside an encrypted
session — completing the security story: an encrypted, authenticated transport for
single-node use. See the Security page.
Highlights
- TLS 1.2 (ECDHE + AES-GCM) via Mbed-TLS 3.6, vendored through FetchContent so the
  binaries stay dependency-free. (TLS 1.3 is deferred behind a config wrinkle.)
- Server: bisond --tls --tls-cert <pem> --tls-key <pem>, or --tls-self-signed (prints
  a SHA-256 fingerprint to pin). The handshake runs in a worker thread under a timeout, so a
  stalled/malicious handshake can't block accepting.
- Clients: bisonsh and bisonc gain --tls / --tls-ca / --tls-pin / --tls-insecure;
  verification is secure by default (OS trust store + hostname). The shell shows a
  transport indicator (verified / ENCRYPTED-but-UNVERIFIED / not-encrypted).
- Tooling: bisonc tls gen-cert --out-dir <dir> writes cert.pem + a 0600 key.pem.
- Private keys are never logged; a plaintext↔TLS mismatch fails fast with a guiding message.
Secure quickstart
bisonc tls gen-cert --out-dir ./tls --cn localhost
BISONDB_ADMIN_PASSWORD=secret bisond --dir data/db --tls \
--tls-cert ./tls/cert.pem --tls-key ./tls/key.pem --init-admin admin
bisonsh --connect localhost:27027 --tls-ca ./tls/cert.pem --username admin
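What a --tls-pin style check does on the client side, as an added example that is not bisondb's own code: it reads the server's leaf certificate over TLS, hashes the DER form with SHA-256 and compares it in constant time with the pinned fingerprint. The fingerprint format (colon-separated upper-case hex, as openssl prints it) and the host/port are assumptions, not something this release note specifies.

```python
import hashlib
import hmac
import socket
import ssl

# Assumption: bisond prints the pin as SHA-256 over the DER certificate,
# rendered as AA:BB:CC:... (the same form as `openssl x509 -fingerprint -sha256`).

def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, rendered as AA:BB:...."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize_pin(pin: str) -> str:
    """Accept a pin with or without colons, in either case."""
    return pin.replace(":", "").strip().lower()

def pin_matches(der: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the presented cert's fingerprint with the pin."""
    presented = normalize_pin(fingerprint_of_der(der))
    return hmac.compare_digest(presented, normalize_pin(expected_pin))

def fetch_server_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Open a TLS session without chain/hostname verification, solely to read the
    leaf certificate. This is the ENCRYPTED-but-UNVERIFIED state the shell warns
    about: the caller must enforce pin_matches() before sending any data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # matches the TLS 1.2 floor above
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def connect_pinned(host: str, port: int, expected_pin: str) -> bool:
    """True only if the server's leaf certificate matches the pinned fingerprint."""
    return pin_matches(fetch_server_cert_der(host, port), expected_pin)

if __name__ == "__main__":
    # Constructed stand-in bytes; with a real server, pass the fingerprint that
    # bisond --tls-self-signed printed, e.g. connect_pinned("localhost", 27027, PIN).
    print(fingerprint_of_der(b"\x30\x82\x01\x0a" + b"\x00" * 16))
```

A failed pin must abort before the authentication handshake is sent; otherwise the credentials reach whichever endpoint terminated the TLS session.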
Download
bisondb-1.2.0-windows-x64.zip — statically linked bisond / bisonsh / bisonc (only
Windows system DLLs; no runtime to install).
The wire protocol stays v2 (TLS is transport-layer). Without --tls the socket is plain TCP.