Add BearSSL vtls implementation #4597
Thanks! Now I can build and I've tested it out a little bit. I think a major feature (I think it needs to be considered mandatory) that doesn't work is curl's

The other larger problem I found, that might be related to the above issue, is that it can't connect with TLS to a site specified with IP address only - so all FTPS tests fail. Run test 400 or just invoke

A more minor thing I found that is lacking in the curl adaptation is ALPN support, so curl will not use HTTP/2 with BearSSL at this point - it seems there is ALPN support in the library so it's only a matter of using it correctly.

Finally, BearSSL lacks for example TLS 1.3 support which is pretty significant these days, so I can't see how we can recommend this backend to any new users...
Thanks for testing it out!
BearSSL makes you go a bit out of your way to skip certificate verification, but this is done now.
Should be fixed now, I needed to pass a NULL hostname to
I added ALPN support, and it looks like HTTP/2 is working now.
It is definitely on the roadmap (see https://bearssl.org/tls13.html), which I think is slightly out of date (it looks like RSA/PSS is already implemented in the latest git version).
Thanks! But it seems something is still off though with the cert checks.
Both of these issues are related to hostname handling. I've made a few changes, outlined below. In BearSSL, when you initialize a client with Right now, things work as follows:
Does this seem like correct behavior of
Looks good! Will merge soon.
Thanks for reviewing. I made a couple last tweaks related to closing the context. I added a boolean

Also, the loaded certificates are now freed in all cases, even if we didn't make it very far when connecting.

Thanks a lot for your hard work on this!
I saw in the curl user survey 2017 that you were open to adding support for BearSSL:
So, here it is :)
Right now it is just the basics and doesn't support any optional vtls features. I've done some basic tests with a few different websites, but am looking for feedback for how to verify behavior in corner cases (EOF, close_notify, TCP RST, etc).
I've used the sread and swrite functions for reading and writing to the socket, so I believe there is no reason this shouldn't work on Windows, but I don't have access to a Windows machine to test.