Add BearSSL vtls implementation #4597
Conversation
Thanks! Now I can build and I've tested it out a little bit. I think a major feature (I think it needs to be considered mandatory) that doesn't work is curl's

The other larger problem I found, that might be related to the above issue, is that it can't connect with TLS to a site specified with IP address only, so all FTPS tests fail. Run test 400 or just invoke

A more minor thing I found that is lacking in the curl adaptation is ALPN support, so curl will not use HTTP/2 with BearSSL at this point. It seems there is ALPN support in the library, so it's only a matter of using it correctly.

Finally, BearSSL lacks for example TLS 1.3 support, which is pretty significant these days, so I can't see how we can recommend this backend to any new users...
6aee72f to 84b966b
Thanks for testing it out!
BearSSL makes you go a bit out of your way to skip certificate verification, but this is done now.
Should be fixed now; I needed to pass a NULL hostname to
I added ALPN support, and it looks like HTTP/2 is working now.
It is definitely on the roadmap (see https://bearssl.org/tls13.html), which I think is slightly out of date (it looks like RSA-PSS is already implemented in the latest git version).
Thanks! But it seems something is still off with the cert checks.
158847b to 70ce89a
Both of these issues are related to hostname handling. I've made a few changes, outlined below. In BearSSL, when you initialize a client with

Right now, things work as follows:

Does this seem like correct behavior of
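The IP-address case discussed in this thread, as an added example that is not curl's or BearSSL's own code: RFC 6066 does not allow IPv4 or IPv6 literals in the TLS server_name (SNI) extension, so a client that was handed an address rather than a hostname should send no SNI at all. The helper below (the names `host_is_ip_literal` and `sni_name_for` are assumptions, not curl or BearSSL API) classifies the host string and yields the value a caller would pass as the server_name argument of BearSSL's `br_ssl_client_reset`, which accepts NULL; that is where the "NULL hostname" mentioned above goes. What certificate name checking the X.509 engine then performs for an address is a separate, engine-specific question this example does not cover.

```c
/* Added example (not curl's or BearSSL's own code): decide whether a host
 * string is an IP literal, in which case no SNI name must be sent.
 * Brackets as used in URLs ("[::1]") and a zone id ("fe80::1%eth0")
 * are tolerated. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if host is an IPv4 or IPv6 literal, 0 otherwise
 * (NULL, empty and oversized strings are treated as "not a literal"). */
int host_is_ip_literal(const char *host)
{
    char buf[128];              /* working copy, brackets/zone stripped */
    unsigned char addr[16];     /* scratch for inet_pton, value unused */
    size_t len;
    char *zone;

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len >= sizeof buf)
        return 0;

    if (host[0] == '[') {
        /* URL-style bracketed IPv6 literal: require the closing bracket */
        if (len < 2 || host[len - 1] != ']')
            return 0;
        memcpy(buf, host + 1, len - 2);
        buf[len - 2] = '\0';
    } else {
        memcpy(buf, host, len + 1);
    }

    /* drop a scope/zone id before parsing; inet_pton does not accept it */
    zone = strchr(buf, '%');
    if (zone != NULL)
        *zone = '\0';

    if (inet_pton(AF_INET, buf, addr) == 1)
        return 1;
    if (inet_pton(AF_INET6, buf, addr) == 1)
        return 1;
    return 0;
}

/* Value to hand to the TLS library as the SNI name: NULL for an IP
 * literal (no SNI sent), the host string itself otherwise.  With BearSSL
 * this would be the server_name argument of br_ssl_client_reset
 * (assumption about how the caller wires it, not shown here). */
const char *sni_name_for(const char *host)
{
    return host_is_ip_literal(host) ? NULL : host;
}

int main(void)
{
    /* constructed sample inputs */
    const char *hosts[] = { "example.com", "93.184.216.34", "[::1]",
                            "fe80::1%eth0", "256.1.1.1", "[::1" };
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        const char *sni = sni_name_for(hosts[i]);
        printf("%-16s -> SNI %s\n", hosts[i], sni ? sni : "(none, IP literal)");
    }
    return 0;
}
```

Note that a malformed address such as "256.1.1.1" is treated as a hostname and sent as SNI; the library's own name check (or the resolver) will then reject it, which is the safer failure than silently dropping verification.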
Looks good! Will merge soon.
Thanks for reviewing. I made a couple of last tweaks related to closing the context. I added a boolean

Also, the loaded certificates are now freed in all cases, even if we didn't make it very far when connecting.
Thanks a lot for your hard work on this!
I saw in the curl user survey 2017 that you were open to adding support for BearSSL:
So, here it is :)
Right now it is just the basics and doesn't support any optional vtls features. I've done some basic tests with a few different websites, but am looking for feedback on how to verify behavior in corner cases (EOF, close_notify, TCP RST, etc.).
I've used the `sread` and `swrite` functions for reading and writing to the socket, so I believe there is no reason this shouldn't work on Windows, but I don't have access to a Windows machine to test.