BearSSL is an excellent TLS library: it is small, secure by default, flexible, consistent, performs no memory allocation, and the code is as clean and well documented as any I've ever seen.
However, due to some of its constraints, it is not the easiest TLS library to use. Things like loading trust anchors, server-side SNI, and I/O with non-blocking sockets actually involve quite a bit of work.
libtls shares some of the same goals as BearSSL: it is also consistent, secure by default, and well documented. However, it is also a higher-level API that is designed to be easy to use for many common situations.
This project aims to get the best of both worlds by implementing the libtls API on top of BearSSL.
libtls-bearssl implements nearly all features of the libtls API (version 3.3.3). However, there are some that are missing, since they are not supported by BearSSL.
- OCSP stapling. Attempts to configure this will fail.
- Certificate revocation list (CRL). Attempts to configure this will fail.
- Inspecting peer certificate issuer name.
- Inspecting peer certificate notBefore and notAfter times.
- Encrypted key files. If
tls_load_fileis passed a password string, it will return
- Session caching. BearSSL does implement this (though not session tickets, RFC 5077), so this may be added in the future.
- Keys and certificates using CRLF as the line ending are not supported. They must first be converted to use unix-style line endings (LF).
Feel free to use the mailing list at https://lists.sr.ht/~mcf/libtls-bearssl for patches, questions, or general discussion.
Please report any issues to https://todo.sr.ht/~mcf/libtls-bearssl.