Skip to content
libtls implemented on top of BearSSL
C Makefile
Branch: master
Clone or download

Latest commit

michaelforney Treat write_cb() == 0 as an error
Otherwise, we'll end up infinite looping when trying to write a

ffmpeg will return 0 if the connection is interrupted via the AVIO
interrupt callback, triggering this behavior.
Latest commit 99e1f3a Jan 29, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
.builds Port to BearSSL 0.6 Dec 4, 2019
compat Port to BearSSL 0.6 Dec 4, 2019
man Import libtls from LibreSSL 3.0.2 Dec 3, 2019
.gitignore Port to BearSSL 0.6 Dec 4, 2019
LICENSE Port to BearSSL 0.6 Dec 4, 2019
Makefile Use explicit .c.o rule in Makefile Dec 4, 2019 tls_peer_cert_subject now works Dec 6, 2019
bearssl.c Rework bearssl_parse_ciphers Dec 6, 2019
compat.h Port to BearSSL 0.6 Dec 4, 2019
tls.c Treat write_cb() == 0 as an error Jan 30, 2020
tls_bio_cb.c Port to BearSSL 0.6 Dec 4, 2019
tls_client.c Port to BearSSL 0.6 Dec 4, 2019
tls_config.c Set error message when we couldn't parse the cipher list Dec 4, 2019
tls_conninfo.c Retrieve certificate subject string Dec 5, 2019
tls_internal.h Make tls_write save buffered length, and attempt to write the full re… Dec 10, 2019
tls_keypair.c Remove trailing whitespace Dec 10, 2019
tls_ocsp.c Port to BearSSL 0.6 Dec 4, 2019
tls_server.c Port to BearSSL 0.6 Dec 4, 2019
tls_util.c Avoid unnecessary asprintf Dec 4, 2019
tls_verify.c Port to BearSSL 0.6 Dec 4, 2019

libtls-bearssl status

libtls-bearssl is an implementation of libtls on top of BearSSL.

BearSSL is an excellent TLS library: it is small, secure by default, flexible, consistent, performs no memory allocation, and the code is as clean and well documented as any I've ever seen.

However, due to some of its constraints, it is not the easiest TLS library to use. Things like loading trust anchors, server-side SNI, and I/O with non-blocking sockets actually involve quite a bit of work.

libtls shares some of the same goals as BearSSL: it is also consistent, secure by default, and well documented. However, it is also a higher-level API that is designed to be easy to use for many common situations.

This project aims to get the best of both worlds by implementing the libtls API on top of BearSSL.


libtls-bearssl implements nearly all features of the libtls API (version 3.0.2). However, there are some that are missing, since they are not supported by BearSSL.

  • OCSP stapling. Attempts to configure this will fail.
  • Certificate revocation list (CRL). Attempts to configure this will fail.
  • Inspecting peer certificate issuer name. tls_peer_cert_issuer always returns NULL.
  • Inspecting peer certificate notBefore and notAfter times. tls_peer_cert_notbefore and tls_peer_cert_notafter always return -1.
  • Encrypted key files. If tls_load_file is passed a password string, it will return NULL.
  • Session caching. BearSSL does implement this (though not session tickets, RFC 5077), so this may be added in the future.

Mailing list

Feel free to use the mailing list at for patches, questions, or general discussion.

Issue tracker

Please report any issues to

You can’t perform that action at this time.