Implement a full SSL/TLS library

Kwai chang caine
Always Here
Posts: 5342
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Implement a full SSL/TLS library

Post by Kwai chang caine »

+1
The happiness is a road... Not a destination
RichAlgeni
Addict
Posts: 914
Joined: Wed Sep 22, 2010 1:50 am
Location: Bradenton, FL

Post by RichAlgeni »

I would also pay extra for this.
idle
Always Here
Posts: 5042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Post by idle »

I've just tested making an SSL connection with OpenSSL on the Raspberry Pi to purebasic.com with inline C. It works, though it's still a bit of a mess and needs more work, as it fails on some other websites, perhaps because of redirection, or maybe I'm just using the wrong methods?

Asking for a full SSL/TLS lib is one thing, using it is another! It's a complex library.

Anyway, while we can use C libs without much hassle on Linux and the Raspberry Pi, I still can't get it working on Windows. So no bananas yet.

But it boils down to

sslcon = OpenSSLConnection("www.purebasic.com")
CloseSSLConnection(sslcon)

How hard can it be!
infratec
Always Here
Posts: 6817
Joined: Sun Sep 07, 2008 12:45 pm
Location: Germany

Post by infratec »

@idle

You are showing the 'easy' way: a client connection.
What I need, and maybe others, is also the server side.

This is way more difficult.

But it needs to be done, and it should be possible in PB.
skywalk
Addict
Posts: 3972
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Post by skywalk »

Yes, I find the Fossil server meets my needs. But I have not wrapped it for PB use.
Did you browse the code I mentioned earlier?
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
idle
Always Here
Posts: 5042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Post by idle »

infratec wrote: Wed Feb 16, 2022 8:39 pm
@idle

You are showing the 'easy' way: a client connection.
What I need, and maybe others, is also the server side.

This is way more difficult.

But it needs to be done, and it should be possible in PB.

Yes, I understand we want and need it for the server side as well. I was just seeing if it was doable with inline C, and yes it is, which is encouraging. The issue isn't importing OpenSSL, it's using it; it's a complicated library. While the client side is a piece of cake, the server side is a little harder to do as a black box, but it's totally doable. The hard part in my opinion is managing the certificates, and if you go with a monthly CA it needs to be automated or it will drive you nuts.
idle
Always Here
Posts: 5042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Post by idle »

skywalk wrote: Wed Feb 16, 2022 9:00 pm
Yes, I find the Fossil server meets my needs. But I have not wrapped it for PB use.
Did you browse the code I mentioned earlier?

Not sure if that was directed at me, but I just took a look. It's really a case of understanding how to use the library that's the limiting factor here. It's complicated.
infratec
Always Here
Posts: 6817
Joined: Sun Sep 07, 2008 12:45 pm
Location: Germany

Post by infratec »

The complexity of OpenSSL was one of the reasons why I prefer mbedTLS.
It is much easier to use and the footprint is much smaller.
I know it already as PolarSSL, which I tried with some microcontrollers.
skywalk
Addict
Posts: 3972
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Post by skywalk »

Yes, following the Fossil OpenSSL implementation is not easy, as it's customized for their distributed version control system.
I only offer it as a suggestion since the author of SQLite/Fossil usually makes tight, robust decisions on libs.
idle
Always Here
Posts: 5042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Post by idle »

They both look fairly complex. mbedTLS is at least portable C, which is a bonus, and maybe it has nice examples.
the.weavster
Addict
Posts: 1536
Joined: Thu Jul 03, 2003 6:53 pm
Location: England

Post by the.weavster »

+1
idle
Always Here
Posts: 5042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Post by idle »

LibreSSL appears to be the best option for integration into PB, as it simplifies the use of the library, but we really need to define what we're asking for, as it's still fairly complicated.

These are the functions presented from libtls:
tls_init() ;
tls_config_error(*config) ;
tls_error(*ctx) ;
tls_config_new() ;
tls_config_free(*config) ;
tls_default_ca_cert_file() ;
tls_config_add_keypair_file(*config,*_cert_file.const,*_key_file.const) ;
tls_config_add_keypair_mem(*config,*_cert.const,_cert_len.i,*_key.const,_key_len.i) ;
tls_config_add_keypair_ocsp_file(*config,*_cert_file.const,*_key_file.const,*_ocsp_staple_file.const);
tls_config_add_keypair_ocsp_mem(*config,*_cert.const,_cert_len.i,*_key.const,_key_len.i,*_staple.const,_staple_len.i);
tls_config_set_alpn(*config,*_alpn.const) ;
tls_config_set_ca_file(*config,*_ca_file.const) ;
tls_config_set_ca_path(*config,*_ca_path.const) ;
tls_config_set_ca_mem(*config,*_ca.const,_len.i) ;
tls_config_set_cert_file(*config,*_cert_file.const) ;
tls_config_set_cert_mem(*config,*_cert.const,_len.i) ;
tls_config_set_ciphers(*config,*_ciphers.const) ;
tls_config_set_crl_file(*config,*_crl_file.const) ;
tls_config_set_crl_mem(*config,*_crl.const,_len.i) ;
tls_config_set_dheparams(*config,*_params.const) ;
tls_config_set_ecdhecurve(*config,*_curve.const) ;
tls_config_set_ecdhecurves(*config,*_curves.const) ;
tls_config_set_key_file(*config,*_key_file.const) ;
tls_config_set_key_mem(*config,*_key.const,_len.i) ;
tls_config_set_keypair_file(*config,*_cert_file.const,*_key_file.const) ;
tls_config_set_keypair_mem(*config,*_cert.const,_cert_len.i,*_key.const,_key_len.i) ;
tls_config_set_keypair_ocsp_file(*config,*_cert_file.const,*_key_file.const,*_staple_file.const) ;
tls_config_set_keypair_ocsp_mem(*config,*_cert.const,_cert_len.i,*_key.const,_key_len.i,*_staple.const,staple_len.i) ;
tls_config_set_ocsp_staple_mem(*config,*_staple.const,_len.i) ;
tls_config_set_ocsp_staple_file(*config,*_staple_file.const) ;
tls_config_set_protocols(*config,_protocols.l) ;
tls_config_set_session_fd(*config,_session_fd.l) ;
tls_config_set_verify_depth(*config,_verify_depth.l) ;
tls_config_prefer_ciphers_client(*config) ;
tls_config_prefer_ciphers_server(*config) ;
tls_config_insecure_noverifycert(*config) ;
tls_config_insecure_noverifyname(*config) ;
tls_config_insecure_noverifytime(*config) ;
tls_config_verify(*config) ;
tls_config_ocsp_require_stapling(*config) ;
tls_config_verify_client(*config) ;
tls_config_verify_client_optional(*config) ;
tls_config_clear_keys(*config) ;
tls_config_parse_protocols(*_protocols,*_protostr.const) ;
tls_config_set_session_id(*config,*_session_id.const,_len.i) ;
tls_config_set_session_lifetime(*config,_lifetime.l) ;
tls_config_add_ticket_key(*config,_keyrev.i,*_key,_keylen.i) ;
tls_client() ;
tls_server() ;
tls_configure(*ctx,*config) ;
tls_reset(*ctx) ;
tls_free(*ctx) ;
tls_accept_fds(*ctx,*_cctx,_fd_read.l,_fd_write.l) ;
tls_accept_socket(*ctx,*_cctx,_socket.l) ;
tls_accept_cbs(*ctx,*_cctx,*_read_cb.tls_read_cb,*_write_cb.tls_write_cb,*_cb_arg) ;
tls_connect(*ctx,*_host.const,*_port.const) ;
tls_connect_fds(*ctx,_fd_read.l,_fd_write.l,*_servername.const) ;
tls_connect_servername(*ctx,*_host.const,*_port.const,*_servername.const) ;
tls_connect_socket(*ctx,_s.l,*_servername.const) ;
tls_connect_cbs(*ctx,*_read_cb.tls_read_cb,*_write_cb.tls_write_cb,*_cb_arg,*_servername.const) ;
tls_handshake(*ctx) ;
tls_read(*ctx,*_buf,_buflen.i) ;
tls_write(*ctx,*_buf.const,_buflen.i) ;
tls_close(*ctx) ;
tls_peer_cert_provided(*ctx) ;
tls_peer_cert_contains_name(*ctx,*_name.const) ;
tls_peer_cert_hash(*ctx) ;
tls_peer_cert_issuer(*ctx) ;
tls_peer_cert_subject(*ctx) ;
tls_peer_cert_notbefore(*ctx) ;
tls_peer_cert_notafter(*ctx) ;
tls_peer_cert_chain_pem(*ctx,*_len) ;
tls_conn_alpn_selected(*ctx) ;
tls_conn_cipher(*ctx) ;
tls_conn_cipher_strength(*ctx) ;
tls_conn_servername(*ctx) ;
tls_conn_session_resumed(*ctx) ;
tls_conn_version(*ctx) ;
tls_load_file(*_file.const,*_len,*_password) ;
tls_unload_file(*_buf,len.i) ;
tls_ocsp_process_response(*ctx,*_response.const,_size.i) ;
tls_peer_ocsp_cert_status(*ctx) ;
tls_peer_ocsp_crl_reason(*ctx) ;
tls_peer_ocsp_next_update(*ctx) ;
tls_peer_ocsp_response_status(*ctx) ;
tls_peer_ocsp_result(*ctx) ;
tls_peer_ocsp_revocation_time(*ctx) ;
tls_peer_ocsp_this_update(*ctx) ;
tls_peer_ocsp_url(*ctx) ;
EndImport
So it's not really a case of saying +1; we need to be specific about what we're asking for in regards to making this opaque to users, as it depends upon what the end use is.
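To make the list above concrete, here is an added example (not code from this thread or from LibreSSL) that strings a handful of those libtls calls into a client that only reports success after tls_handshake() has validated the chain and hostname against a CA bundle. The ImportC library name and the CA bundle path are placeholders for your own build.

```purebasic
EnableExplicit
ImportC "libtls.a"   ; placeholder: point this at your libtls build (libtls.lib on Windows)
  tls_init.l()
  tls_config_new.i()
  tls_config_free(*config)
  tls_config_set_ca_file.l(*config, *ca_file)
  tls_config_parse_protocols.l(*protocols, *protostr)
  tls_config_set_protocols.l(*config, protocols.l)
  tls_config_verify(*config)
  tls_client.i()
  tls_configure.l(*ctx, *config)
  tls_connect.l(*ctx, *host, *port)
  tls_handshake.l(*ctx)
  tls_close.l(*ctx)
  tls_free(*ctx)
  tls_error.i(*ctx)
  tls_peer_cert_subject.i(*ctx)
  tls_conn_version.i(*ctx)
EndImport
Procedure.s CStr(*p)   ; NULL-safe char* to PB string
  If *p : ProcedureReturn PeekS(*p, -1, #PB_UTF8) : EndIf
  ProcedureReturn ""
EndProcedure

; Returns #True only if the handshake completed with certificate verification on.
Procedure.i VerifiedConnect(host$, caFile$)
  Protected *cfg, *ctx, rc, proto.l, ok = #False
  Protected *host = UTF8(host$), *ca = UTF8(caFile$), *port = UTF8("443"), *secure = UTF8("secure")
  If tls_init() = 0
    *cfg = tls_config_new() : *ctx = tls_client()
    tls_config_parse_protocols(@proto, *secure)   ; "secure" = TLS 1.2 and 1.3 only
    tls_config_set_protocols(*cfg, proto)
    tls_config_set_ca_file(*cfg, *ca)             ; trust anchors for chain validation
    tls_config_verify(*cfg)                       ; cert, name and time checks on (the default)
    rc = tls_configure(*ctx, *cfg)
    If rc = 0 : rc = tls_connect(*ctx, *host, *port) : EndIf
    If rc = 0 : rc = tls_handshake(*ctx) : EndIf  ; chain and hostname are checked here
    If rc = 0
      Debug "Verified " + CStr(tls_peer_cert_subject(*ctx)) + " using " + CStr(tls_conn_version(*ctx))
      tls_close(*ctx) : ok = #True
    Else
      Debug "TLS failure: " + CStr(tls_error(*ctx))   ; e.g. a failed certificate check
    EndIf
    tls_free(*ctx) : tls_config_free(*cfg)
  EndIf
  FreeMemory(*host) : FreeMemory(*ca) : FreeMemory(*port) : FreeMemory(*secure)
  ProcedureReturn ok
EndProcedure
VerifiedConnect("www.purebasic.com", "/etc/ssl/certs/ca-certificates.crt")   ; CA bundle path is a placeholder
```

The tls_config_insecure_noverify* calls from the list are the ones that silently turn these checks off, so a PB wrapper should keep them out of the default path.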
Rinzwind
Enthusiast
Posts: 636
Joined: Wed Mar 11, 2009 4:06 pm
Location: NL

Post by Rinzwind »

Another example where a one-man show just doesn't work. Why can't Mr PB delegate tasks in some way for the core product? Paid or voluntary or mixed? Again, don't hold your breath for anything official, as even the current libraries don't get pretty important bug fixes/enhancements (looking at the mail lib as an example). Anyway, a big thanks to the community here for offering workarounds where possible.
idle
Always Here
Posts: 5042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Post by idle »

The problem here is clearly one of defining what you want. Fred has and will delegate when appropriate. Anyway, I think Libre is the best choice; I've built it on Linux and Windows and it should build easily on OS X. What I want to know here is: what do we expect from it?
plouf
Enthusiast
Posts: 250
Joined: Fri Apr 25, 2003 6:35 pm
Location: Athens,Greece

Post by plouf »

If it is ever implemented, I would also prefer it to be external, or optionally external.

The reason is that SSL changes so fast, and just replacing external libs is easier in a number of ways, including for the user.
Christos