SSL/TLS client command line API?

Denys Vlasenko vda.linux at googlemail.com
Fri Jan 20 14:02:07 UTC 2017


On Fri, Jan 20, 2017 at 1:38 AM, Laurent Bercot
<ska-dietlibc at skarnet.org> wrote:
>> In order to add a real applet, I looked for an SSL/TLS client tool
>> in widespread use to emulate, and did not find one with a suitable API.
>>
>> "openssl s_client" is not a production tool, it's a debug thing.
>> Bigger problem is, it can't be handed a fd to perform TLS on,
>> it takes hostname. Meaning, wget can't launch it saying "here's
>> a socket I already opened, please wrap it in TLS".
>>
>> This second problem is shared by stunnel, various flavors of
>> "enhanced netcats" with --ssl options etc: none of them will wrap
>> a given fd.
>>
>> Do you know a tool whose command line is suitable for us?
>
>
>  I have written one a couple months ago:
>  http://skarnet.org/software/s6-networking/s6-tlsc.html
>
>  The goal was to do the exact thing you want, i.e. use an existing fd
> instead of connecting to the host.
> (There is also the "easy to use" interface that connects to the host,
> http://skarnet.org/software/s6-networking/s6-tlsclient.html , but it's
> just a wrapper around s6-tlsc.)

Basically, a "ncat --ssl".

I'm leaning towards just adding that to our netcat instead of inventing
Yet Another Tool.

>  Since I'm here, let me use the opportunity to fanboy over BearSSL
> (https://bearssl.org/), which is a SSL library still being developed
> and considered experimental by its author, but already incredibly good.
> s6-tlsc can be linked against it and it makes for a very small executable
> - the static binary is seven times smaller than the same program linked
> against LibreSSL - and an even smaller memory footprint.

Thanks, but it's a bit too late... I bit the bullet and wrote one
(rudimentary one, yes) from scratch:

https://git.busybox.net/busybox/tree/networking/tls.c

I did not check BearSSL, but libraries which I did check tended to be
way, way too big for bbox's very limited goals of
"make HTTPS work so that I can wget a kernel, dammit".

They link in something like 150 kb of code.
This is against wolfSSL, for example:
$ size ssl_helper
   text       data        bss        dec        hex    filename
 178991        696      13424     193111      2f257    ssl_helper
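The fd-wrapping interface discussed above (the application opens the connection itself, then hands the socket to a TLS wrapper) as an added Python example; it is not code from BusyBox, s6-tlsc or this thread, and the function names and the TLS_FD/TLS_HOST environment variables are assumptions. The point it makes is that a wrapper which never called connect() does not know the hostname, so the caller must pass it explicitly or the certificate cannot be verified against the intended name.

```python
import os
import socket
import ssl


def tls_context(cafile=None):
    """Verifying client context: certificate chain and hostname are checked."""
    ctx = ssl.create_default_context(cafile=cafile)  # PROTOCOL_TLS_CLIENT defaults
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def wrap_inherited_fd(fd, server_hostname, cafile=None, handshake=True):
    """Wrap an already-connected stream socket, given as an fd number, in TLS.

    The caller did the connect(), so this function never saw the hostname;
    it must be supplied for SNI and for hostname verification.
    """
    if not server_hostname:
        raise ValueError("server_hostname is required to verify the peer")
    sock = socket.socket(fileno=fd)  # adopt the fd; no new connection is made
    if sock.type != socket.SOCK_STREAM:
        sock.detach()  # give the fd back untouched
        raise ValueError("fd is not a stream socket")
    return tls_context(cafile).wrap_socket(
        sock, server_hostname=server_hostname, do_handshake_on_connect=handshake)


if __name__ == "__main__":
    # Constructed usage (assumed convention): the parent, e.g. a wget that
    # already opened the TCP connection, passes the fd number in TLS_FD and
    # the name it connected to in TLS_HOST.
    host = os.environ["TLS_HOST"]
    tls = wrap_inherited_fd(int(os.environ["TLS_FD"]), host)
    tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
    print(tls.recv(4096).decode(errors="replace"))
```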


More information about the busybox mailing list