SSL/TLS client command line API?
vda.linux at googlemail.com
Fri Jan 20 14:02:07 UTC 2017
On Fri, Jan 20, 2017 at 1:38 AM, Laurent Bercot
<ska-dietlibc at skarnet.org> wrote:
>> In order to add a real applet, I looked for an SSL/TLS client tool
>> in widespread use to emulate, and did not find one with a suitable API.
>> "openssl s_client" is not a production tool, it's a debug thing.
>> Bigger problem is, it can't be handed a fd to perform TLS on,
>> it takes hostname. Meaning, wget can't launch it saying "here's
>> a socket I already opened, please wrap it in TLS".
>> This second problem is shared by stunnel, various flavors of
>> "enhanced netcats" with --ssl options etc: none of them will wrap
>> a given fd.
>> Do you know a tool whose command line is suitable for us?
> I have written one a couple of months ago:
> The goal was to do the exact thing you want, i.e. use an existing fd
> instead of connecting to the host.
> (There is also the "easy to use" interface that connects to the host,
> http://skarnet.org/software/s6-networking/s6-tlsclient.html , but it's
> just a wrapper around s6-tlsc.)
Basically, a "ncat --ssl".
I'm leaning towards just adding that to our netcat instead of inventing
Yet Another Tool.
> Since I'm here, let me use the opportunity to fanboy over BearSSL
> (https://bearssl.org/), which is an SSL library still being developed
> and considered experimental by its author, but already incredibly good.
> s6-tlsc can be linked against it and it makes for a very small executable
> - the static binary is seven times smaller than the same program linked
> against LibreSSL - and an even smaller memory footprint.
Thanks, but it's a bit too late... I bit the bullet and wrote one
(rudimentary one, yes) from scratch:
I did not check BearSSL, but libraries which I did check tended to be
way, way too big for bbox's very limited goals of
"make HTTPS work so that I can wget a kernel, dammit".
They link in something like 150 kb of code.
This is against wolfSSL, for example:
$ size ssl_helper
text data bss dec hex filename
178991 696 13424 193111 2f257 ssl_helper
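The interface Denys describes above (a helper that is handed an already-open socket and only does the TLS part, rather than taking a hostname and connecting itself) looks like the following. This is an added illustration using Python's ssl module, not code from busybox, s6-networking or anyone in this thread; the fd number, hostname and the bash /dev/tcp usage in the docstring are assumptions for the example.

```python
r"""tls_wrap_fd.py: wrap an already-connected socket fd in client-side TLS.

Added example for the helper discussed in the thread (something wget can hand
an open socket to); not busybox or s6-networking code.  Example with bash:
    exec 3<>/dev/tcp/example.org/443
    printf 'HEAD / HTTP/1.0\r\nHost: example.org\r\n\r\n' | python3 tls_wrap_fd.py 3 example.org
"""
import socket
import ssl
import sys


def build_context():
    """Client context with chain and hostname verification on: the default
    context loads the system CA store and sets CERT_REQUIRED + check_hostname,
    whereas a bare ssl.SSLContext() would accept any certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def wrap_fd(fd, server_hostname, ctx=None):
    """Adopt fd (a connected TCP socket) and return an ssl.SSLSocket.
    server_hostname is sent as SNI and checked against the certificate."""
    if not server_hostname:
        raise ValueError("server_hostname is required for SNI and verification")
    plain = socket.socket(fileno=fd)  # family/type are read back from the fd
    if plain.type != socket.SOCK_STREAM:
        plain.detach()  # do not close the caller's fd
        raise ValueError("fd %d is not a stream socket" % fd)
    ctx = ctx or build_context()
    return ctx.wrap_socket(plain, server_hostname=server_hostname)  # handshakes now


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s FD HOSTNAME\n" % argv[0])
        return 2
    with wrap_fd(int(argv[1]), argv[2]) as tls:
        tls.sendall(sys.stdin.buffer.read())  # the caller's request
        for chunk in iter(lambda: tls.recv(65536), b""):  # until server EOF
            sys.stdout.buffer.write(chunk)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The caller keeps ownership of the TCP connection; the helper adds only SNI, verification and the record layer, which is the split wget needs.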