On Fri, Jan 20, 2017 at 1:38 AM, Laurent Bercot <[email protected]> wrote:
>> In order to add a real applet, I looked for an SSL/TLS client tool
>> in widespread use to emulate, and did not find one with a suitable API.
>>
>> "openssl s_client" is not a production tool, it's a debug thing.
>> Bigger problem is, it can't be handed a fd to perform TLS on,
>> it takes hostname. Meaning, wget can't launch it saying "here's
>> a socket I already opened, please wrap it in TLS".
>>
>> This second problem is shared by stunnel, various flavors of
>> "enhanced netcats" with --ssl options etc: none of them will wrap
>> a given fd.
>>
>> Do you know a tool whose command line is suitable for us?
>
> I have written one a couple of months ago:
> http://skarnet.org/software/s6-networking/s6-tlsc.html
>
> The goal was to do the exact thing you want, i.e. use an existing fd
> instead of connecting to the host.
> (There is also the "easy to use" interface that connects to the host,
> http://skarnet.org/software/s6-networking/s6-tlsclient.html , but it's
> just a wrapper around s6-tlsc.)

Basically, a "ncat --ssl". I'm leaning towards just adding that to our
netcat instead of inventing Yet Another Tool.

> Since I'm here, let me use the opportunity to fanboy over BearSSL
> (https://bearssl.org/), which is a SSL library still being developed
> and considered experimental by its author, but already incredibly good.
> s6-tlsc can be linked against it and it makes for a very small executable
> - the static binary is seven times smaller than the same program linked
> against LibreSSL - and an even smaller memory footprint.

Thanks, but it's a bit too late... I bit the bullet and wrote one
(rudimentary one, yes) from scratch:
https://git.busybox.net/busybox/tree/networking/tls.c

I did not check BearSSL, but libraries which I did check tended to be
way, way too big for bbox's very limited goals of "make HTTPS work
so that I can wget a kernel, dammit". They link in something like
150 kb of code. This is against wolfSSL, for example:

$ size ssl_helper
   text    data     bss     dec     hex filename
 178991     696   13424  193111   2f257 ssl_helper

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
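The interface the thread is asking for, "here is a socket I already opened, please wrap it in TLS", shown as an added Python example that is not part of busybox, s6-networking or any other project named above. It uses only the standard library; `wrap_fd` and the other function names are mine, `example.invalid` is a constructed hostname, and a `socketpair()` stands in for a real TCP connection so the checks run offline. It also shows the one thing an fd-taking wrapper cannot infer on its own: the certificate name it must verify has to be handed over alongside the fd, and a verifying context refuses to proceed without it.

```python
"""Wrap an already-open stream fd in TLS on the client side: the caller
opens the connection, the wrapper only does TLS on that fd.
Added example (standard library only), not busybox or s6-networking code.
wrap_fd and the other names are mine; "example.invalid" is a constructed
hostname and socketpair() stands in for a real TCP connection."""
import socket
import ssl


def make_client_context():
    # A verifying client context: the peer certificate is checked against
    # the system trust store and its name must match server_hostname.
    return ssl.create_default_context()


def context_is_verifying(ctx):
    """True when ctx both requires a certificate and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def wrap_fd(fd, server_hostname, ctx=None, do_handshake=True):
    """Adopt a connected stream fd and return a TLS client socket over it.

    An fd carries no hostname, so the expected certificate name has to be
    supplied separately; a verifying context refuses to wrap without it.
    Ownership of fd passes to the returned socket.
    """
    if ctx is None:
        ctx = make_client_context()
    sock = socket.socket(fileno=fd)  # family/type/proto are read from the fd
    try:
        return ctx.wrap_socket(sock, server_hostname=server_hostname,
                               do_handshake_on_connect=do_handshake)
    except Exception:
        sock.close()  # wrapping failed, so the fd is still ours to close
        raise


def wrapped_fd_keeps_identity():
    """Constructed check: the TLS socket sits on the very fd it was given
    and remembers the name it must verify. Returns (fd, tls_fd, name)."""
    ours, peer = socket.socketpair()
    fd = ours.detach()  # hand over the raw fd, as a launcher would
    tls = wrap_fd(fd, "example.invalid", do_handshake=False)
    try:
        return fd, tls.fileno(), tls.server_hostname
    finally:
        tls.close()
        peer.close()


def refuses_without_hostname():
    """Constructed check: with verification on, wrapping an fd without a
    server name is rejected instead of silently going unverified."""
    ours, peer = socket.socketpair()
    try:
        wrap_fd(ours.detach(), None, do_handshake=False)
        return False
    except ValueError:
        return True
    finally:
        peer.close()


if __name__ == "__main__":
    # Real use: the caller connects, then passes only the fd plus the
    # expected name, and reads an HTTP response through the TLS socket.
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: wrap_fd.py HOST")
    host = sys.argv[1]
    raw = socket.create_connection((host, 443))
    tls = wrap_fd(raw.detach(), host)
    tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
    print(tls.recv(4096).decode(errors="replace"))
    tls.close()
```

The point of `refuses_without_hostname` is the practical difference between "takes a hostname" and "takes an fd": once the wrapper is handed a bare descriptor, the name check is not something it can recover from the connection, so a command-line tool built on this shape needs the expected name as an explicit argument, and the safe default is to fail when it is missing.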
