I use www/links+ often as a nice lightweight browser. However, I realized it didn't do any SSL certificate validation. I found a patch that added basic validation (while silently allowing self-signed certs) but still didn't do hostname verification.

I went in search of some examples of hostname verification with SSL and, of course, found myself in the libtls code. Awesome! Why do it myself? It's already written for me. So I replaced the SSL code with libtls and got a light, functional web browser with cert verification and hostname verification.

I have a few things to clean up, but I wonder if people would be interested in using this? It was just a "can I do it?" project for me as I haven't written more than a few lines of C code in ~15 years and I really wanted to use links+ safely. It helped to have libtls available that just gets the job done.

I don't think libressl is ported as widely as links+ so wouldn't expect this to go upstream, though I'll try to get their feedback. Maybe they'll be encouraged to implement the solution they want to support.

As an aside, I also added an option to enable/disable cookies. It was hardcoded to allow them, but the code to turn it off was there, except the UI for it.

Some TODOs:

- Optionally allow self-signed certs (not sure how to do this with libtls).
- Add a useful error message when there is an SSL error.
- Test failure cases. With SSL, links+ would retry or abort a connection depending on errors libtls seems to hide. (Maybe they never matter?)

Tim.
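
Added example, not part of the original post and not code from links+ or libtls: a simplified sketch of the hostname check that chain validation alone leaves out, namely that a certificate which chains to a trusted CA must also name the host that was requested. The function names and sample certificate names are constructed for illustration, and the wildcard rules are a conservative subset of RFC 6125.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality for ASCII DNS names. */
static int dns_eq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate DNS name against the requested host.
 * A wildcard is honoured only as the whole leftmost label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return dns_eq(pattern, host);        /* plain name: exact match */

    const char *suffix = pattern + 1;        /* e.g. ".cdn.example.org" */
    const char *dot = strchr(host, '.');     /* end of host's first label */

    if (strchr(suffix + 1, '.') == NULL)     /* reject "*.com" style names */
        return 0;
    if (strchr(suffix, '*') != NULL)         /* only one wildcard allowed */
        return 0;
    if (dot == NULL || dot == host)          /* wildcard needs one real label */
        return 0;
    return dns_eq(dot, suffix);              /* covers exactly one label */
}

/* Returns 1 if any name presented by the certificate covers host. */
int cert_covers_host(const char *const names[], size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (name_matches(names[i], host))
            return 1;
    return 0;
}

/* Constructed sample: DNS names from a certificate whose chain is valid. */
static const char *const sample_names[] = { "www.example.org", "*.cdn.example.org" };

int sample_check(const char *host) { return cert_covers_host(sample_names, 2, host); }

int main(void)
{
    const char *hosts[] = { "www.example.org", "a.cdn.example.org",
                            "a.b.cdn.example.org", "bank.example.net" };
    for (size_t i = 0; i < 4; i++)
        printf("%-22s %s\n", hosts[i], sample_check(hosts[i]) ? "accept" : "REJECT");
    return 0;
}
```

A client that validates the chain but skips this step accepts the sample certificate for `bank.example.net` as readily as for `www.example.org`.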

