| Age | Commit message (Collapse) | Author |
|---|
|
|
|
sbearssl_server_init_and_run is yet unchanged, the next step
is to rewrite it using the new primitives.
|
|
|
|
Also send a bit more environment with libtls
|
|
|
|
|
|
That includes:
- new architecture: the tls binary is now a child of the app
instead of the other way around
- the sbearssl_run engine now takes a post-handshake callback.
This allows s6-tlsc and s6-tlsd to only exec into the app when
the handshake succeeds (which was already the case with libressl).
- new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto
code; they init and run the engine, connecting to 4 already open
fds (stdin/stdout = network, argv[1] and argv[2] = local)
- s6-tlsc is now a simple wrapper around s6-tlsc-io
- s6-tlsd is now a simple wrapper around s6-tlsd-io
- new binary: s6-ucspitlsd, which is also a wrapper around
s6-tlsd-io, but differently: the parent execs the app which should
be ucspi-tls-aware, the child waits for a command from the parent
and execs into s6-tlsd-io if it receives it.
|
|
remain there forever with its zombie, both condemned to err in limbo for all eternity, the living and the dead, hand in hand
|
|
XXX marks what must change when skalibs changes.
Also started writing functions for client certificate support
in sbearssl, but it's not working yet (need more high-level
support from BearSSL before it can work)
|
|
easier.
|
|
|
|
Two things remain to do:
- how to pass SNI information to libtls
- how to detect cert issuer key type for ECC in bearssl
|
|
Doesn't build yet, but I'm scared of losing it, so using git as
storage.
Will fix the stupid bugs now, the tricky bugs later.
|
