* * * * *

A sane and easy to use TLS library! Will wonders never cease!

I'm still fighting the stupidity [1] at work, but it's becoming apparent that it's a fait accompli and we're looking at a bunch of REST (REpresentational State Transfer)/HTTPS (HyperText Transfer Protocol-Secure) über alles Kool-Aid™ in an area where time is critical. Sigh.

So I'm looking around at what I can use to support the “S” in HTTPS that doesn't involve diving into the horror show that is OpenSSL (Open Secure Sockets Layer) [2]: a library that can still encrypt and decrypt data when it **isn't** managing the network connections on the program's behalf (because the program is **already** managing the network connections). It can be complicated, but it must be sane to use.

I was pointed to libtls [3], which comes with LibreSSL [4]. Not only is this sane, but it's **easy** to use. I'm simply amazed at how easy. In just an hour, and only reading the man pages [5], I was able to write a simple program that fetches a page from a secure website [6]. Most of the code is just there to report any errors that happen; it's a very straightforward program.

Another hour or two, and I had a program [7] where the library does **not** control the network connection, which means we can (probably) use this in our existing architecture.

A few more hours, and I was able to replicate the initial C program in Lua [8]:

-----[ Lua ]-----
local tls = require "org.flummux.tls"

-- *****************************************************************

-- Report the library's error string and exit on any failed call.
local function okay(v,err)
  if not v then
    print(">>>",err)
    os.exit(1)
  end
  return v
end

-- *****************************************************************

-- Both arguments are used below, so insist on both.
if #arg < 2 then
  io.stderr:write(string.format("usage: %s host resource\n",arg[0]))
  os.exit(1)
end

local config = tls.config()
local ctx    = tls.client()

okay(config:set_protocols "all")
okay(ctx:configure(config))
okay(ctx:connect(arg[1],"https"))
okay(ctx:write(string.format(
  "GET %s HTTP/1.1\r\n" ..
  "Host: %s\r\n" ..
  "User-Agent: TLSTester/1.0 (TLS Testing Program Lua)\r\n" ..
  "Connection: close\r\n" ..
  "Accept: */*\r\n" ..
  "\r\n",
  arg[2],
  arg[1]
)))

-- Copy the response to stdout until the server closes the connection.
while true do
  local bytes = okay(ctx:read(1024))
  if bytes == "" then break end
  io.stdout:write(bytes)
end
-----[ END OF LINE ]-----

I had to write my own Lua wrapper for LibreSSL. The existing ones (and I found only [9] two [10]) weren't up to my standards for use, but it wasn't terribly hard to get the above working. The next step is expanding the Lua module to see if I can get it working with the networking code we use.

I am optimistic about this. But I am not optimistic about having to use this at work.

[1] gopher://gopher.conman.org/0Phlog:2018/05/29.1
[2] https://www.openbsd.org/papers/bsdcan14-libressl/mgp00005.html
[3] https://man.openbsd.org/tls_init.3
[4] https://www.libressl.org/
[5] https://en.wikipedia.org/wiki/Man_page
[6] https://github.com/spc476/libtls-examples/blob/master/get1.c
[7] https://github.com/spc476/libtls-examples/blob/master/get3.c
[8] https://www.lua.org/
[9] https://github.com/mah0x211/lua-libtls
[10] https://github.com/snimmagadda/luatls

Email Sean Conner at sean@conman.org.