I'm still fighting the stupidity [1] at work, but it's becoming apparent that it's a fait accompli and we're looking at a bunch of REST (REpresentational State Transfer)/HTTPS (HyperText Transfer Protocol-Secure) über alles Kool-Aid™ in an area where time is critical.
Sigh.
So I'm looking around at what I can use to support the “S” in HTTPS that doesn't involve diving into the horror show that is OpenSSL (Open Secure Sockets Layer) [2]. A library that can still encrypt and decrypt data when it **isn't** managing the network connections on the program's behalf (because the program is **already** managing the network connections). It can be complicated, but it must be sane to use.
I was pointed to libtls [3], which comes with LibreSSL [4]. Not only is this sane, but it's **easy** to use. I'm simply amazed at how easy.
In just an hour, and only reading the man pages [5], I was able to write a simple program that fetches a page from a secure website [6]. And most of the code is just there to report any errors that happen. It's a very straightforward program.
Another hour or two, and I had a program [7] where the library does **not** control the network connection. Which means we can (probably) use this in our existing architecture.
A few more hours, and I was able to replicate the initial C program in Lua [8]:
```lua
local tls = require "org.flummux.tls"

-- *****************************************************************

-- Abort on the first error; the library calls return nil,err on failure.
local function okay(v,err)
  if not v then
    print(">>>",err)
    os.exit(1)
  end
  return v
end

-- *****************************************************************

if #arg == 0 then
  io.stderr:write(string.format("usage: %s host resource\n",arg[0]))
  os.exit(1)
end

-- Same sequence as the C version: config, client context, configure, connect.
local config = tls.config()
local ctx    = tls.client()

okay(config:set_protocols "all")
okay(ctx:configure(config))
okay(ctx:connect(arg[1],"https"))
okay(ctx:write(string.format(
        "GET %s HTTP/1.1\r\n"
     .. "Host: %s\r\n"
     .. "User-Agent: TLSTester/1.0 (TLS Testing Program Lua)\r\n"
     .. "Connection: close\r\n"
     .. "Accept: */*\r\n"
     .. "\r\n",
        arg[2],
        arg[1]
)))

-- Read until the server closes the connection (empty string means EOF).
while true do
  local bytes = okay(ctx:read(1024))
  if bytes == "" then break end
  io.stdout:write(bytes)
end
```
I had to write my own Lua wrapper for LibreSSL. The existing ones (and I found only [9] two [10]) weren't up to my standards for use, but it wasn't terribly hard to get the above working.
The next step is expanding the Lua module to see if I can get it working with our networking code we use. I am optimistic about this.
But I am not optimistic about having to use this at work.
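The arrangement from the third program above, where the TLS library only transforms bytes and the application keeps ownership of the connection (libtls does this through tls_connect_cbs, with caller-supplied read and write callbacks), has a close analogue in Python's ssl module. This is an added illustration, not the author's C or Lua code; it assumes a placeholder hostname of example.com and no live server, so it drives only the first handshake step and shows the bytes the application would have to put on its own connection.

```python
import ssl

# Constructed example: a TLS client that never touches a socket.  The
# application owns the transport and shuttles bytes between it and two
# memory BIOs, the same division of labour libtls gives via tls_connect_cbs().
class DetachedTlsClient:
    def __init__(self, hostname):
        # Default context verifies the peer certificate and the hostname.
        ctx = ssl.create_default_context()
        self.incoming = ssl.MemoryBIO()   # ciphertext received from the network
        self.outgoing = ssl.MemoryBIO()   # ciphertext waiting to be sent
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_hostname=hostname)
        self.handshake_done = False

    def receive(self, data):
        """Hand raw bytes from the application's own connection to TLS."""
        self.incoming.write(data)

    def to_send(self):
        """Drain ciphertext the application must write to its connection."""
        return self.outgoing.read()

    def step(self):
        """Advance the handshake; returns True once it has completed."""
        if self.handshake_done:
            return True
        try:
            self.tls.do_handshake()
            self.handshake_done = True
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            pass   # more bytes must cross the network before we can continue
        return self.handshake_done

    def write(self, plaintext):
        """Encrypt application data; the caller then drains to_send()."""
        return self.tls.write(plaintext)

    def read(self, n=1024):
        """Decrypt application data, or None if more network bytes are needed."""
        try:
            return self.tls.read(n)
        except ssl.SSLWantReadError:
            return None

def client_hello_summary(raw):
    """Check the first record the client emits is a handshake/ClientHello."""
    is_handshake = raw[0] == 0x16          # TLS record content type: handshake
    is_client_hello = raw[5] == 0x01       # handshake message type: ClientHello
    return is_handshake, is_client_hello
```

In a real program the loop is: call step(), write to_send() to your socket, pass whatever the socket returns to receive(), repeat until step() is True, then use write()/read() with the same drain-and-feed around each call.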
[2] https://www.openbsd.org/papers/bsdcan14-libressl/mgp00005.html
[3] https://man.openbsd.org/tls_init.3
[5] https://en.wikipedia.org/wiki/Man_page
[6] https://github.com/spc476/libtls-examples/blob/master/get1.c
[7] https://github.com/spc476/libtls-examples/blob/master/get3.c
[9] https://github.com/mah0x211/lua-libtls