1
0
Fork
You've already forked libtls-bearssl
0
libtls implemented on top of BearSSL https://sr.ht/~mcf/libtls-bearssl
  • C 98%
  • Makefile 1.9%
  • Shell 0.1%
2026年04月18日 20:12:16 -07:00
.builds builds/freebsd: Set CC for x509cert as well 2026年04月14日 02:12:18 -07:00
compat Include compat.h for explicit_bzero 2022年07月25日 13:38:54 -07:00
man .Lb libtls libssl libcrypto 2025年07月07日 10:54:00 +00:00
test Fix memory leaks in tests 2026年04月18日 16:12:22 -07:00
.gitignore Port verifytest to BearSSL and libx509cert 2026年04月14日 01:38:46 -07:00
bearssl.c Ignore errno for out of memory errors 2026年04月18日 16:05:37 -07:00
compat.h Add explicit_bzero to compat 2020年11月30日 16:41:57 -08:00
libtls.pc.in Add pkg-config file 2020年05月06日 15:28:11 -07:00
LICENSE Update LICENSE 2026年04月12日 17:14:55 -07:00
Makefile Release 0.6 2026年04月18日 20:12:16 -07:00
README.md README: Update libtls version 2026年04月18日 15:06:48 -07:00
shlib_version bump lib{crypto,ssl,tls} minors after symbol addition 2025年10月24日 11:38:06 +00:00
Symbols.list Merge branch 'libtls-4.1' 2026年04月12日 17:12:59 -07:00
tls.c Protect against invalid write retry 2026年04月18日 20:12:16 -07:00
tls.h Provide tls_peer_cert_common_name() 2024年12月10日 08:40:30 +00:00
tls_bio_cb.c Fix some includes 2026年04月12日 17:14:04 -07:00
tls_client.c Merge branch 'libtls-4.3' 2026年04月18日 15:06:11 -07:00
tls_config.c Merge branch 'libtls-4.3' 2026年04月18日 15:06:11 -07:00
tls_conninfo.c Merge branch 'libtls-4.3' 2026年04月18日 15:06:11 -07:00
tls_internal.h Use time callback to retrieve certificate validity period for tls_conninfo 2026年04月14日 22:52:47 -07:00
tls_keypair.c Fix memory leak when certificate is replaced 2026年04月18日 16:08:37 -07:00
tls_ocsp.c Merge branch 'libtls-4.3' 2026年04月18日 15:06:11 -07:00
tls_peer.c Merge branch 'libtls-4.1' 2026年04月12日 17:12:59 -07:00
tls_server.c Merge branch 'libtls-4.3' 2026年04月18日 15:06:11 -07:00
tls_util.c Merge branch 'libtls-4.3' 2026年04月18日 15:06:11 -07:00
tls_verify.c Merge branch 'libtls-4.3' 2026年04月18日 15:06:11 -07:00
version-script.sed Add support for building a shared library 2020年11月30日 16:37:00 -08:00

libtls-bearssl

builds.sr.ht status

libtls-bearssl is an implementation of libtls on top of BearSSL.

BearSSL is an excellent TLS library: it is small, secure by default, flexible, consistent, performs no memory allocation, and the code is as clean and well documented as any I've ever seen.

However, due to some of its constraints, it is not the easiest TLS library to use. Things like loading trust anchors, server-side SNI, and I/O with non-blocking sockets actually involve quite a bit of work.

libtls shares some of the same goals as BearSSL: it is also consistent, secure by default, and well documented. However, it is also a higher-level API that is designed to be easy to use for many common situations.

This project aims to get the best of both worlds by implementing the libtls API on top of BearSSL.

Status

libtls-bearssl implements nearly all features of the libtls API (version 4.3.0). However, there are some that are missing, since they are not supported by BearSSL.

  • OCSP stapling. Attempts to configure this will fail.
  • Certificate revocation list (CRL). Attempts to configure this will fail.
  • Inspecting peer certificate issuer name. tls_peer_cert_issuer always returns NULL.
  • Inspecting peer certificate notBefore and notAfter times requires a BearSSL version supporting BR_FEATURE_X509_TIME_CALLBACK. This is currently not available in any released version of BearSSL, and if it is missing, tls_peer_cert_notbefore and tls_peer_cert_notafter always return -1.
  • Encrypted key files. If tls_load_file is passed a password string, it will return NULL.
  • Session caching. BearSSL does implement this (though not session tickets, RFC 5077), so this may be added in the future.
  • Keys and certificates using CRLF as the line ending are not supported. They must first be converted to use unix-style line endings (LF).
  • The signer API (currently not public) is not implemented since it is not yet finalized. This shouldn't be too hard to implement with BearSSL; for the client, we need to use a custom br_ssl_client_certificate_class and for the server, we need to extend our br_ssl_server_policy_class to use the sign callback.

Tests

libtls-bearssl uses the regress tests from LibreSSL, modified to work with BearSSL. They can be run with make check.

keypairtest was changed to use a header generated by brssl, keypairdata.h, containing C structures with the certificate and private key in test/server1-rsa.pem.

tlstest was changed to disable version negotiation tests involving TLS 1.3 because it is not supported by BearSSL.

verifytest was ported to use x509cert, a library to create X.509 certificates based on BearSSL. Cases that involve IP addresses in certificates were disabled since they aren't supported by BearSSL. Finally, two cases were disabled (empty wildcard and wildcard under TLD) since BearSSL does not reject these in the br_x509_minimal engine.

Mailing list

Feel free to use the mailing list at https://lists.sr.ht/~mcf/libtls-bearssl for patches, questions, or general discussion.

Issue tracker

Please report any issues to https://todo.sr.ht/~mcf/libtls-bearssl.