TLS client

[dworkin]

TLS client sessions are managed by ~TLS/api/lib/ClientSession. Only connections to servers with RSA certificates are currently supported, and client certificates don't work at all, yet.

There is also a TLS-enabled HTTP client in ~HTTP/api/obj/tls_client1.

Example code for a HTTP TLS client:

# include <String.h>
# include "~HTTP/HttpConnection.h"
# include "~HTTP/HttpRequest.h"
# include "~HTTP/HttpResponse.h"
# include "~HTTP/HttpField.h"

object connection;

void create()
{
    connection = clone_object(HTTP1_TLS_CLIENT, this_object(), "localhost",
                              8443);
}

void connected()
{
    HttpRequest request;
    HttpFields fields;

    request = new HttpRequest(1.1, "GET", "https://", "localhost:8443", "/");
    fields = new HttpFields;
    fields->add(new HttpField("Host", "localhost:8443"));
    request->setHeaders(fields);

    connection->sendRequest(request);
}

void receiveResponse(HttpResponse response)
{
    int length;

    length = response->headerValue("Content-length");
    connection->expectEntity(length);
}

void receiveEntity(StringBuffer entity)
{
    connection->doneResponse();
}

void disconnect()
{
}

[dworkin]

TLS requires the crypto extension module.

This TLS implementation keeps all state in LPC, which means that TLS connections are fully persistent across upgrades and hotbooting. It is probably the first implementation worldwide to have that.

[dworkin]

TLS server support has now been implemented, as well.

[geirpg]

We have recently made use of the TLS extension on VikingMud, however, we notice that the error messages provided by the various tls_* functions are a bit... unclear. Is it possitble to make them more informative?

The messages we se are: "TLS: http request", and "TLS: wrong version number".

[dworkin]

What you are seeing is the original OpenSSL error strings, with "TLS: " in front. The first one means that it saw what looked like a HTTP request instead of a TLS starting sequence, and the second one signifies that it could not make sense of the input at all.

There are a few options for making those messages more clear. The first one is to catch those errors, and to replace them with more informative ones based on the above information. The second possibility is to change the messages in OpenSSL.

An alternative you may want to consider is to use the TLS implementation in LPC from cloud-server instead. It is not perfect, but at least it throws standard TLS errors.

[geirpg]

Thanks. We'll have a look at it. It's good to get a 35 year old MUD up to date :)