Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I implemented TLS without any external deps by supporting only mandatory stuff from the RFC specifications.

DER parsing here: https://github.com/mateuszb/tls1.3/blob/master/der.lisp

Elliptic curves here: https://github.com/mateuszb/tls1.3/blob/master/elliptic-curv...

Protocol records: https://github.com/mateuszb/tls1.3/blob/master/record.lisp

At the time I implemented TLS1.3 there was very little support for it and it seemed like a fun project. The parsing wasn’t the difficult part



Does supporting only the mandatory stuff give you acceptable compatibility in the real world, or do too many people rely on things that were supposed to be optional?


It works most of the time unless the "endpoint" employs an engineer who is prone to customizing things too much :) In TLS 1.3 "mandatory" really means it.


der.lisp is only loading a PKCS1/DER-encoded private RSA key, which is a far cry from certificate parsing. (And certificate.lisp just loads a blob.) Granted, for a server which doesn't support mTLS you don't need to parse certificates, or any other complex DER-encoded structures.


I don't know much Lisp, but your code is wonderfully readable! Great job!


Thanks. It was a really fun project. There were a lot of things to keep track of so readability of the code was a big help to not lose the big picture.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: