SSL/TLS client command line API?

Denys Vlasenko vda.linux at googlemail.com
Thu Jan 19 14:17:35 UTC 2017 

Hi folks,

So far bbox is completely SSL/TLS-illiterate.
wget can't talk HTTPS. sendmail groks neither
smtps not STARTTLS command.
nc can't do TLS either.

Now that I have some code reaching a state where
it does talk TLS 1.2, the question is how to integrate it.

TLS i/o entails some buffering. I feel it would be better
if we don't complicate other applets code with changes to
accomodate that. Even if at first it looks "easy",
just replace

    write(fd, buf, len)
with
    tls_write(tls, buf, len)

it quickly becomes much more difficult when you need a proper
bidirectional piping, not a simple synchronous blocking reads
and writes.

wget already has a solution. It forks a child which does TLS magic,
and talks to it over an ordinary socketpair.
Right now it launched either "openssl s_client" or our own separate
helper utility linked against a SSL library.

Our helper works like this:

ssl_helper -d N

it talks TLS over fd N, passing plaintext from/to stdin/out.

In order to add a real applet, I looked for an SSL/TLS client tool
in widespread use to emulate, and did not find one with a suitable API.

"openssl s_client" is not a production tool, it's a debug thing.
Bigger problem is, it can't be handed a fd to perform TLS on,
it takes hostname. Meaning, wget can't launch it saying "here's
a socket I already opened, please wrap it in TLS".

This second problem is shared by stunnel, various flavors of
"enhanced netcats" with --ssl options etc: none of them will wrap
a given fd.

Do you know a tool whose command line is suitable for us?

If bbox has to invent its own, how about this:

ssl_client -sN [-rM] [--sni HOST]

    send/recv TLS data over fds N and M
    --sni NAME: send SNI in TLS handshake (wget needs this for vhosts)

This can be used by wget, sendmail (, ftps?)

ssl_client HOST[:PORT] [-e PROG] [other nc-like opts]

    netcat-like operation

Possible later we can add "ssl_server" applet, if necessary.
(SSL client and server handshake is not particularly symmetrical,
for coder sanity it makes sense to keep them separate.
See tftp.c for a nightmarish entangled code which does both at once
for a rather simple TFTP protocol).

More information about the busybox mailing list