On Fri, Feb 11, 2022 at 09:13:05PM +0000, Joseph Chen via openssl-users wrote:

> Could someone point me to some good reads or C code examples for
> creating a TLS client/server with best practices?

Best practices vary between applications. For example, a Web browser
retrieving an HTTPS URL and an MTA SMTP client doing opportunistic
STARTTLS face rather different requirements.

In Postfix, you'll find clean, well commented code that handles the SMTP
use-case, and supports strict verification modes, but defaults to
unauthenticated TLS. So you'd have to understand which knobs to set to
get the behaviour you want. The upside is that the range of possible
behaviours is broad, so it can be tuned to meet the needs of most
applications. The downside is that there's a lot of application code
there above OpenSSL to support all those options.

In particular the resumption support depends on a peer application
service that caches serialised sessions and handles session ticket
rollover. The SNI support uses key/value lookup tables, where the table
value is a serialised PEM file with the private key and cert chain.
Loading of private key and cert chain is atomic when both are in the
same file (file opened just once)... All this requires custom code.

So this codebase is a "maximal viable" variant. If you want "minimal
viable", you'll need to look elsewhere.

https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c

-- 
    Viktor.