Re: Best Practice of Creating TLS Client /Server in C?

On Fri, Feb 11, 2022 at 09:13:05PM +0000, Joseph Chen via openssl-users wrote:

> Could someone point me to some good reads or C code examples for
> creating a TLS client/server with best practices?

Best practices vary between applications.  For example, a
Web browser retrieving an HTTPS URL and an MTA SMTP client doing
opportunistic STARTTLS face rather different requirements.

In Postfix, you'll find clean, well commented code that handles
the SMTP use-case, and supports strict verification modes, but
defaults to unauthenticated TLS.  So you'd have to understand
which knobs to set to get the behaviour you want.

The upside is that the range of possible behaviours is broad, so it can
be tuned to meet the needs of most applications.  The downside is that
there's a lot of application code there above OpenSSL to support all
those options.

In particular the resumption support depends on a peer application
service that caches serialised sessions and handles session ticket
rollover.  The SNI support uses key/value lookup tables, where the table
value is a serialised PEM file with the private key and cert chain.
Loading of private key and cert chain is atomic when both are in the
same file (file opened just once)...  All this requires custom code.

So this codebase is a "maximal viable" variant.  If you want "minimal
viable", you'll need to look elsewhere.

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c
    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c

-- 
    Viktor.


