Nim: Make SSL/TLS implementation pluggable

Created on 18 Jun 2020  路  7Comments  路  Source: nim-lang/Nim

Summary

Nim's TLS/SSL support is currently hardwired to use OpenSSL. Some programs may want to use alternate APIs (mbedTLS, wolfSSL, bearSSL, SecureTransport, etc.) for reasons of footprint, compatibility, security, etc. This should be possible without having to modify code in the standard library.

Description

Refactor Nim's socket implementation to split out the OpenSSL-dependent code and put a well-defined API in between, with a mechanism to swap in different implementations of that API, whether in the standard library or application-defined.

Additional Information

Forum comment by leorize:

the [TLS] implementation is currently integrated with net.Socket. You can open an issue on GitHub requesting a pluggable mechanism and I might look into it. It's not really that hard to replace the current system with a pluggable one, it's just that there aren't enough interest to go for it atm.

Stdlib
Source
picture snej
👍6

Most helpful comment

FYI, I'm motivated to work on this. If my team ends up choosing Nim to implement a project I'm speccing, we will probably need to use mbedTLS. I'm new to Nim but have a lot of experience with networking in C/C++.

picture snej on 18 Jun 2020
🚀33

All 7 comments

FYI, I'm motivated to work on this. If my team ends up choosing Nim to implement a project I'm speccing, we will probably need to use mbedTLS. I'm new to Nim but have a lot of experience with networking in C/C++.

snej picture snej on 18 Jun 2020
🚀33

Go for it. Just make sure changes are well tested.

dom96 picture dom96 on 19 Jun 2020

We will probably want #14556 in before getting started on this.

alaviss picture alaviss on 20 Jun 2020

After OpenSSL, GnuTLS appears to be relatively popular, followed by mbedTLS, according to statistics on Debian.
Yet, supporting multiple implementations, doing extensive testing, and maintaining them for whole lifetime of the libraries is quite a big amount of work. Are there other programming languages doing that as part of the stdlib?

FedericoCeratto picture FedericoCeratto on 24 Jun 2020

We really just need to make it pluggable. External implementations can be provided by 3rd party packages.

alaviss picture alaviss on 24 Jun 2020
👍2

Are there other programming languages doing that as part of the stdlib?

Go implemented its own TLS package, in keeping with its extreme NIH tendency.

Rust has native_tls which wraps the platform's TLS library, "SChannel on Windows (via the schannel crate), Secure Transport on OSX (via the security-framework crate), and OpenSSL (via the openssl crate) on all other platforms". But it does not appear to be part of the standard library as its repo is outside the Rust org on Github.

snej picture snej on 1 Jul 2020

Please support this issue.

AZ-X picture AZ-X on 19 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

koki-koba picture koki-koba  路  3Comments
SolitudeSF picture SolitudeSF  路  3Comments
Vindaar picture Vindaar  路  3Comments
zzz125 picture zzz125  路  4Comments
teroz picture teroz  路  3Comments