bannsec / cosmosocks

Socks server written in Cosmopolitan libc
GNU General Public License v3.0

TLS Listening Port #9

Open bannsec opened 1 year ago

bannsec commented 1 year ago

Cosmopolitan Libc has been improving SSL support. An option to have the listener be SSL/TLS would be interesting.

jart commented 1 year ago

Cosmopolitan Libc has MbedTLS in the mono repo. Would you need us to export that to be part of the amalgamation so you could depend on it like Redbean? Or would you rather copy our third_party/mbedtls folder into your project?

bannsec commented 1 year ago

To be honest, I still need to research how to accomplish TLS with Cosmopolitan. Is there a preferred method?

jart commented 1 year ago

The preferred method is to use MbedTLS. If you want to see the simplest possible example of something that uses pre-shared key TLS to secure its communications, check out runit:

To see something that does full-blown TLS, check out Redbean:

To see an example of how certificates can be generated:

To check out my crypto optimizations that make it wicked fast:

While I'm here, I also want to strongly recommend using pledge() and unveil() in your server. It can function like a sandbox on Linux and OpenBSD. On other platforms it does nothing. This will help keep your server safe in case it has any bugs. We also have MODE=asan which is good for security too, since it adds another ring to your defense in the sense that if a security issue is discovered, it should result in the server crashing with a report rather than being compromised. To see an example pledge()/unveil() policy that I recommend to redbean users, just translate this from Lua to C code:

function OnWorkerStart()
    -- Runs in each forked worker: open what the worker needs for its
    -- whole life first, then lock it down.
    db = sqlite3.open("db.sqlite3")
    db:busy_timeout(1000)
    db:exec[[PRAGMA journal_mode=WAL]]
    db:exec[[PRAGMA synchronous=NORMAL]]
    db:exec[[SELECT x FROM warmup WHERE x = 1]]
    -- Resource ceilings: 100 MiB resident memory, 4 seconds of CPU time.
    assert(unix.setrlimit(unix.RLIMIT_RSS, 100 * 1024 * 1024))
    assert(unix.setrlimit(unix.RLIMIT_CPU, 4))
    -- Filesystem view: read, write and create only under these paths;
    -- unveil(nil, nil) commits the list so no further paths can be added.
    assert(unix.unveil("/var/tmp", "rwc"))
    assert(unix.unveil("/tmp", "rwc"))
    assert(unix.unveil(nil, nil))
    -- Syscall allow-list. The penalty mode makes a violating call fail
    -- with EPERM instead of killing the worker.
    assert(unix.pledge("stdio flock rpath wpath cpath", nil,
                       unix.PLEDGE_PENALTY_RETURN_EPERM))
end
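The Lua policy above, carried over to C as an added example. This is not code from cosmosocks, redbean or the issue thread; it is a translation written for this page. It assumes that a cosmocc build declares pledge() and unveil() in <unistd.h> and exposes the penalty setting as the `__pledge_mode` global in `libc/calls/pledge.h` (both assumed, not confirmed by the thread), and it supplies no-op shims for pledge()/unveil() when built with a stock libc, mirroring the "does nothing on other platforms" behaviour jart describes, so the resource-limit part can still be exercised there. The SQLite warm-up is left out since it is not part of the sandbox.

```c
// Added example: the redbean OnWorkerStart() sandbox policy translated to
// C for a Cosmopolitan Libc build. Not project code; header locations and
// the stock-libc shims are assumptions.
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

#ifdef __COSMOPOLITAN__
#include "libc/calls/pledge.h"   /* assumed home of __pledge_mode */
#else
/* Assumption: a stock libc has no pledge()/unveil(). These shims reproduce
 * the no-op behaviour on unsupported platforms so the policy still links. */
static int pledge(const char *promises, const char *execpromises) {
  (void)promises; (void)execpromises;
  return 0;
}
static int unveil(const char *path, const char *permissions) {
  (void)path; (void)permissions;
  return 0;
}
#endif

/* Lower both soft and hard limit to `value`, clamped to the current hard
 * limit: an unprivileged process cannot raise a hard limit, so asking for
 * more than it already has would fail with EPERM. */
static int cap_rlimit(int resource, rlim_t value) {
  struct rlimit rl;
  if (getrlimit(resource, &rl) == -1) return -1;
  if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < value) value = rl.rlim_max;
  rl.rlim_cur = value;
  rl.rlim_max = value;
  return setrlimit(resource, &rl);
}

/* Call once per worker after fork(), after opening anything the worker
 * keeps for its whole life, and before touching untrusted input.
 * Returns 0, or -1 with errno set and the failing step named in *step.
 * Treat any failure as fatal: a worker that silently runs without its
 * sandbox is worse than one that exits. */
static int sandbox_worker(const char **step) {
  *step = "setrlimit(RLIMIT_RSS)";
#ifdef RLIMIT_RSS
  if (cap_rlimit(RLIMIT_RSS, 100 * 1024 * 1024) == -1) return -1;
#endif
  *step = "setrlimit(RLIMIT_CPU)";
  if (cap_rlimit(RLIMIT_CPU, 4) == -1) return -1;

  /* unveil() comes before pledge(): the promise list below does not
   * include "unveil", so no paths can be added after pledging. */
  *step = "unveil(/var/tmp)";
  if (unveil("/var/tmp", "rwc") == -1) return -1;
  *step = "unveil(/tmp)";
  if (unveil("/tmp", "rwc") == -1) return -1;
  *step = "unveil(commit)";
  if (unveil(0, 0) == -1) return -1;   /* NULL, NULL freezes the view */

#ifdef __COSMOPOLITAN__
  /* Lua's third argument: violations return EPERM instead of killing. */
  __pledge_mode = PLEDGE_PENALTY_RETURN_EPERM;
#endif
  *step = "pledge";
  if (pledge("stdio flock rpath wpath cpath", 0) == -1) return -1;

  *step = "ok";
  return 0;
}

int main(void) {
  const char *step = "?";
  if (sandbox_worker(&step) == -1) {
    fprintf(stderr, "sandbox failed at %s: %s\n", step, strerror(errno));
    return 1;
  }
  puts("worker sandboxed");
  return 0;
}
```

Two checks worth keeping when wiring this into a server: run it after the listening socket and any long-lived files are open, because the promise list has no "inet" and the unveil list covers only /tmp and /var/tmp; and log the failing step rather than ignoring the return value, so a kernel that lacks the underlying sandboxing support shows up as a startup error instead of an unsandboxed worker.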