jawj / subtls

A proof-of-concept TypeScript TLS 1.3 client
https://bytebybyte.dev
MIT License
351 stars, 15 forks

Any chance of a server implementation? #3

Open anderspitman opened 9 months ago

anderspitman commented 9 months ago

Hi @jawj, awesome project. I especially like that you're leveraging SubtleCrypto as much as possible.

I'm looking for a pure JS TLS server, and forge a) apparently doesn't support TLS 1.2/1.3 and b) looks pretty unmaintained in general.

Any chance you'll add a server implementation at some point? If not, any tips for if I were to attempt such a thing myself?

jawj commented 9 months ago

Interesting. I didn't have imminent plans to implement the server side of TLS. Can you outline how you'd find this useful?

anderspitman commented 9 months ago

For sure. The concept is actually very similar to your subtls-wsproxy script, but running a server instead of a client. I do a lot of work with tunneling. I'm working on a replacement for boringproxy that instead of running over SSH, works with several different transports including WebSockets. This opens up the possibility of running a web server in your browser. A few years ago I built a similar (but less generic) tool for work.

With a pure JS TLS 1.3 implementation (and ACME as well, which should be much simpler), it would be possible to run an end-to-end encrypted server.

In terms of uses, this is primarily useful for making files on your local machine available over URLs. What I'm planning to use it for next is integrating HTTP Signatures in the browser. This should enable me to build a browser app for exploring ActivityPub posts, even if the server requires signatures.

Sorry, that kind of ended up being a lot. Don't feel obligated to look too deeply into this unless you're curious. I don't think I'll be pushing the e2ee angle anytime soon. The tech works fine with server-side TLS termination. Downside is it requires the user to trust the tunnel provider/VPS it's running on.

jawj commented 9 months ago

Thanks, that's helpful detail. I'll keep this issue open and in the unlikely event I'm at a loose end one of these days I might have a look.

I don't have any particular tips on doing it yourself, except I suppose that what the client here expects and parses might be a good (and very concrete) guide to what the server should send.
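To make the last tip concrete, here is an added illustration (my own code, not part of subtls or anything jawj has published) of the "client's parser as the server's spec" idea: a small TLS 1.3 record, handshake and ServerHello codec in which the decoder applies the checks a client applies (legacy record version, record length limit, null compression, extension length), so a prototype server can round-trip its own output through the same validation before it ever talks to a real client. Wire layouts and constants are from RFC 8446; the function names, the `ServerHello` shape and the sample random/session id are my own and the sample values are constructed, not captured from a real handshake. Extensions are left empty, so this is structure only, not a complete ServerHello.

```typescript
// Added illustration, not code from subtls. Layouts per RFC 8446:
// record = type(1) | legacy_record_version(2) | length(2) | fragment (section 5.1)
// handshake = msg_type(1) | uint24 length | body (section 4)
const CONTENT_TYPE_HANDSHAKE = 22;
const HANDSHAKE_SERVER_HELLO = 2;
const LEGACY_RECORD_VERSION = 0x0303;   // TLS 1.3 still says "TLS 1.2" on the wire
const MAX_PLAINTEXT_FRAGMENT = 1 << 14; // 2^14 bytes; a client answers more with record_overflow
const TLS_AES_128_GCM_SHA256 = 0x1301;  // one of the TLS 1.3 cipher suites

function encodeRecord(type: number, fragment: Uint8Array): Uint8Array {
  if (fragment.length > MAX_PLAINTEXT_FRAGMENT) throw new Error(`fragment too long: ${fragment.length}`);
  const out = new Uint8Array(5 + fragment.length);
  const view = new DataView(out.buffer);
  out[0] = type;
  view.setUint16(1, LEGACY_RECORD_VERSION);
  view.setUint16(3, fragment.length);
  out.set(fragment, 5);
  return out;
}

interface TlsRecord { type: number; fragment: Uint8Array; rest: Uint8Array }

// Decoder applies the checks a client would apply before touching the fragment.
function decodeRecord(bytes: Uint8Array): TlsRecord {
  if (bytes.length < 5) throw new Error('truncated record header');
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const version = view.getUint16(1);
  const length = view.getUint16(3);
  if (version !== LEGACY_RECORD_VERSION) throw new Error(`bad legacy_record_version 0x${version.toString(16)}`);
  if (length > MAX_PLAINTEXT_FRAGMENT) throw new Error('record_overflow');
  if (bytes.length < 5 + length) throw new Error('truncated record body');
  return { type: bytes[0], fragment: bytes.subarray(5, 5 + length), rest: bytes.subarray(5 + length) };
}

function encodeHandshake(msgType: number, body: Uint8Array): Uint8Array {
  const out = new Uint8Array(4 + body.length);
  out[0] = msgType;
  out[1] = (body.length >>> 16) & 0xff;
  out[2] = (body.length >>> 8) & 0xff;
  out[3] = body.length & 0xff;
  out.set(body, 4);
  return out;
}

function decodeHandshake(bytes: Uint8Array): { msgType: number; body: Uint8Array } {
  if (bytes.length < 4) throw new Error('truncated handshake header');
  const length = (bytes[1] << 16) | (bytes[2] << 8) | bytes[3];
  if (bytes.length !== 4 + length) throw new Error('handshake length mismatch');
  return { msgType: bytes[0], body: bytes.subarray(4) };
}

// ServerHello body (section 4.1.3), extensions left empty in this sketch:
// legacy_version(2) random(32) session_id_echo(1+n) cipher_suite(2) compression(1) extensions(2+n)
interface ServerHello { random: Uint8Array; sessionIdEcho: Uint8Array; cipherSuite: number }

function encodeServerHello(hello: ServerHello): Uint8Array {
  if (hello.random.length !== 32) throw new Error('random must be 32 bytes');
  const body = new Uint8Array(2 + 32 + 1 + hello.sessionIdEcho.length + 2 + 1 + 2);
  const view = new DataView(body.buffer);
  let p = 0;
  view.setUint16(p, 0x0303); p += 2;
  body.set(hello.random, p); p += 32;
  body[p++] = hello.sessionIdEcho.length;
  body.set(hello.sessionIdEcho, p); p += hello.sessionIdEcho.length;
  view.setUint16(p, hello.cipherSuite); p += 2;
  body[p++] = 0;          // legacy_compression_method must be null (0)
  view.setUint16(p, 0);   // extensions length: none in this sketch
  return body;
}

function decodeServerHello(body: Uint8Array): ServerHello {
  if (body.length < 2 + 32 + 1) throw new Error('truncated ServerHello');
  const view = new DataView(body.buffer, body.byteOffset, body.byteLength);
  let p = 0;
  if (view.getUint16(p) !== 0x0303) throw new Error('bad legacy_version'); p += 2;
  const random = body.subarray(p, p + 32); p += 32;
  const sidLen = body[p++];
  if (body.length < p + sidLen + 2 + 1 + 2) throw new Error('truncated ServerHello');
  const sessionIdEcho = body.subarray(p, p + sidLen); p += sidLen;
  const cipherSuite = view.getUint16(p); p += 2;
  if (body[p++] !== 0) throw new Error('illegal_parameter: compression method');
  const extLen = view.getUint16(p); p += 2;
  if (p + extLen !== body.length) throw new Error('extensions length mismatch');
  return { random, sessionIdEcho, cipherSuite };
}

// Self-check a server would run on its own output: encode, then decode with client rules.
function roundTripServerHello(): ServerHello {
  const random = new Uint8Array(32).fill(0xaa);      // constructed sample, not a real random
  const sessionIdEcho = new Uint8Array([1, 2, 3]);   // constructed sample session id
  const wire = encodeRecord(CONTENT_TYPE_HANDSHAKE, encodeHandshake(HANDSHAKE_SERVER_HELLO,
    encodeServerHello({ random, sessionIdEcho, cipherSuite: TLS_AES_128_GCM_SHA256 })));
  const rec = decodeRecord(wire);
  if (rec.type !== CONTENT_TYPE_HANDSHAKE || rec.rest.length !== 0) throw new Error('unexpected record');
  const hs = decodeHandshake(rec.fragment);
  if (hs.msgType !== HANDSHAKE_SERVER_HELLO) throw new Error('expected ServerHello');
  return decodeServerHello(hs.body);
}
```

The value of the round trip is that every rejection path in the decoder (`record_overflow`, non-null compression, extension length mismatch) is exactly a case where a conforming client would abort with an alert, so a server prototype that passes this check has at least got the framing right before it is pointed at subtls or a browser.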