vi / websocat

Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
MIT License
6.73k stars, 259 forks

Setting TLS options #101

Open karnal222 opened 3 years ago

karnal222 commented 3 years ago

What kind of TLS/crypto library does websocat use under the hood? I guess it is something Rust-based and not the OS library? Would it be possible to get access to some lower-level functions like setting ciphers and the like? Or at least some sane defaults like forcing use of TLS 1.3 and disabling insecure stuff?

vi commented 3 years ago

Currently it uses the native-tls library, which delegates to OpenSSL on GNU/Linux, FreeBSD and Android, and to the respective platform-specific API on Mac and Win.

TLS options for clients and servers can probably be implemented (unlikely before I migrate the codebase to modern dependencies).


If you want to set TLS options for a client and don't require performance, you can use the socat/openssl s_client workaround, delegating TLS work from Websocat to an external program.

If you want to set TLS options for a server, just use Nginx as a frontend, delegating algorithm selection to it and pointing the already-decrypted traffic to Websocat.
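The two workarounds above, as an added example (this is not the websocat project's code and was not posted in the issue). It assumes websocat 1.x address syntax (`ws-c:`, `cmd:`, `--ws-c-uri`), OpenSSL 1.1.1+ `s_client` output, placeholder host, port, path and certificate paths, and a websocat listener on 127.0.0.1:8080 for the Nginx side. The `s_client` transcript the script parses is constructed inline so it runs offline; `probe_tls` is the only function that touches the network.

```shell
#!/bin/sh
# Added example, not websocat's own code. Shows (1) running websocat's
# WebSocket client over an openssl s_client transport so TLS policy is set
# outside native-tls, (2) checking what s_client actually negotiated, and
# (3) an nginx frontend that terminates TLS for a websocat server.
# Assumptions: placeholder host/port/path below; websocat 1.x syntax.

HOST="${WS_HOST:-example.com}"   # placeholder
PORT="${WS_PORT:-443}"           # placeholder
WS_PATH="${WS_PATH:-/}"          # placeholder

# Client side. ws-c: wraps an existing byte stream as the WebSocket
# transport; cmd: supplies that stream from a child process. websocat does
# not do TLS itself here, so --ws-c-uri stays ws:// and only feeds the
# handshake's Host header and path. On the s_client side:
#   -quiet               implies -ign_eof and disables the Q/R key handling
#   -verify_return_error abort on a failed certificate check (by default
#                        s_client prints a warning and carries on anyway)
#   -tls1_3              the policy the issue asks for: TLS 1.3 only
websocat_via_s_client() {
  printf "websocat -t --ws-c-uri='ws://%s%s' - ws-c:cmd:'openssl s_client -quiet -verify_return_error -connect %s:%s -servername %s -tls1_3'" \
    "$HOST" "$WS_PATH" "$HOST" "$PORT" "$HOST"
}

# Parse the "New, TLSv1.3, Cipher is ..." (or "Reused, ...") line from
# s_client output on stdin and print "<version> <cipher>". A handshake
# that was refused (e.g. server without TLS 1.3) shows up as "(NONE) (NONE)".
negotiated_tls() {
  awk -F', ' '/^(New|Reused), / { split($3, c, " is "); print $2, c[2]; exit }'
}

# Exit status 0 only if the session on stdin is TLS 1.3.
tls_is_v13() {
  [ "$(negotiated_tls | cut -d' ' -f1)" = "TLSv1.3" ]
}

# Live check (network): same s_client policy, without websocat and without
# -quiet (which would suppress the session line we parse).
probe_tls() {
  openssl s_client -connect "$HOST:$PORT" -servername "$HOST" -tls1_3 \
    -verify_return_error </dev/null 2>/dev/null | negotiated_tls
}

# Server side: nginx terminates TLS with its own policy and proxies the
# decrypted WebSocket to websocat listening on plain ws:// (assumed
# started as: websocat -t ws-l:127.0.0.1:8080 -). Paths are placeholders.
nginx_frontend_conf() {
  cat <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1.3;
    location /ws {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# Constructed s_client transcript (not captured from a real server).
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---'

main() {
  echo "client command:"
  websocat_via_s_client
  echo
  echo "sample transcript negotiated: $(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | negotiated_tls)"
  if printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | tls_is_v13; then
    echo "TLS 1.3 confirmed"
  fi
}
main
```

Run `eval "$(websocat_via_s_client)"` to start the client; `probe_tls` against the same host tells you whether the `-tls1_3` policy is actually honoured before you wire websocat behind it. With socat instead of `s_client`, the equivalent is an `OPENSSL:host:port,verify=1,cafile=...` address: the point of either wrapper is that certificate verification must fail closed, which `s_client` does not do unless told.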

karnal222 commented 3 years ago

When I set custom parameters in openssl.cnf, it works using socat. Without it, the file is ignored. Is there maybe some way to tell native-tls about the config file? I see some options for setting TLS versions here: https://docs.rs/native-tls/0.2.6/src/native_tls/lib.rs.html#1-689 However, I'm not familiar with Rust, and I guess you'd at least need to rebuild websocat or even native-tls?