
Examples of handling TOFU and client certificates with mbedTLS (in C)?


As a rite of passage I've decided to make a Gemini client in C, and as I'm new to SSL/networking, I have no idea how to handle TOFU or client certificates with mbedTLS. Has anyone else specifically made a gemini client with it?


Or would you recommend that I try to figure out another SSL library? I avoided OpenSSL because the documentation seemed incomprehensible, but mbedTLS' documentation isn't much better.


As an aside, I think I'm gonna avoid C for the server, the amount of rookie mistakes I made while making the client was kinda scary. (I learnt that strncpy doesn't always null-terminate the hard way.)


#certificates #client_certificates #encryption

Posted in: s/Gemini

🤖 QuARC

Mar 21 · 2 months ago · 👍 norayr
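The TOFU half of the question, as an added example that is not code from the post, from QuARC or from mbedTLS: the known-hosts decision logic a Gemini client needs once it has the server certificate's fingerprint. It assumes the caller has configured mbedTLS with mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL) so a self-signed certificate does not abort the handshake, and hashes the DER bytes in mbedtls_ssl_get_peer_cert(&ssl)->raw with mbedtls_sha256() before calling tofu_check(); the host names and fingerprints used in the code are constructed.

```c
/* Added TOFU example, not from the post or from mbedTLS. Assumed caller flow:
 * mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL), then hash the DER in
 * mbedtls_ssl_get_peer_cert(&ssl)->raw with mbedtls_sha256() and pass the hex digest here. */
#include <stdio.h>
#include <string.h>
#define FP_HEX_LEN 64   /* SHA-256 as lowercase hex */
#define MAX_HOSTS  64
typedef enum { TOFU_FIRST_USE, TOFU_MATCH, TOFU_MISMATCH } tofu_result;
typedef struct { char host[256]; char fp[FP_HEX_LEN + 1]; } tofu_entry;
typedef struct { tofu_entry e[MAX_HOSTS]; size_t n; } tofu_store;
tofu_store known_hosts;   /* static storage, so zero-initialised */

/* Key is "host:port" as dialled. A pin is created once and never replaced here:
 * a changed fingerprint is reported to the caller, not silently accepted. */
tofu_result tofu_check(tofu_store *s, const char *hostport, const char *fp_hex)
{
    for (size_t i = 0; i < s->n; i++)
        if (strcmp(s->e[i].host, hostport) == 0)
            return strcmp(s->e[i].fp, fp_hex) == 0 ? TOFU_MATCH : TOFU_MISMATCH;
    if (s->n == MAX_HOSTS || strlen(fp_hex) != FP_HEX_LEN ||
        strlen(hostport) >= sizeof s->e[0].host)
        return TOFU_MISMATCH;   /* cannot record it, so do not trust it */
    /* snprintf always NUL-terminates, unlike the strncpy pitfall from the post */
    snprintf(s->e[s->n].host, sizeof s->e[s->n].host, "%s", hostport);
    memcpy(s->e[s->n].fp, fp_hex, FP_HEX_LEN + 1);
    s->n++;
    return TOFU_FIRST_USE;
}

/* Persist as "host:port fingerprint" lines, in the spirit of ssh's known_hosts. */
int tofu_save(const tofu_store *s, const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    for (size_t i = 0; i < s->n; i++)
        fprintf(f, "%s %s\n", s->e[i].host, s->e[i].fp);
    return fclose(f);
}

/* Reload; each line re-enters through tofu_check, so malformed or duplicate lines fail. */
int tofu_load(tofu_store *s, const char *path)
{
    char host[256], fp[FP_HEX_LEN + 1];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    s->n = 0;
    while (s->n < MAX_HOSTS && fscanf(f, "%255s %64s", host, fp) == 2)
        if (tofu_check(s, host, fp) != TOFU_FIRST_USE) { fclose(f); return -1; }
    return fclose(f);
}
```

On TOFU_MISMATCH the client should refuse the connection and show both fingerprints, since a changed certificate is indistinguishable from an interception attempt without out-of-band confirmation. Client certificates, the other half of the question, are loaded in mbedTLS with mbedtls_x509_crt_parse_file() and mbedtls_pk_parse_keyfile() and attached with mbedtls_ssl_conf_own_cert(); that part is not shown here.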


3 Comments ↓


🧇 Acidus · Mar 21 at 17:12:

I don't have direct experience, but I suggest using OpenSSL:


1- you know OpenSSL is still going to be supported and up-to-date a year or 2 from now.

2- there are lots of examples out there for it, especially for C

3- if you are going to write your server in another language, there are most likely going to be openssl bindings, so your knowledge is transferable


๐Ÿ™ norayr ยท Mar 23 at 01:21:

i researched all embedded tls libraries and have chosen mbedtls so i think your choice is good.


i used it because i wanted to be able to write an https client in oberon.


so first i wrote a http client, implemented only GET request for case when the content-length is known or not known. i also implemented basicauth:


— http library in oberon


then i made the mbedtls wrapper and inherited from http class, and by changing just four methods (for read, write, connect, disconnect) by new functions that use mbedtls, was able to implement https connections:


— https://github.com/norayr/mbedtls


sorry, no documentation or readme yet.


๐Ÿ™ norayr ยท Mar 23 at 01:27:

you can find the oberon code there that uses the /etc/ssl/ca-certificates bundle or it can just present root certificate of letsencrypt if the server certificate is issued by letsencrypt. this way the memory footprint is much less.


i think i stumbled upon memory bug in recent versions of mbedtls and i was using older versions from other branch, i think something like 2.16 didn't have memory problems i encountered with newer versions.


my c test program was crashing and i tried moving a global variable into a function and got the program killed by stack protector. so it looked to me that newer versions have memory bug, so normal for c project.


i also want to implement gemini protocol one day in oberon.


-- Page fetched on Sun May 19 19:38:48 2024