[botan-devel] New TLS implementation
lloyd at randombit.net
Fri Jan 27 22:33:58 EST 2012
I've been spending a bit of time working on botan's TLS implementation
in a branch. It seems like the higher level APIs have settled in at
this point, though there are number of new features I still want to
add and a lot of refactoring before I'd consider it stable. But at
this point it adds (vs the version in 1.10.1):
* Event driven I/O. A TLS server using ASIO and a select-driven TLS
client are included in the examples. The interface is a bit unusual;
I think it works well, but I'd love some feedback.
* Client certificate authentication
* Renegotiation support (including the secure renegotiation extension)
* TLS 1.2 including SHA-256/SHA-384 ciphersuites and SHA-2 signing
* ECDH key exchange
* Session resumption for clients and servers. Currently the only
implemented session manager is one that stores in-memory but a
version using flat files or sqlite would be easy to write and plug in.
* PSK key exchange (including DHE_PSK and ECDHE_PSK)
* About half of SRP key exchange (not working yet but will be there soon)
* Support for multiple certificates in servers (application can choose
based on hostname or other logic)
* Maximum fragment length extension
* Next protocol negotiation extension
You can find the work in the net.randombit.botan.tls-state-machine branch.
I've put up a tarball of a recent version at
Be warned that all APIs in this release are subject to change in
Comments/bug reports most welcome.
More information about the botan-devel