Adding TLS to Zap

I like Zap, but I would like a blazingly secure backend. I am willing to put in legwork to extract out the underlying components. However, I am an idiot, and I have no idea what I’m doing.

So far I have added the fio_tls header and c files (as well as include path) to the patched implementation. When moving to define(declare?) the fio_tls_s struct within Zap proper, it has a member -or several- which seem to pull from the system library. Notably these are structs: alpn_list_s, cert_ary_s, trust_ary_s, and SSL_CTX (I think).

I am now overwhelmed by where to onboard the openssl system library, and if that is even the proper move. Using multiple @cImport()s is not good behavior, and butchering how the project is laid out to naively implement changes is probably also not good behavior. If access to these structs are already exposed through then how would I be able to access them?

I admit I am an amateur hobbyist, not experienced, seasoned, or a professional by any stretch of the imagination. If there is a better way to approach this problem from a communication standpoint, please let me know.

Hi, welcome to the community! That’s great, I really like Zap, too! Just started looking into it, though, so I don’t think I’d be much help. Also, since it’s a Zap-specific question you should try asking it on the Zap’s Discord as well.

1 Like

Why using OpenSSL rather than another TLS library? GnuTLS, for instance, is simpler for the programmer.

I am trying to expose the TLS system already available in facilio, by simply pulling it through into Zap. I am uncertain how to safely or reliably bypass/supplant facilio’s TLS operations. (I don’t even know that facilio uses openssl explicitly, just started hunting for what alpn_list_s was.)

1 Like

Sadly, OpenSSL is the best for most use cases, especially the production environments. GNU TLS at least attempt had a fairly poor non-blocking mode where you couldn’t get rid of some of the internal buffering.

OpenSSL isn’t much better. It has a few (too many) all poorly documented ways all built for various customers, but at least you can rewrite the internal buffering to use your buffers. Still a monumental pain from lack of documentation.

I saw a bunch of pre-main TLS stuff go by yesterday and got a little worried about it, but I don’t know what it did.

1 Like