lua-l archive



Phone sent before I was ready :-) At end of text below I meant to say ‘LuaSec says in its changelog “added integration with luaossl” at release 0.7.’

The code is there (use a precreated luaossl context for the session instead of a LuaSec initialised one) but it doesn’t work.

I wanted that feature so I could use LuaSec with certificates expressed as data already loaded into memory, whereas LuaSec’s own context-creation API only allows you to specify certificates via the name of an already existing file. 

I can dig out those fixes too if anyone would like them.

(I also added a keylog callback function to LuaSec that can be used to emulate Firefox’s and Chrome’s behaviour when used with the SSLKEYLOGFILE environment variable. Dangerous but useful for research purposes: dumps all TLS key material for every TLS connection, even TLS 1.3, so you can decrypt sniffed traffic later on like Wireshark does.)

 

On 17 Feb 2021, at 01:28, Paul Ducklin <pducklin@outlook.com> wrote:

>>> Why not send patches upstream?
>> 
> Do you or William accept suggested patches by email? (I’m not a GitHub user.)
> 
> Bodges I made to my own build include: 
> 
> * Change to allow a digest of NULL without which Ed25519 signatures cannot [?] be specified
> 
> * That Y2K bug you guys already fixed.
> 
> * Code to make # work with X509 chains due to no more ipairs() metamethod, so you can use a loop to go through the chain.
> 
> * Very basic (incomplete) code to call AEAD gettag and settag functions. (No support for additional data or IVs other than 12 bytes.)
> 
> Er, that’s it.
> 
>> Which integration is that? (how can it both be claimed *and* undocumented?)
> 
> If you say “this code has X” but then you don’t tell anyone how to use X (and, indeed, X is broken anyway), that is claimed, undocumented and broken :-)
> 
> You can 
> LuaSec’s changelog mentioned somewhere (and included code, might
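
The key material that an SSLKEYLOGFILE-style log holds follows the NSS key log format that Wireshark reads. The Python sketch below is an added example, not code from this thread or from LuaSec: it parses a constructed log and reports, per client random, how much of each session the logged secrets expose. The function names and all sample values are made up for illustration.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format (what SSLKEYLOGFILE consumers read).
TLS12 = {"CLIENT_RANDOM"}                      # value: 48-byte master secret
TLS13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
         "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
         "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
LINE = re.compile(r"([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)")

def parse_keylog(text):
    """Return ({client_random_hex: {label: secret}}, [rejected line numbers])."""
    sessions, rejected = defaultdict(dict), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.fullmatch(line)
        label, rand, secret = m.groups() if m else (None, None, "")
        size = len(secret) // 2
        # Master secrets are 48 bytes; TLS 1.3 secrets are hash-sized (32 or 48).
        if (label in TLS12 and size == 48) or (label in TLS13 and size in (32, 48)):
            sessions[rand.lower()][label] = bytes.fromhex(secret)
        else:
            rejected.append(n)
    return dict(sessions), rejected

def exposure(sessions):
    """Say how much application data each logged session gives away."""
    out = {}
    for rand, secrets in sessions.items():
        if "CLIENT_RANDOM" in secrets:
            out[rand] = "TLS<=1.2: both directions"
        else:
            dirs = [d for d in ("CLIENT", "SERVER") if d + "_TRAFFIC_SECRET_0" in secrets]
            out[rand] = "TLS1.3: " + ("both directions" if len(dirs) == 2
                                      else dirs[0].lower() + " only" if dirs
                                      else "no application traffic secret")
    return out

# Constructed sample (patterned bytes, not real key material).
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "a1" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "b2" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "b3" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "b4" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "b5" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "c1" * 32,  # one direction only
    "CLIENT_RANDOM " + "44" * 32 + " " + "d1" * 16,            # truncated: rejected
])
```

Every accepted line is enough on its own to decrypt captured traffic for that session, so a file like this needs the same handling as a private key.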