Hey! This is mine, and thanks to whoever posted it. I'm usually over on 68kmla and had to create an account here and have it approved, otherwise I would have replied earlier.
what does certificate validation look like? Do developers need to maintain a copy of root certs at all?
Getting the certs working was fun. Or rather not so much. I have two certs in my code, the ISRG Root X1 root cert, and a Let's Encrypt R11 intermediate cert. These are literally pasted back to back in the SSLWrapper file, and the code verifies the chain of trust from the server given by 640by480.com.
This isn't an ideal solution for a few reasons. First, I'm only concerned about getting data from _my_ server. So as long as I can get the chain of trust from my server, everything's cool. But I don't know if it would work with other servers. I mean it's a normal Let's Encrypt cert so it probably works with the vast majority of servers, but....
Secondly, storing the servers in the code isn't a great idea for maintainability or updates, and eventually this will stop working in a decade when the ISRG cert expires. But that can be fixed by storing the certs in a file (or resource, I guess) and issuing patches or something.
it's worth noting the readme implies it doesn't support TLS 1.2 yet (just 1.1). It shouldn't take a great deal to add that. TLS 1.3 will be a heavier lift, though.
Yes! You're right. The proof of concept is TLS 1.1, although most of the work to get 1.2 is in there. I literally just stopped when it worked with TLS 1.1 because I was already burnt out on the project (I just wanted to get data from my server over HTTPS). But the framework is there and I've already ported a lot of the 1.2 libraries. The CHACHA20 and POLY1305 stuff works, and I think getting TLS 1.2 is just a matter of getting the configs right.
I have some pretty high hopes for this. Last night I was talking with someone on the bay area retrocomputing discord that tried this
WITH A MACINTOSH II. It actually initialized the SSL stuff, but I'm pretty sure it's timing out in one or two areas. It might just work if I increase the SSL read timeout or the Open Transport socket timeout.
The fact that it runs at all is astonishing. The Mac II this was testing on had 68882 onboard, but it worked well enough that I'm trying to find a Mac LC with Ethernet to use as a low-end box for testing.
github.com
