LuaSec – TLS/SSL Support for Lua


LuaSec is a binding for the OpenSSL library that provides TLS/SSL communication. This version delegates the establishment of the TCP connection between client and server to LuaSocket; once the connection is established, it is used to start a secure TLS/SSL session.

For example, this is an implementation of a client and a server using LuaSec:

Client:

    require("socket")
    require("ssl")

    -- TLS/SSL client parameters (omitted)
    local params

    local conn = socket.tcp()
    conn:connect("127.0.0.1", 8888)

    -- TLS/SSL initialization
    conn = ssl.wrap(conn, params)
    conn:dohandshake()
    --
    print(conn:receive("*l"))
    conn:close()

Server:

    require("socket")
    require("ssl")

    -- TLS/SSL server parameters (omitted)
    local params

    local server = socket.tcp()
    server:bind("127.0.0.1", 8888)
    server:listen()
    local conn = server:accept()

    -- TLS/SSL initialization
    conn = ssl.wrap(conn, params)
    conn:dohandshake()
    --
    conn:send("one line\n")
    conn:close()

To start the secure connection, LuaSec must know some connection parameters, such as the protocol to be used, the key, the certificate, etc. These parameters can be passed directly to ssl.wrap, or they can be used to create a context, which is more appropriate for the server side.

The parameters are provided through a Lua table. For example, in the example above we can use these tables:

Client:

    -- TLS/SSL client parameters
    local params = {
      mode = "client",
      protocol = "sslv3",
      key = "/etc/certs/clientkey.pem",
      certificate = "/etc/certs/client.pem",
      cafile = "/etc/certs/CA.pem",
      verify = "peer",
      options = "all",
    }

Server:

    -- TLS/SSL server parameters
    local params = {
      mode = "server",
      protocol = "sslv3",
      key = "/etc/certs/serverkey.pem",
      certificate = "/etc/certs/server.pem",
      cafile = "/etc/certs/CA.pem",
      verify = {"peer", "fail_if_no_peer_cert"},
      options = {"all", "no_sslv2"},
      ciphers = "ALL:!ADH:@STRENGTH",
    }
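
The context approach mentioned above, as an added example that is not LuaSec project code: the server builds one context with ssl.newcontext, reuses it for every accepted connection, and checks the result of each step. It assumes a LuaSec and OpenSSL build newer than the versions listed on this page, so that "tlsv1_2" and "no_sslv3" are accepted (SSLv3 is prohibited by RFC 7568); the cipher string, the 10-second timeout and the helper name `secure` are choices made for this example.

```lua
-- Added example, not LuaSec project code.
local socket = require("socket")
local ssl    = require("ssl")

-- File paths are the ones from the server table on this page.
-- Assumption: LuaSec/OpenSSL newer than the versions this page lists,
-- so "tlsv1_2" and "no_sslv3" are accepted protocol/option names.
local params = {
  mode        = "server",
  protocol    = "tlsv1_2",
  key         = "/etc/certs/serverkey.pem",
  certificate = "/etc/certs/server.pem",
  cafile      = "/etc/certs/CA.pem",
  verify      = {"peer", "fail_if_no_peer_cert"},
  options     = {"all", "no_sslv2", "no_sslv3"},
  ciphers     = "HIGH:!aNULL:@STRENGTH",  -- example choice, no anonymous suites
}

-- Key, certificate and CA file are loaded once here, not once per client.
local ctx, err = ssl.newcontext(params)
if not ctx then error("cannot create TLS context: " .. tostring(err)) end

local server = assert(socket.tcp())
assert(server:bind("127.0.0.1", 8888))
assert(server:listen())

-- Wrap one accepted TCP socket; returns the TLS connection, or nil and an error.
local function secure(tcp)
  local conn, werr = ssl.wrap(tcp, ctx)
  if not conn then tcp:close() return nil, werr end
  conn:settimeout(10)  -- bound the handshake so a stalled peer cannot hang the loop
  local ok, herr = conn:dohandshake()
  if not ok then conn:close() return nil, herr end
  return conn
end

while true do
  local tcp = server:accept()
  if tcp then
    local conn, serr = secure(tcp)
    if conn then
      conn:send("one line\n")
      conn:close()
    else
      -- Missing client certificate, untrusted CA or protocol mismatch: drop this client only.
      io.stderr:write("TLS setup failed: ", tostring(serr), "\n")
    end
  end
end
```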

Download

LuaSec no longer provides the LuaSocket API, i.e., you must download and install LuaSocket yourself.

All the tests were performed on Linux, Windows XP, and BSD, using Lua 5.1, LuaSocket 2.0.2, and OpenSSL 0.9.7/0.9.8.

License

The module uses part of LuaSocket 2.0.2, and it is available under the same terms and conditions as the Lua language and LuaSocket 2.0.2, the MIT license.

Contact


Last update: 15-Jan-2009 10:15