Swiftpack.co - Package - apple/swift-nio-ssl

SwiftNIO SSL

SwiftNIO SSL is a Swift package that contains an implementation of TLS based on BoringSSL. This package allows users of SwiftNIO to write protocol clients and servers that use TLS to secure data in flight.

The name is inspired primarily by the name of the library this package uses (BoringSSL), and not because we don't know the name of the protocol. We know the protocol is TLS!

To get started, check out the API docs.

Using SwiftNIO SSL

SwiftNIO SSL provides two ChannelHandlers to use to secure a data stream: the NIOSSLClientHandler and the NIOSSLServerHandler. Each of these can be added to a Channel to secure the communications on that channel.

Additionally, we provide a number of low-level primitives for configuring your TLS connections. These will be shown below.

To secure a server connection, you will need an X.509 certificate chain in a file (either PEM or DER, but PEM is far easier), and the associated private key for the leaf certificate. These objects can then be wrapped up in a TLSConfiguration object that is used to initialize the ChannelHandler.

For example:

let configuration = TLSConfiguration.forServer(certificateChain: try NIOSSLCertificate.fromPEMFile("cert.pem").map { .certificate($0) },
                                               privateKey: .file("key.pem"))
let sslContext = try NIOSSLContext(configuration: configuration)

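let server = ServerBootstrap(group: group)
    .childChannelInitializer { channel in
        // important: The handler must be initialized _inside_ the `childChannelInitializer`
        do {
            let handler = try NIOSSLServerHandler(context: sslContext)

            // [...]
            return channel.pipeline.addHandler(handler)
            // [...] (chain any further handlers onto the returned future)
        } catch {
            // The initializer closure cannot throw, so report the error as a failed future.
            return channel.eventLoop.makeFailedFuture(error)
        }
    }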

For clients, it is a bit simpler as there is no need to have a certificate chain or private key (though clients may have these things). Setup for clients may be done like this:

let configuration = TLSConfiguration.forClient()
let sslContext = try NIOSSLContext(configuration: configuration)

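let client = ClientBootstrap(group: group)
    .channelInitializer { channel in
        // important: The handler must be initialized _inside_ the `channelInitializer`
        do {
            // serverHostname is a required argument since 2.0.0 (it may be nil); it is the
            // name used for SNI and hostname verification. "example.com" is a placeholder.
            let handler = try NIOSSLClientHandler(context: sslContext, serverHostname: "example.com")

            // [...]
            return channel.pipeline.addHandler(handler)
            // [...] (chain any further handlers onto the returned future)
        } catch {
            // The initializer closure cannot throw, so report the error as a failed future.
            return channel.eventLoop.makeFailedFuture(error)
        }
    }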

Releases

SwiftNIO SSL 2.10.1 -

SemVer Patch

  • Update BoringSSL to 4a265be4d931e35f0d108040c94d37bb49827948. (#256)

Other Changes

  • Add watchOS deployment to PodSpec build script (#252)

SwiftNIO SSL 2.10.0 -

SemVer Minor

  • Add NIOSSLCertificate debug description for useful debugging (#246)
  • Add NIOSSLCertificate serial number var, and add to printable description (#247)

SemVer Patch

  • Fix threading violation in KeyLogCallbackManager (#250)
  • Update BoringSSL version to 3989c99706bf30054798ff82f1cb010e50e385f5 (#249)

SwiftNIO SSL 2.9.2 -

SemVer Patch

  • Update BoringSSL to 67818bea6690a230e2f42e8a588e0f54949bbbf1 (#244)

Other Changes

  • Fixed a spelling error in a deprecation message. (#240, patch credit to @artemredkin)
  • Update CI to use the release version of Swift 5.3. (#241)
  • Update documentation to reflect that the default branch is now 'main'. (#243)

SwiftNIO SSL 2.9.1 -

SemVer Patch

  • Update BoringSSL to 1c58648f14ed75f2a8cc3ae08897987d97f493ec (#239)

Other Changes

  • Fix the -f option in build_podspec.sh. (#237, patch credit to @MrMage)

SwiftNIO SSL 2.9.0 -

SemVer Minor

  • Add option to specify signing and verification algorithms (#232, patch credit to @fourplusone)

SemVer Patch

  • Update BoringSSL to 54858b63c1d886f6c8d903d4a4f594f1485de189 (#235)

Other Changes

  • Fix inappropriate language in NIOSSL (#233)
  • Don't install Jazzy on Xenial (#234)

SwiftNIO SSL 2.8.0 -

SemVer Minor

  • Add support for custom verify callback to servers. (#226)

SemVer Patch

  • Silence #file/#filePath warnings in XCTest (#228)

SwiftNIO SSL 2.7.5 -

Semver Patch

  • Fixed crash when using custom verification callbacks in debug mode on Apple platforms. (#224)
  • Fixed issue where podspec depended on a specific NIO version. (#221)
  • Fixed issue where podspec had trouble pushing multiple modules. (#222)

SwiftNIO SSL 2.7.4 -

SemVer Patch

  • Enable X509_V_FLAG_TRUSTED_FIRST so the trust store is searched for issuer certificates before searching the untrusted certificates when building a certificates chain. (#220)
  • Update BoringSSL to 53a17f55247101105ae35767d5c5a6c311843a8e. (#218)
  • link swift-nio-extras in docs (#208)

SwiftNIO SSL 2.7.3 -

Semver Patch

  • Fixed a rare crash when tearing down connections. (#217)
  • Updated BoringSSL to 7c522995d1ea5386b3223a19b0f62e73c1f76b17. (#216)

SwiftNIO SSL 2.7.2 -

Semver Patch

  • Support @_implementationOnly on Swift 5.3. (#212)
  • Fixed broken docker builds. (#209, #214)
  • Fixed some flaky tests. (#213)

SwiftNIO SSL 2.7.1 -

Semver Patch

  • Fixed an issue whereby stopTLS had no timeout, so attempting to remove a handler from a pipeline could wedge it open. Timing out now fires an error and fails the promise, but does not close the channel. (#205, #206)

SwiftNIO SSL 2.7.0 -

SemVer Minor

  • universal bootstrap support (#185)
  • Fix for unprocessed data before closing throwing unnecessary errors (#198, patch credit to @agnosticdev)

SemVer Patch

  • Update BoringSSL to 5298ef99bf2b2d77600b3bb74dd572027bf495be (#200)
  • Get rid of do { ... } catch { ... } for expected errors (#19, patch credit to @shekhar-rajak)
  • fix typo in README (#195, patch credit to @realdoug)
  • Add Build Podspec Script (#193, patch credit to @Jake-Prickett)
  • update docs generation script to work better with selinux (#194)
  • Adjust import to allow for CocoaPod support (#192, patch credit to @Jake-Prickett)
  • Mitigate Folly/BoringSSL static linking issue. (#191)
  • Removed explicit Equatable implementations. (#187, patch credit to @agnosticdev)
  • Replace NIOSSLError.unableToAllocateBoringSSLObject with fatalError (#186, patch credit to @agnosticdev)
  • Swapped applicationProtocols check for encodedApplicationProtocols. (#184, patch credit to @agnosticdev)

SwiftNIO SSL 2.6.2 -

Semver Patch

  • Replace calls to deprecated SwiftNIO functions. (#183)

SwiftNIO SSL 2.6.1 -

SemVer Patch

  • Update BoringSSL to 21a879a78a60c8667468a9eba994c8365eaf92ea. (#182)
  • tell github that Sources/CNIOBoringSSL is vendored (#180)
  • Avoid curried thunks (workaround SR-12115) (#176)
  • improve docker security (#178)

SwiftNIO SSL 2.6.0 -

SemVer Minor

  • Provide better certificate verification callback (#171)
  • Add hashability to Certificate and PrivateKey (#169)

SemVer Patch

  • enable @_implementationOnly for Swift 5.3 (#174)
  • Add API for dumping certificate bytes. (#172)
  • Allow testing deprecated functions. (#170)
  • Update BoringSSL to 0deb91ab3f7e24307572497f0f7438684590bf92 (#167)

SwiftNIO SSL 2.5.0 -

SemVer Minor

  • Remove unsafe code from hostname verification (#166)
  • Better errors when we fail hostname verification (#165)

SemVer Patch

  • Add missing cases to == for NIOSSLError and BoringSSLError (#163)
  • tests: remove unused variable (#162)
  • test lots of closes (#161)

SwiftNIO SSL 2.4.5 -

SemVer Patch

  • Add regression limits for allocation tests. (#160)
  • Update BoringSSL to 134fb89c4f9da7903d9aa81c6bd1d3c466782de1 (#159)
  • Update Code of Conduct project maintainer email address (#157)
  • Refactor doUnbufferWrites reduce memory pressure (#155)
  • Add benchmarks. (#154)
  • add harness for performance tests (#156)
  • Add allocation counter tests. (#153)
  • Add regression test for executable stacks. (#152)

SwiftNIO SSL 2.4.4 -

Semver Patch

  • Fixed an issue where some symbols were not correctly namespaced on Linux. (#150)
  • Updated testing. (#145)
  • Updated BoringSSL to 6ba98ff. (#149)

SwiftNIO SSL 2.4.3 -

Semver Patch

  • Raised minimum dependency on SwiftNIO to 2.9.0 and removed build warnings. (#144)
  • Cleaned up internal use of the Swift pointer APIs to better reflect best practices. (#143)

SwiftNIO SSL 2.4.2 -

Semver Patch

  • Fixed compilation on Linux aarch64. (#141)
  • Improved testing. (#138)
  • Updated BoringSSL. (#142)

SwiftNIO SSL 2.4.1 -

Semver Patch

  • Fixed the namespacing of a number of BoringSSL functions. (#131)
  • Fix up some inline assembly. (#137)
  • CI and documentation fixes (#132, #133)

SwiftNIO SSL 2.4.0 -

SemVer Minor

  • Use UInt8 instead of Int8 for buffer types (#127)

SemVer Patch

  • Avoid using a deprecated enum case in the README (#126)
  • Use CInt and CUnsignedInt when calling C APIs (#128)
  • Don't pass read-only bytes as mutable to BoringSSL (#129)

SwiftNIO SSL 2.3.1 -

Semver Patch

  • Resolved an issue where compilation on 64-bit ARM platforms would fail due to missing compiler defines. (#125)

SwiftNIO SSL 2.3.0 -

Semver Minor

  • Added support for loading multiple certificates from a single PEM file or buffer, deprecated the old mechanism for doing so. (#123)

Semver Patch

  • Changed the BoringSSL header namespacing strategy to work better with swift package generate-xcodeproj-based Xcode projects. (#122)
  • Fix a crash when attempting to load a private key that is password protected without providing a password. (#119)
  • Clean up documentation. (#120)

SwiftNIO SSL 2.2.0 -

Semver Minor

  • Added support for TLS client authentication via renegotiation on the client side. (#111)
  • Hid BoringSSL properly from users. (#117)

Semver Patch

  • Updated BoringSSL to a86c69888b9a416f5249aacb4690a765be064969. (#118)
  • Miscellaneous testing improvements. (#114)

SwiftNIO SSL 2.1.1 -

Semver Patch

  • Removed assembly helpers for 32-bit Apple platforms, fixing compile issues. (#109)
  • Updated BoringSSL to cef9d3f38d72f13412c79157c25753e22cb05f7e. (#109)

SwiftNIO SSL 2.1.0 -

Semver Minor

  • Add a timeout to TLS shutdown, ensuring that channels don't get stuck open. (#100)
  • Add a callback that enables SSLKEYLOGFILE support. (#98)

Semver Patch

  • Correctly set SSL_VERIFY_FAIL_IF_NO_PEER_CERT when turning on cert verification. (#107)
  • Fix an issue where we use non-thread-safe buffers to print error strings. (#102)
  • Update BoringSSL. (#108)
  • Improve API docs. (#103)

SwiftNIO SSL 2.0.2 -

Semver Patch

  • Fixed an error when working on both SwiftNIO and SwiftNIO SSL in package edit mode. (#99)
  • Updated BoringSSL to ad9eee16. (#97)
  • Docs improvements. (#94, #95)

SwiftNIO 2.0.0 -

This is a major breaking release. SwiftNIO SSL 2.0.0 transitions SwiftNIO to use a vendored copy of BoringSSL instead of relying on the system copy of libssl.

Semver Major

  • Substantially renamed a number of types to remove the phrase "OpenSSL" from them. (#75)
  • NIOSSLClientHandler now requires a serverHostname, though it may still be nil. (#82)
  • uncleanShutdown was previously on OpenSSLError, is now on NIOSSLError. (#76)
  • Renamed SSLContext to NIOSSLContext. (#73)
  • Changed the type of TLSConfiguration.applicationProtocols to [String]. (#70)

SwiftNIO SSL 2.0.1 -

This release contains no function changes, and exists purely for administrative reasons.