CL+SSL

A Common Lisp interface to OpenSSL.

About

This library is a fork of SSL-CMUCL. The original SSL-CMUCL source code was written by Eric Marsden and includes contributions by Jochen Schmidt. Development into CL+SSL was done by David Lichteblau. License: MIT-style.

Distinguishing features: CL+SSL is portable code based on CFFI and gray streams. It defines its own libssl BIO method, so that SSL I/O can be written over portable Lisp streams instead of bypassing the streams and sending data over Unix file descriptors directly. (But the traditional approach is still used if possible.)

Download

Anonymous CVS (browse):

$ cvs -d :pserver:anonymous:anonymous@common-lisp.net:/project/cl-plus-ssl/cvsroot cl+ssl

Tarballs are also available (but not always up-to-date).

Note that you need the libssl-dev package on Debian to load this package without manual configuration.

Send bug reports to cl-plus-ssl-devel@common-lisp.net (list information).

API functions

Function CL+SSL:MAKE-SSL-CLIENT-STREAM (fd-or-stream &key external-format certificate key close-callback (unwrap-streams-p t))

Function CL+SSL:MAKE-SSL-SERVER-STREAM (fd-or-stream &key external-format certificate key close-callback (unwrap-streams-p t))

Return an SSL stream for the client (server) socket fd-or-stream. All reads and writes to this stream will be pushed through the OpenSSL library.

Keyword arguments:

If fd-or-stream is a lisp stream, the SSL stream will close it automatically. File descriptors are not closed automatically. However, if close-callback is non-nil, it will be called with zero arguments when the SSL stream is closed.

If unwrap-stream-p is true (the default), a stream for a file descriptor will be replaced by that file descriptor automatically. This is similar to passing the result of stream-fd as an argument, except that a deadline associated with the stream object will be taken into account, and that the stream will be closed automatically. As with file descriptor arguments, no I/O will actually be done on the stream object.

certificate is the path to a file containing the PEM-encoded certificate for your client. key is the path to the PEM-encoded key for the client, which must not be associated with a passphrase.

If external-format is nil (the default), a plain (unsigned-byte 8) SSL stream is returned. With a non-null external-format, a flexi-stream capable of character I/O will be returned instead, with the specified value as its initial external format.

Function CL+SSL:RELOAD ()

Reload libssl. Call this function after restarting a Lisp core with CL+SSL dumped into it on Lisp implementations that do not reload shared libraries automatically.

Function CL+SSL:STREAM-FD (stream)

Return stream's file descriptor as an integer, if known. Otherwise return stream itself. The result of this function can be passed to make-ssl-client-stream and make-ssl-server-stream.

Portability

CL+SSL requires CFFI with callback support.

Test results for Linux/x86, except OpenMCL which was tested on Linux/PPC:

Lisp Implementation	Status	Comments
OpenMCL	Working
SBCL	Working
CMU CL	Working
CLISP	Working
LispWorks	Working
Allegro	Broken	segfault
Corman CL	Unknown
Digitool MCL	Unknown
Scieneer CL	Unknown
ECL	Unknown
GCL	Unknown

TODO

CNAME checking
session caching
The FFI code for all platforms except clisp needs to be rewritten.

News

2008-xx-yy

Support for I/O deadlines (Clozure CL and SBCL).

2007-xx-yy

Fixed windows support, thanks to Matthew Kennedy and Vodonosov Anton.

2007-07-07

Improved clisp support, thanks to Pixel // pinterface, as well as client certificate support.
Re-introduced support for direct access to file descriptors as an optimization. New function stream-fd. New keyword argument close-callback.

2007-01-16: CL+SSL is now available under an MIT-style license.