Issue #363 new


created an issue

We already have LuaSocket, so why not add support for SSL-protected networking as well?

Comments (26)

  1. Boolsheet

    The OpenSSL dependency is pretty heavy in its file size. Maybe it's possible to strip it down to just the things LuaSec needs. Then again, compiling OpenSSL has to be a very interesting adventure.

  2. Anonymous

    OpenSSL dependency is a nightmare on windows. Basically you have to run a separate installer on the client before the thing will work. It's killing a non-löve related project at my workplace.

  3. kikito


    I think the cost of adding and maintaining that dependency on all systems does not justify the benefits - the usage of SSL in games is too niche; maybe 5 or 6 people in total would need it.

    Now, if someone other than the core devs did support this on the 3 main systems, I would not have a problem.

  4. Kyle Conroy

    Thomas R. Koll The only way is to setup an HTTP to HTTPS proxy. I'm planning on doing this via Heroku.

    +1 I would really like to be able to make HTTPS requests. I've wanted to use both the GitHub API and the Sentry API from my game, but both require HTTPS.

  5. josefnpat

    I would like to have https as well. Perhaps we could just add a ./configure flag that isn't enabled by default, and distribute the binaries on the side?

    That way "normal" developers can just use the nice small binary, and win/mac developers use a love-https binary. (linux users can just make it a dependency via luarocks?)

  6. David Serrano

    I think something like luasec would be cool and is defitnally a good addition but maybe make it optional somehow. That way only the ones who use it can suffer from the extra weight.

  7. josefnpat

    To put this issue in perspective, would it make sense to add libcurl to the framework, or should this workaround be documented on the wiki, and the ticket marked as wontfix?

  8. Lucien Greathouse

    It's been thrown around a couple times in the IRC, but if a feature like this is going to be implemented, I feel that a libcurl wrapper might be a good route: - Simple request model, easy to integrate - Widespread, supported for the foreseeable future - Can use most TLS libraries (OpenSSL, GnuTLS, whatever)

    It's what luajit-request uses right now, and it works really well with support for lots of little nifty things (cookies, for example).

  9. Bart van Strien

    As I'm sure I mentioned somewhere, I do think that's the primary reason people would want TLS support, so it's definitely a solution for that, but that doesn't solve TLS in general, though. Should it?

  10. David Serrano

    Can we please just add openSSL and the matching lua lib for it? That would be rather easy I would think and a larger game size is kinda OK. People expect it now. I think its a shame that we don't have SSL support

  11. Lucien Greathouse

    Do developers use TLS for regular game communications? I would imagine that secure game communication would retrieve a token from a login server, and then use a standard message signing method using that token, which does not rely on the integrity of the messaging protocol itself. In such a case, libcurl + a TLS library would be acceptable.

  12. Entrance Jew

    I think there's a growing need for SSL, in the very least for communications with services like Imgur, to provide a common functionality like screenshot uploading. For those unfamiliar, Imgur's API only officially supports communication via SSL and probably for good reason. Or something handy like uploading a crash log to pastebin could potentially contain personal info that they'd rather not have shared in the clear, even temporarily. Even Google is pressuring people to serve over HTTPS. luajit-request is handy, but bringing in the external dependencies of cURL is a bit of a burden and means I can't just share my HTTPS-enabled .love without having to build or roll up something for whatever platform.

  13. Lucien Greathouse

    GitHub and Twitter also communicate exclusively through HTTPS, which are two nice services. Additionally, any sort of game authentication should be done over HTTPS as well.

    Perhaps it would be wise to include a love.https module that wraps around whatever SSL implementation the system has? It might be an undertaking, but I'm not sure what other possibilities are out there that would handle this properly.

  14. Bart van Strien

    A while back I looked at luasec (and promptly forked it to improve it), and I'd be in favour of adding that. Even if only because it's the de facto lua tls implementation.

  15. Log in to comment