If we are afraid that LuaSec + OpenSSL is too big of a dependency, would using polarssl and a wrapper for that be better?
EDIT: That wrapper doesn't cover very much of the library... we would either have to write a new wrapper or just use FFI.
It's been thrown around a couple times in the IRC, but if a feature like this is going to be implemented, I feel that a libcurl wrapper might be a good route:
- Simple request model, easy to integrate
- Widespread, supported for the foreseeable future
- Can use most TLS libraries (OpenSSL, GnuTLS, whatever)
It's what luajit-request uses right now, and it works really well with support for lots of little nifty things (cookies, for example).
Can we please just add openSSL and the matching lua lib for it? That would be rather easy I would think and a larger game size is kinda OK. People expect it now. I think its a shame that we don't have SSL support
Do developers use TLS for regular game communications? I would imagine that secure game communication would retrieve a token from a login server, and then use a standard message signing method using that token, which does not rely on the integrity of the messaging protocol itself. In such a case, libcurl + a TLS library would be acceptable.
I think there's a growing need for SSL, in the very least for communications with services like Imgur, to provide a common functionality like screenshot uploading. For those unfamiliar, Imgur's API only officially supports communication via SSL and probably for good reason. Or something handy like uploading a crash log to pastebin could potentially contain personal info that they'd rather not have shared in the clear, even temporarily. Even Google is pressuring people to serve over HTTPS. luajit-request is handy, but bringing in the external dependencies of cURL is a bit of a burden and means I can't just share my HTTPS-enabled .love without having to build or roll up something for whatever platform.
GitHub and Twitter also communicate exclusively through HTTPS, which are two nice services. Additionally, any sort of game authentication should be done over HTTPS as well.
Perhaps it would be wise to include a love.https module that wraps around whatever SSL implementation the system has? It might be an undertaking, but I'm not sure what other possibilities are out there that would handle this properly.