Hi all, I've implemented a lightweight SSL layer that enables chicken-install to download eggs over HTTPS. The code is available at:
https://forgejo.rolando.cl/cpm/chicken-core

**Try it out**

Made a quick docker image for testing purposes (default CMD is csi):

    docker run --rm -it forgejo.rolando.cl/cpm/chicken-core:6

**The problem**

Currently chicken-install only supports HTTP - the URL regex in egg-download.scm only matches `http://`, and the TCP layer uses plain sockets. This means egg downloads are vulnerable to man-in-the-middle attacks.

**The solution**

I've added an opt-in minimal OpenSSL FFI layer to core. When CHICKEN is built with `--with-openssl`, it includes a `chicken.ssl` module that provides just enough for client-side TLS connections:

- SSL context creation/destruction
- Socket wrapping (SSL_set_fd)
- Handshake (SSL_connect)
- Read/write (SSL_read, SSL_write)
- System certificate store (SSL_CTX_set_default_verify_paths)
- SNI support (SSL_set_tlsext_host_name)
- Basic error handling

The API is simple: `(ssl-connect host port)` returns input/output ports, reusing the existing tcp unit patterns.

**Key design decisions**

1. **Built as a dynamic extension** - The SSL module is compiled separately and loaded at runtime, so it doesn't bloat libchicken for builds that don't need it.

2. **Runtime detection in chicken-install** - Since chicken.ssl is a dynamic extension, chicken-install uses runtime loading with `condition-case` rather than compile-time `cond-expand`. If SSL isn't available, it gracefully falls back to HTTP-only. FYI: the current approach using `eval` for the runtime import is [fugly](https://forgejo.rolando.cl/cpm/chicken-core/commit/9ff2b06bd2a7cc047561f5980da3c99ab31f1a28#diff-57e46a262a84a32cf556423c1594ab18844feaf6), and I'm open to suggestions for a cleaner way to handle this.

3. **Minimal scope** - This isn't meant to replace the full openssl egg. It's ~300 lines focused solely on client-side HTTPS connections.

4. **Works with code.call-cc.org** - I've tested it successfully downloading eggs from the HTTPS endpoint (the shared docker image has a modified setup.defaults that points to the https endpoint for code.call-cc.org and disables the mirror).

**Changes overview**

- `configure`: Added `--with-openssl` flag, OpenSSL detection via pkg-config
- `ssl.scm`: Minimal SSL module with `ssl-connect` procedure
- `chicken-install.scm`: Runtime loading of chicken.ssl when available
- `egg-download.scm`: Added HTTPS support and ssl-connect-proc hook
- `setup.defaults`: Updated default server URL to use HTTPS
- `Dockerfile`: Added for easy reproducible builds and distribution

Distributions can build CHICKEN with `--with-openssl` to get HTTPS support out of the box, while minimal/embedded builds can omit it.

I'd appreciate feedback on this approach. Is this something the community would be interested in merging?

Thanks!
Rolando Abarca
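As an added illustration of the runtime-detection pattern described in design decision 2 (this is example code written for this thread, not code from the chicken-core patch linked above), the sketch below probes for `chicken.ssl` once with `condition-case`, keeps the `ssl-connect` procedure if the extension loaded, and dispatches on the URL scheme when opening an egg connection. It assumes CHICKEN 5-style module names (`(chicken condition)`, `(chicken tcp)`, `(chicken irregex)`) and that `chicken.ssl` exports `(ssl-connect host port)` returning input and output ports, as the post states; `url-rx`, `parse-url` and `open-egg-connection` are names chosen for this example, and `ssl-connect-proc` mirrors the hook name mentioned for egg-download.scm.

```scheme
;; Added example, not code from the chicken-core patch.
;; Assumes CHICKEN 5 module names and a chicken.ssl module that
;; exports (ssl-connect host port) => (values in out).
(import scheme
        (chicken base)
        (chicken condition)   ; condition-case
        (chicken tcp)         ; tcp-connect
        (chicken irregex))    ; irregex, irregex-match

;; Probe for chicken.ssl once at startup. The import goes through
;; eval so the program still starts when the extension is absent:
;; a compile-time (import chicken.ssl) would fail at load time.
(define ssl-connect-proc
  (condition-case
      (begin
        (eval '(import chicken.ssl))
        (eval 'ssl-connect))
    ((exn) #f)))                          ; any load/import error => no TLS

;; "scheme://host[:port][/path]" with named submatches (SRE syntax).
(define url-rx
  (irregex '(: bos
               (=> scheme (or "https" "http")) "://"
               (=> host (+ (~ ("/:"))))
               (? ":" (=> port (+ digit)))
               (=> path (? (: "/" (* any))))
               eos)))

;; Returns (scheme host port path) or #f when the URL does not match.
(define (parse-url url)
  (let ((m (irregex-match url-rx url)))
    (and m
         (let* ((scheme (irregex-match-substring m 'scheme))
                (port   (irregex-match-substring m 'port))
                (path   (irregex-match-substring m 'path)))
           (list scheme
                 (irregex-match-substring m 'host)
                 (cond (port (string->number port))
                       ((string=? scheme "https") 443)
                       (else 80))
                 (if (or (not path) (string=? path "")) "/" path))))))

;; Open the transport for an egg URL. http:// uses the plain tcp unit;
;; https:// requires the chicken.ssl procedure found above. If it is
;; missing we signal an error instead of quietly retrying over http,
;; since a silent downgrade would reintroduce the MITM exposure.
(define (open-egg-connection url)
  (let ((parts (parse-url url)))
    (unless parts (error "malformed egg URL" url))
    (let ((scheme (car parts))
          (host   (cadr parts))
          (port   (caddr parts)))
      (cond ((string=? scheme "http")
             (tcp-connect host port))
            (ssl-connect-proc
             (ssl-connect-proc host port))
            (else
             (error "HTTPS requested but chicken.ssl is not available" url))))))
```

The only deliberate departure from the "falls back to HTTP-only" behaviour is in `open-egg-connection`: an `https://` URL on a build without `chicken.ssl` is rejected rather than rewritten to `http://`, so a user who configured an HTTPS server URL never ends up on a plaintext connection without noticing.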
