path: root/docs/BUILD_TLS.md

# Building for TLS Support

If you want to include support for Transport Layer Security
(`tls+tcp://` and `wss://` URLs) you should follow these directions.

TLS support in NNG depends on a suitable TLS library.
The options are [Mbed TLS](https://tls.mbed.org/),
[WolfSSL](https://www.wolfssl.com/), [OpenSSL](https://openssl.org).

> [!IMPORTANT]
> These libraries are licensed under different terms than NNG.
> You are responsible for reading those license terms, and ensuring
> that your use conforms to them.

> [!TIP]
> This project receives no compensation or support in any other form
> from either ARM (owners of the Mbed TLS project) or WolfSSL.
> Thus, as a special request, if you're paying for commercial licenses for
> either Mbed TLS or WolfSSL for use with NNG, please consider also sponsoring
> this project or obtaining a commercial support contract from
> [Staysail Systems, Inc.](https://www.staysail.tech/)
> You can enquire about support contracts at info@staysail.tech.
> Sponsorship information is available on our
> [GitHub page](https://github.com/nanomsg/nng). Thank you!

On many distributions you may be able to install a pre-packaged version
of either library. We recommend doing so if this is an option for you.
For example, Ubuntu users can install the `libmbedtls-dev` package.

You can also build these from source; if you choose to do so,
please make sure you also _install_ it somewhere (even a temporary
staging directory).

## Notes about Mbed TLS

MbedTLS 2.28 or 3.6 are tested and known to work.
MbedTLS 4.0 is not at present supported, but we will work to
address that soon. Support for MbedTLS 2.28 may be dropped
before NNG 2.0 finalizes, as it is no longer supported by
the Mbed TLS project.

## Notes about WolfSSL

WolfSSL can be configured with a small subset of possible
features, which can impair NNG's functionality. We recommend
enabling support for peer certificates as well as the optional
extra OpenSSL compatibility APIs.

Note that the open source version of WolfSSL is GPLv3, which
applies significant additional considerations on users. Please
check with your lawyer if you're not planning to open source
your work under GPLv3 as well.

We have not tested NNG with the commercial version of WolfSSL.
If you want support for that, please contact Staysail Systems
to make support arrangements.

## Notes about OpenSSL

OpenSSL requires version 3.5 or newer. (As of this writing, OpenSSL
3.5 is the most recent long term support - LTS - release of OpenSSL.)
No effort will be made to support earlier releases.

## Configuring NNG with TLS

TLS support is not enabled by default, but can be enabled by configuring
with the CMake option `NNG_ENABLE_TLS=ON`.

You can select which library to use by using `NNG_TLS_ENGINE=mbed`,
`NNG_TLS_ENGINE=wolf`, or `NNG_TLS_ENGINE=openssl`.
If you do not specify an engine, then `mbed` is assumed by default.
(Note that the default may change in future releases.)

By default NNG searches for an installed components in `/usr/local`,
as well as the normal installation directories for libraries on your system.

If you have installed the TLS library elsewhere, you can direct the NNG configuration
to it by setting the `MBEDTLS_ROOT_DIR` or `WOLFSSL_ROOT_DIR` CMake variable
as appropriate. For OpenSSL, see the CMake documentation for `FindOpenSSL`.

## Example

The following example would work on either Linux or macOS, and assumes
that we have checked out github source trees into `$HOME/work`.
It also assumes that Mbed TLS is already installed in `/usr/local` or
a standard search path.

```

$ export NNGDIR=$HOME/work/nng
$ mkdir build
$ cd build

$ cmake -G Ninja -DNNG_ENABLE_TLS=ON ..

... (lots of lines of output from cmake...)

$ ninja build

... (lots of lines of output from ninja...)

$ ./src/supplemental/tls/tls_test -v

... (lots of lines of output from the test ...)

Summary:
  Count of all unit tests:        9
  Count of run unit tests:        9
  Count of failed unit tests:     0
  Count of skipped unit tests:    0
SUCCESS: All unit tests have passed.
```