BearSSL Secure Server Class

Implements a TLS encrypted server with optional client certificate validation. See Server Class for general information and BearSSL Secure Client Class for basic server and BearSSL concepts.

setBufferSizes(int recv, int xmit)

Similar to the BearSSL::WiFiClientSecure method, sets the receive and transmit buffer sizes. Note that servers cannot request a buffer size from the client, so if these are shrunk and the client tries to send a chunk larger than the receive buffer, it will always fail. This must be called before the server is

Setting Server Certificates

TLS servers require a certificate identifying itself and containing its public key, and a private key they will use to encrypt information with. The application author is responsible for generating this certificate and key, either using a self-signed generator or using a commercial certification authority. Do not re-use the certificates included in the examples provided.

This example command will generate a RSA 2048-bit key and certificate:

Again, it is up to the application author to generate this certificate and key and keep the private key safe and private.

setRSACert(const BearSSLX509List *chain, const BearSSLPrivateKey *sk)

Sets a RSA certificate and key to be used by the server when connections are received. Needs to be called before begin()

setECCert(const BearSSLX509List *chain, unsigned cert_issuer_key_type, const BearSSLPrivateKey *sk)

Sets an elliptic curve certificate and key for the server. Needs to be called before begin().

Requiring Client Certificates

TLS servers can request the client to identify itself by transmitting a certificate during handshake. If the client cannot transmit the certificate, the connection will be dropped by the server.

setClientTrustAnchor(const BearSSLX509List *client_CA_ta)

Sets the trust anchor (normally a self-signing CA) that all received certificates will be verified against. Needs to be called before begin().