SimpleLink SSL support; split cert and key opts

SL requires cert and key to be separate files in DER format. Date verification is disabled for now. PUBLISHED_FROM=7d76150ed356140728a1e5fd82d8a0456347b7dc

SimpleLink SSL support; split cert and key opts
SL requires cert and key to be separate files in DER format. Date verification is disabled for now. PUBLISHED_FROM=7d76150ed356140728a1e5fd82d8a0456347b7dc
dcf1cede · rojer · Cesanta Bot · 845e6082 · dcf1cede · dcf1cede
Commit dcf1cede authored Jun 09, 2016 by rojer Committed by Cesanta Bot Jun 09, 2016
8 changed files
--- a/docs/c-api/net.h/mg_set_ssl.md
+++ b/docs/c-api/net.h/mg_set_ssl.md
@@ -7,12 +7,14 @@ signature: |
                         const char *ca_cert);
 ---
+Note: This function is deprecated, please use SSL options in mg_connect_opt.
 Enable SSL for a given connection.
 `cert` is a server certificate file name for a listening connection,
 or a client certificate file name for an outgoing connection.
 Certificate files must be in PEM format. Server certificate file
 must contain a certificate, concatenated with a private key, optionally
-concatenated with parameters.
+concatenated with DH parameters.
 `ca_cert` is a CA certificate, or NULL if peer verification is not
 required.
 Return: NULL on success, or error message on error. 

--- a/docs/c-api/net.h/struct_mg_bind_opts.md
+++ b/docs/c-api/net.h/struct_mg_bind_opts.md
@@ -10,6 +10,9 @@ signature: |
  #ifdef MG_ENABLE_SSL
    /* SSL settings. */
    const char *ssl_cert;    /* Server certificate to present to clients */
+    const char *ssl_key;     /* Private key corresponding to the certificate.
+                                If ssl_cert is set but ssl_key is not, ssl_cert
+                                is used. */
    const char *ssl_ca_cert; /* Verify client certificates with this CA bundle */
  #endif
  };

--- a/docs/c-api/net.h/struct_mg_connect_opts.md
+++ b/docs/c-api/net.h/struct_mg_connect_opts.md
@@ -10,6 +10,9 @@ signature: |
  #ifdef MG_ENABLE_SSL
    /* SSL settings. */
    const char *ssl_cert;    /* Client certificate to present to the server */
+    const char *ssl_key;     /* Private key corresponding to the certificate.
+                                If ssl_cert is set but ssl_key is not, ssl_cert
+                                is used. */
    const char *ssl_ca_cert; /* Verify server certificate using this CA bundle */
    /*

--- a/docs/c-api/net.h/struct_mg_connection.md
+++ b/docs/c-api/net.h/struct_mg_connection.md
@@ -14,8 +14,17 @@ signature: |
    size_t recv_mbuf_limit;  /* Max size of recv buffer */
    struct mbuf recv_mbuf;   /* Received data */
    struct mbuf send_mbuf;   /* Data scheduled for sending */
+  #if defined(MG_ENABLE_SSL)
+  #if !defined(MG_SOCKET_SIMPLELINK)
    SSL *ssl;
    SSL_CTX *ssl_ctx;
+  #else
+    char *ssl_cert;
+    char *ssl_key;
+    char *ssl_ca_cert;
+    char *ssl_server_name;
+  #endif
+  #endif
    time_t last_io_time;              /* Timestamp of the last socket IO */
    double ev_timer_time;             /* Timestamp of the future MG_EV_TIMER */
    mg_event_handler_t proto_handler; /* Protocol-specific event handler */

--- a/examples/CC3200/Makefile.build
+++ b/examples/CC3200/Makefile.build
@@ -22,7 +22,7 @@ IPATH = . ../.. $(REPO_PATH)
 VPATH = ../..
-MONGOOSE_FEATURES = -DMG_ENABLE_HTTP_STREAMING_MULTIPART
+MONGOOSE_FEATURES = -DMG_ENABLE_SSL -DMG_ENABLE_HTTP_STREAMING_MULTIPART
 SDK_FLAGS = -DUSE_FREERTOS -DSL_PLATFORM_MULTI_THREADED
 # -DTARGET_IS_CC3200 would reduce code size by using functions in ROM

--- a/examples/CC3200/main.c
+++ b/examples/CC3200/main.c
@@ -167,7 +167,21 @@ static void mg_init(struct mg_mgr *mgr) {
    LOG(LL_ERROR, ("Failed to start NWP"));
    return;
  }
-  LOG(LL_INFO, ("NWP started"));
+  {
+    SlVersionFull ver;
+    unsigned char opt = SL_DEVICE_GENERAL_VERSION;
+    unsigned char len = sizeof(ver);
+    memset(&ver, 0, sizeof(ver));
+    sl_DevGet(SL_DEVICE_GENERAL_CONFIGURATION, &opt, &len,
+              (unsigned char *) (&ver));
+    LOG(LL_INFO, ("NWP v%d.%d.%d.%d started, host v%d.%d.%d.%d",
+                  ver.NwpVersion[0], ver.NwpVersion[1], ver.NwpVersion[2],
+                  ver.NwpVersion[3], SL_MAJOR_VERSION_NUM, SL_MINOR_VERSION_NUM,
+                  SL_VERSION_NUM, SL_SUB_VERSION_NUM));
+  }
  GPIO_IF_LedToggle(MCU_RED_LED_GPIO);
  data_init_sensors(TMP006_ADDR, BM222_ADDR);
@@ -194,7 +208,7 @@ static void mg_init(struct mg_mgr *mgr) {
  memset(&opts, 0, sizeof(opts));
  opts.error_string = &err;
-  struct mg_connection *nc = mg_bind(mgr, "80", mg_ev_handler);
+  struct mg_connection *nc = mg_bind_opt(mgr, "80", mg_ev_handler, opts);
  if (nc != NULL) {
    mg_set_protocol_http_websocket(nc);
    nc->ev_timer_time = mg_time(); /* Start data collection */

--- a/mongoose.c
+++ b/mongoose.c
@@ -2204,9 +2204,13 @@ void mg_if_timer(struct mg_connection *c, double now) {
 }
 void mg_if_poll(struct mg_connection *nc, time_t now) {
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
  if (nc->ssl == NULL || (nc->flags & MG_F_SSL_HANDSHAKE_DONE)) {
    mg_call(nc, NULL, MG_EV_POLL, &now);
  }
+#else
+  mg_call(nc, NULL, MG_EV_POLL, &now);
+#endif
 }
 static void mg_destroy_conn(struct mg_connection *conn) {
@@ -2214,9 +2218,16 @@ static void mg_destroy_conn(struct mg_connection *conn) {
    conn->proto_data_destructor(conn->proto_data);
  }
  mg_if_destroy_conn(conn);
-#ifdef MG_ENABLE_SSL
+#if defined(MG_ENABLE_SSL)
+#if !defined(MG_SOCKET_SIMPLELINK)
  if (conn->ssl != NULL) SSL_free(conn->ssl);
  if (conn->ssl_ctx != NULL) SSL_CTX_free(conn->ssl_ctx);
+#else
+  MG_FREE(conn->ssl_cert);
+  MG_FREE(conn->ssl_key);
+  MG_FREE(conn->ssl_ca_cert);
+  MG_FREE(conn->ssl_server_name);
+#endif
 #endif
  mbuf_free(&conn->recv_mbuf);
  mbuf_free(&conn->send_mbuf);
@@ -2250,7 +2261,7 @@ void mg_mgr_init(struct mg_mgr *m, void *user_data) {
  signal(SIGPIPE, SIG_IGN);
 #endif
-#ifdef MG_ENABLE_SSL
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
  {
    static int init_done;
    if (!init_done) {
@@ -2484,6 +2495,8 @@ MG_INTERNAL int mg_parse_address(const char *str, union socket_address *sa,
 }
 #ifdef MG_ENABLE_SSL
+#ifndef MG_SOCKET_SIMPLELINK
 /*
 * Certificate generation script is at
 * https://github.com/cesanta/mongoose/blob/master/scripts/generate_ssl_certificates.sh
@@ -2559,13 +2572,13 @@ static int mg_use_ca_cert(SSL_CTX *ctx, const char *cert) {
  return SSL_CTX_load_verify_locations(ctx, cert, NULL) == 1 ? 0 : -2;
 }
-static int mg_use_cert(SSL_CTX *ctx, const char *pem_file) {
+static int mg_use_cert(SSL_CTX *ctx, const char *cert, const char *key) {
  if (ctx == NULL) {
    return -1;
-  } else if (pem_file == NULL || pem_file[0] == '\0') {
+  } else if (cert == NULL || cert[0] == '\0' || key == NULL || key[0] == '\0') {
    return 0;
-  } else if (SSL_CTX_use_certificate_file(ctx, pem_file, 1) == 0 ||
+  } else if (SSL_CTX_use_certificate_file(ctx, cert, 1) == 0 ||
-             SSL_CTX_use_PrivateKey_file(ctx, pem_file, 1) == 0) {
+             SSL_CTX_use_PrivateKey_file(ctx, key, 1) == 0) {
    return -2;
  } else {
 #ifndef MG_DISABLE_PFS
@@ -2573,7 +2586,7 @@ static int mg_use_cert(SSL_CTX *ctx, const char *pem_file) {
    DH *dh = NULL;
    /* Try to read DH parameters from the cert/key file. */
-    bio = BIO_new_file(pem_file, "r");
+    bio = BIO_new_file(cert, "r");
    if (bio != NULL) {
      dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
      BIO_free(bio);
@@ -2594,7 +2607,7 @@ static int mg_use_cert(SSL_CTX *ctx, const char *pem_file) {
    }
 #endif
    SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-    SSL_CTX_use_certificate_chain_file(ctx, pem_file);
+    SSL_CTX_use_certificate_chain_file(ctx, cert);
    return 0;
  }
 }
@@ -2615,15 +2628,18 @@ static int mg_use_cert(SSL_CTX *ctx, const char *pem_file) {
 *
 * Return NULL on success, or error message on failure.
 */
-const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
+static const char *mg_set_ssl2(struct mg_connection *nc, const char *cert,
-                       const char *ca_cert) {
+                               const char *key, const char *ca_cert) {
  const char *result = NULL;
-  DBG(("%p %s %s", nc, (cert ? cert : ""), (ca_cert ? ca_cert : "")));
+  DBG(("%p %s,%s,%s", nc, (cert ? cert : ""), (key ? key : ""),
+       (ca_cert ? ca_cert : "")));
  if (nc->flags & MG_F_UDP) {
    return "SSL for UDP is not supported";
  }
+  if (key == NULL && cert != NULL) key = cert;
  if (nc->ssl != NULL) {
    SSL_free(nc->ssl);
    nc->ssl = NULL;
@@ -2639,19 +2655,13 @@ const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
  } else if (!(nc->flags & MG_F_LISTENING) &&
             (nc->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
    result = "SSL_CTX_new() failed";
-  } else if (mg_use_cert(nc->ssl_ctx, cert) != 0) {
+  } else if (mg_use_cert(nc->ssl_ctx, cert, key) != 0) {
    result = "Invalid ssl cert";
  } else if (mg_use_ca_cert(nc->ssl_ctx, ca_cert) != 0) {
    result = "Invalid CA cert";
  } else if (!(nc->flags & MG_F_LISTENING) &&
             (nc->ssl = SSL_new(nc->ssl_ctx)) == NULL) {
    result = "SSL_new() failed";
-  } else if (!(nc->flags & MG_F_LISTENING) && nc->sock != INVALID_SOCKET) {
-    /*
-     * Socket is open here only if we are connecting to IP address
-     * and does not open if we are connecting using async DNS resolver
-     */
-    SSL_set_fd(nc->ssl, nc->sock);
  }
 #ifndef MG_DISABLE_PFS
@@ -2659,6 +2669,37 @@ const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
 #endif
  return result;
 }
+const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
+                       const char *ca_cert) {
+  return mg_set_ssl2(nc, cert, NULL, ca_cert);
+}
+#else  /* !MG_SOCKET_SIMPLELINK */
+static const char *mg_set_ssl2(struct mg_connection *nc, const char *cert,
+                               const char *key, const char *ca_cert) {
+  DBG(("%p %s,%s,%s", nc, (cert ? cert : ""), (key ? key : ""),
+       (ca_cert ? ca_cert : "")));
+  if (nc->flags & MG_F_UDP) {
+    return "SSL for UDP is not supported";
+  }
+  if (cert != NULL || key != NULL) {
+    if (cert != NULL && key != NULL) {
+      nc->ssl_cert = strdup(cert);
+      nc->ssl_key = strdup(key);
+    } else {
+      return "both cert and key are required";
+    }
+  }
+  if (ca_cert != NULL) nc->ssl_ca_cert = strdup(ca_cert);
+  return NULL;
+}
+#endif /* MG_SOCKET_SIMPLELINK */
 #endif /* MG_ENABLE_SSL */
 struct mg_connection *mg_if_accept_new_conn(struct mg_connection *lc) {
@@ -2672,8 +2713,7 @@ struct mg_connection *mg_if_accept_new_conn(struct mg_connection *lc) {
  nc->user_data = lc->user_data;
  nc->recv_mbuf_limit = lc->recv_mbuf_limit;
  mg_add_conn(nc->mgr, nc);
-  DBG(("%p %p %d %d, %p %p", lc, nc, nc->sock, (int) nc->flags, lc->ssl_ctx,
+  DBG(("%p %p %d %d", lc, nc, nc->sock, (int) nc->flags));
-       nc->ssl));
  return nc;
 }
@@ -2875,20 +2915,28 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
  if ((nc = mg_create_connection(mgr, callback, add_sock_opts)) == NULL) {
    return NULL;
-  } else if ((rc = mg_parse_address(address, &nc->sa, &proto, host,
+  }
-                                    sizeof(host))) < 0) {
+  if ((rc = mg_parse_address(address, &nc->sa, &proto, host, sizeof(host))) <
+      0) {
    /* Address is malformed */
    MG_SET_PTRPTR(opts.error_string, "cannot parse address");
    mg_destroy_conn(nc);
    return NULL;
  }
  nc->flags |= opts.flags & _MG_ALLOWED_CONNECT_FLAGS_MASK;
  nc->flags |= (proto == SOCK_DGRAM) ? MG_F_UDP : 0;
  nc->user_data = opts.user_data;
 #ifdef MG_ENABLE_SSL
+  DBG(("%p %s %s %s %s", nc, address, (opts.ssl_cert ? opts.ssl_cert : ""),
+       (opts.ssl_key ? opts.ssl_key : ""),
+       (opts.ssl_ca_cert ? opts.ssl_ca_cert : "")));
  if (opts.ssl_cert != NULL || opts.ssl_ca_cert != NULL) {
-    const char *err = mg_set_ssl(nc, opts.ssl_cert, opts.ssl_ca_cert);
+    const char *err =
+        mg_set_ssl2(nc, opts.ssl_cert, opts.ssl_key, opts.ssl_ca_cert);
    if (err != NULL) {
      MG_SET_PTRPTR(opts.error_string, err);
      mg_destroy_conn(nc);
@@ -2899,6 +2947,8 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
      if (opts.ssl_server_name == NULL) opts.ssl_server_name = host;
 #ifdef SSL_KRYPTON
      SSL_CTX_kr_set_verify_name(nc->ssl_ctx, opts.ssl_server_name);
+#elif defined(MG_SOCKET_SIMPLELINK)
+      nc->ssl_server_name = strdup(opts.ssl_server_name);
 #else
      /* TODO(rojer): Implement server name verification on OpenSSL. */
      MG_SET_PTRPTR(opts.error_string,
@@ -2970,8 +3020,25 @@ struct mg_connection *mg_bind_opt(struct mg_mgr *mgr, const char *address,
  nc->sa = sa;
  nc->flags |= MG_F_LISTENING;
-  if (proto == SOCK_DGRAM) {
+  if (proto == SOCK_DGRAM) nc->flags |= MG_F_UDP;
-    nc->flags |= MG_F_UDP;
+#ifdef MG_ENABLE_SSL
+  DBG(("%p %s %s %s %s", nc, address, (opts.ssl_cert ? opts.ssl_cert : ""),
+       (opts.ssl_key ? opts.ssl_key : ""),
+       (opts.ssl_ca_cert ? opts.ssl_ca_cert : "")));
+  if (opts.ssl_cert != NULL || opts.ssl_ca_cert != NULL) {
+    const char *err =
+        mg_set_ssl2(nc, opts.ssl_cert, opts.ssl_key, opts.ssl_ca_cert);
+    if (err != NULL) {
+      MG_SET_PTRPTR(opts.error_string, err);
+      mg_destroy_conn(nc);
+      return NULL;
+    }
+  }
+#endif /* MG_ENABLE_SSL */
+  if (nc->flags & MG_F_UDP) {
    rc = mg_if_listen_udp(nc, &nc->sa);
  } else {
    rc = mg_if_listen_tcp(nc, &nc->sa);
@@ -2982,16 +3049,6 @@ struct mg_connection *mg_bind_opt(struct mg_mgr *mgr, const char *address,
    mg_destroy_conn(nc);
    return NULL;
  }
-#ifdef MG_ENABLE_SSL
-  if (opts.ssl_cert != NULL || opts.ssl_ca_cert != NULL) {
-    const char *err = mg_set_ssl(nc, opts.ssl_cert, opts.ssl_ca_cert);
-    if (err != NULL) {
-      MG_SET_PTRPTR(opts.error_string, err);
-      mg_destroy_conn(nc);
-      return NULL;
-    }
-  }
-#endif /* MG_ENABLE_SSL */
  mg_add_conn(nc->mgr, nc);
  return nc;
@@ -3130,8 +3187,9 @@ double mg_time() {
 #define MG_TCP_RECV_BUFFER_SIZE 1024
 #define MG_UDP_RECV_BUFFER_SIZE 1500
-static sock_t mg_open_listening_socket(union socket_address *sa, int proto);
+static sock_t mg_open_listening_socket(union socket_address *sa, int type,
-#ifdef MG_ENABLE_SSL
+                                       int proto);
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
 static void mg_ssl_begin(struct mg_connection *nc);
 static int mg_ssl_err(struct mg_connection *conn, int res);
 #endif
@@ -3169,18 +3227,28 @@ int mg_is_error(int n) {
 void mg_if_connect_tcp(struct mg_connection *nc,
                       const union socket_address *sa) {
-  int rc;
+  int rc, proto = 0;
-  nc->sock = socket(AF_INET, SOCK_STREAM, 0);
+#if defined(MG_ENABLE_SSL) && defined(MG_SOCKET_SIMPLELINK)
+  if (nc->ssl_cert != NULL || nc->ssl_ca_cert != NULL) proto = SL_SEC_SOCKET;
+#endif
+  nc->sock = socket(AF_INET, SOCK_STREAM, proto);
  if (nc->sock == INVALID_SOCKET) {
    nc->err = errno ? errno : 1;
    return;
  }
 #if !defined(MG_SOCKET_SIMPLELINK) && !defined(MG_ESP8266)
  mg_set_non_blocking_mode(nc->sock);
+#endif
+#if defined(MG_ENABLE_SSL) && defined(MG_SOCKET_SIMPLELINK)
+  int is_ssl_no_vrfy = (nc->ssl_ca_cert != NULL && nc->ssl_ca_cert[0] == '\0');
+  if (!sl_set_ssl_opts(nc)) return;
 #endif
  rc = connect(nc->sock, &sa->sa, sizeof(sa->sin));
+#if defined(MG_ENABLE_SSL) && defined(MG_SOCKET_SIMPLELINK)
+  if (is_ssl_no_vrfy && rc == SL_ESECSNOVERIFY) rc = 0;
+#endif
  nc->err = mg_is_error(rc) ? errno : 0;
-  DBG(("%p sock %d err %d", nc, nc->sock, nc->err));
+  LOG(LL_INFO, ("%p sock %d err %d", nc, nc->sock, nc->err));
 }
 void mg_if_connect_udp(struct mg_connection *nc) {
@@ -3193,16 +3261,23 @@ void mg_if_connect_udp(struct mg_connection *nc) {
 }
 int mg_if_listen_tcp(struct mg_connection *nc, union socket_address *sa) {
-  sock_t sock = mg_open_listening_socket(sa, SOCK_STREAM);
+  int proto = 0;
+#if defined(MG_ENABLE_SSL) && defined(MG_SOCKET_SIMPLELINK)
+  if (nc->ssl_cert != NULL || nc->ssl_ca_cert != NULL) proto = SL_SEC_SOCKET;
+#endif
+  sock_t sock = mg_open_listening_socket(sa, SOCK_STREAM, proto);
  if (sock == INVALID_SOCKET) {
    return (errno ? errno : 1);
  }
  mg_sock_set(nc, sock);
+#if defined(MG_ENABLE_SSL) && defined(MG_SOCKET_SIMPLELINK)
+  if (!sl_set_ssl_opts(nc)) return nc->err;
+#endif
  return 0;
 }
 int mg_if_listen_udp(struct mg_connection *nc, union socket_address *sa) {
-  sock_t sock = mg_open_listening_socket(sa, SOCK_DGRAM);
+  sock_t sock = mg_open_listening_socket(sa, SOCK_DGRAM, 0);
  if (sock == INVALID_SOCKET) return (errno ? errno : 1);
  mg_sock_set(nc, sock);
  return 0;
@@ -3262,7 +3337,7 @@ static int mg_accept_conn(struct mg_connection *lc) {
  DBG(("%p conn from %s:%d", nc, inet_ntoa(sa.sin.sin_addr),
       ntohs(sa.sin.sin_port)));
  mg_sock_set(nc, sock);
-#ifdef MG_ENABLE_SSL
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
  if (lc->ssl_ctx != NULL) {
    nc->ssl = SSL_new(lc->ssl_ctx);
    if (nc->ssl == NULL || SSL_set_fd(nc->ssl, sock) != 1) {
@@ -3278,7 +3353,8 @@ static int mg_accept_conn(struct mg_connection *lc) {
 }
 /* 'sa' must be an initialized address to bind to */
-static sock_t mg_open_listening_socket(union socket_address *sa, int proto) {
+static sock_t mg_open_listening_socket(union socket_address *sa, int type,
+                                       int proto) {
  socklen_t sa_len =
      (sa->sa.sa_family == AF_INET) ? sizeof(sa->sin) : sizeof(sa->sin6);
  sock_t sock = INVALID_SOCKET;
@@ -3286,7 +3362,7 @@ static sock_t mg_open_listening_socket(union socket_address *sa, int proto) {
  int on = 1;
 #endif
-  if ((sock = socket(sa->sa.sa_family, proto, 0)) != INVALID_SOCKET &&
+  if ((sock = socket(sa->sa.sa_family, type, proto)) != INVALID_SOCKET &&
 #if !defined(MG_SOCKET_SIMPLELINK) && \
    !defined(MG_LWIP) /* SimpleLink and LWIP don't support either */
 #if defined(_WIN32) && defined(SO_EXCLUSIVEADDRUSE)
@@ -3310,7 +3386,7 @@ static sock_t mg_open_listening_socket(union socket_address *sa, int proto) {
 #endif /* !MG_SOCKET_SIMPLELINK && !MG_LWIP */
      !bind(sock, &sa->sa, sa_len) &&
-      (proto == SOCK_DGRAM || listen(sock, SOMAXCONN) == 0)) {
+      (type == SOCK_DGRAM || listen(sock, SOMAXCONN) == 0)) {
 #if !defined(MG_SOCKET_SIMPLELINK) && \
    !defined(MG_LWIP) /* TODO(rojer): Fix this. */
    mg_set_non_blocking_mode(sock);
@@ -3348,7 +3424,7 @@ static void mg_write_to_socket(struct mg_connection *nc) {
    return;
  }
-#ifdef MG_ENABLE_SSL
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
  if (nc->ssl != NULL) {
    if (nc->flags & MG_F_SSL_HANDSHAKE_DONE) {
      n = SSL_write(nc->ssl, io->buf, io->len);
@@ -3396,7 +3472,7 @@ static void mg_read_from_socket(struct mg_connection *conn) {
    return;
  }
-#ifdef MG_ENABLE_SSL
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
  if (conn->ssl != NULL) {
    if (conn->flags & MG_F_SSL_HANDSHAKE_DONE) {
      /* SSL library may have more bytes ready to read then we ask to read.
@@ -3464,7 +3540,7 @@ static void mg_handle_udp_read(struct mg_connection *nc) {
  mg_if_recv_udp_cb(nc, buf, n, &sa, sa_len);
 }
-#ifdef MG_ENABLE_SSL
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
 static int mg_ssl_err(struct mg_connection *conn, int res) {
  int ssl_err = SSL_get_error(conn->ssl, res);
  DBG(("%p %d -> %d", conn, res, ssl_err));
@@ -3507,7 +3583,7 @@ static void mg_ssl_begin(struct mg_connection *nc) {
    }
  }
 }
-#endif /* MG_ENABLE_SSL */
+#endif /* defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK) */
 #define _MG_F_FD_CAN_READ 1
 #define _MG_F_FD_CAN_WRITE 1 << 1
@@ -3533,8 +3609,12 @@ void mg_mgr_handle_conn(struct mg_connection *nc, int fd_flags, double now) {
       * TODO(rojer): Figure out why it fails where blocking succeeds.
       */
      err = nc->err;
+#if defined(MG_SOCKET_SIMPLELINK)
+      /* TODO(rojer): Provide API to set date. */
+      if (err == SL_ESECDATEERROR) err = 0;
 #endif
-#ifdef MG_ENABLE_SSL
+#endif
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
      if (nc->ssl != NULL && err == 0) {
        SSL_set_fd(nc->ssl, nc->sock);
        mg_ssl_begin(nc);
@@ -7233,7 +7313,11 @@ static void mg_prepare_cgi_environment(struct mg_connection *nc,
    mg_addenv(blk, "PATH_TRANSLATED=%.*s", (int) path_info->len, path_info->p);
  }
+#ifdef MG_ENABLE_SSL
  mg_addenv(blk, "HTTPS=%s", nc->ssl != NULL ? "on" : "off");
+#else
+  mg_addenv(blk, "HTTPS=off");
+#endif
  if ((h = mg_get_http_header((struct http_message *) hm, "Content-Type")) !=
      NULL) {
@@ -7708,9 +7792,14 @@ struct mg_connection *mg_connect_http_base(
    return NULL;
  }
 #endif
+#if defined(MG_ENABLE_SSL) && defined(MG_SOCKET_SIMPLELINK)
+  if (use_ssl && opts.ssl_ca_cert == NULL) {
+    opts.ssl_ca_cert = "";
+  }
+#endif
  if ((nc = mg_connect_opt(mgr, *addr, ev_handler, opts)) != NULL) {
-#ifdef MG_ENABLE_SSL
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
    if (use_ssl && nc->ssl_ctx == NULL) {
      /*
       * Schema requires SSL, but no SSL parameters were provided in
@@ -11001,7 +11090,7 @@ const char *inet_ntop(int af, const void *src, char *dst, socklen_t size) {
 char *inet_ntoa(struct in_addr n) {
  static char a[16];
-  return (char *) inet_ntop(AF_INET, &n, a, sizeof(n));
+  return (char *) inet_ntop(AF_INET, &n, a, sizeof(a));
 }
 int inet_pton(int af, const char *src, void *dst) {
@@ -11021,6 +11110,50 @@ int inet_pton(int af, const char *src, void *dst) {
  return 1;
 }
+#ifdef MG_ENABLE_SSL
+int sl_set_ssl_opts(struct mg_connection *nc) {
+  DBG(("%p %s,%s,%s,%s", nc, (nc->ssl_cert ? nc->ssl_cert : ""), (nc->ssl_key ? nc->ssl_cert : ""), (nc->ssl_ca_cert ? nc->ssl_ca_cert : ""), (nc->ssl_server_name ? nc->ssl_server_name : "")));
+  if (nc->ssl_cert != NULL && nc->ssl_key != NULL) {
+    nc->err = sl_SetSockOpt(nc->sock, SL_SOL_SOCKET,
+                            SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME,
+                            nc->ssl_cert,
+                            strlen(nc->ssl_cert));
+    DBG(("CERTIFICATE_FILE_NAME %s -> %d", nc->ssl_cert, nc->err));
+    if (nc->err != 0) return 0;
+    nc->err = sl_SetSockOpt(nc->sock, SL_SOL_SOCKET,
+                            SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME,
+                            nc->ssl_key,
+                            strlen(nc->ssl_key));
+    DBG(("PRIVATE_KEY_FILE_NAME %s -> %d", nc->ssl_key, nc->err));
+    if (nc->err != 0) return 0;
+    MG_FREE(nc->ssl_cert);
+    MG_FREE(nc->ssl_key);
+    nc->ssl_cert = nc->ssl_key = NULL;
+  }
+  if (nc->ssl_ca_cert != NULL && nc->ssl_ca_cert[0] != '\0') {
+    nc->err = sl_SetSockOpt(nc->sock, SL_SOL_SOCKET,
+                            SL_SO_SECURE_FILES_CA_FILE_NAME,
+                            nc->ssl_ca_cert,
+                            strlen(nc->ssl_ca_cert));
+    DBG(("CA_FILE_NAME %s -> %d", nc->ssl_ca_cert, nc->err));
+    if (nc->err != 0) return 0;
+    MG_FREE(nc->ssl_ca_cert);
+    nc->ssl_ca_cert = NULL;
+  }
+  if (nc->ssl_server_name != NULL) {
+    nc->err = sl_SetSockOpt(nc->sock, SL_SOL_SOCKET,
+                            SO_SECURE_DOMAIN_NAME_VERIFICATION,
+                            nc->ssl_server_name,
+                            strlen(nc->ssl_server_name));
+    DBG(("DOMAIN_NAME_VERIFICATION %s -> %d", nc->ssl_server_name, nc->err));
+    if (nc->err != 0) return 0;
+    MG_FREE(nc->ssl_server_name);
+    nc->ssl_server_name = NULL;
+  }
+  return 1;
+}
+#endif
 #endif /* CS_COMMON_PLATFORMS_SIMPLELINK_SL_SOCKET_C_ */
 #ifdef MG_MODULE_LINES
 #line 1 "./src/../../common/platforms/simplelink/sl_mg_task.c"

--- a/mongoose.h
+++ b/mongoose.h
@@ -731,6 +731,7 @@ char *inet_ntoa(struct in_addr in);
 int inet_pton(int af, const char *src, void *dst);
 struct mg_mgr;
+struct mg_connection;
 typedef void (*mg_init_cb)(struct mg_mgr *mgr);
 bool mg_start_task(int priority, int stack_size, mg_init_cb mg_init);
@@ -739,6 +740,8 @@ void mg_run_in_task(void (*cb)(struct mg_mgr *mgr, void *arg), void *cb_arg);
 int sl_fs_init();
+int sl_set_ssl_opts(struct mg_connection *nc);
 #ifdef __cplusplus
 }
 #endif
@@ -1172,11 +1175,10 @@ int json_emit_va(char *buf, int buf_len, const char *fmt, va_list);
 #ifdef __APPLE__
 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 #endif
+#if !defined(MG_SOCKET_SIMPLELINK)
 #include <openssl/ssl.h>
-#else
-typedef void *SSL;
-typedef void *SSL_CTX;
 #endif
+#endif /* MG_ENABLE_SSL */
 #ifndef MG_VPRINTF_BUFFER_SIZE
 #define MG_VPRINTF_BUFFER_SIZE 100
@@ -1257,8 +1259,17 @@ struct mg_connection {
  size_t recv_mbuf_limit;  /* Max size of recv buffer */
  struct mbuf recv_mbuf;   /* Received data */
  struct mbuf send_mbuf;   /* Data scheduled for sending */
+#if defined(MG_ENABLE_SSL)
+#if !defined(MG_SOCKET_SIMPLELINK)
  SSL *ssl;
  SSL_CTX *ssl_ctx;
+#else
+  char *ssl_cert;
+  char *ssl_key;
+  char *ssl_ca_cert;
+  char *ssl_server_name;
+#endif
+#endif
  time_t last_io_time;              /* Timestamp of the last socket IO */
  double ev_timer_time;             /* Timestamp of the future MG_EV_TIMER */
  mg_event_handler_t proto_handler; /* Protocol-specific event handler */
@@ -1402,6 +1413,9 @@ struct mg_bind_opts {
 #ifdef MG_ENABLE_SSL
  /* SSL settings. */
  const char *ssl_cert;    /* Server certificate to present to clients */
+  const char *ssl_key;     /* Private key corresponding to the certificate.
+                              If ssl_cert is set but ssl_key is not, ssl_cert
+                              is used. */
  const char *ssl_ca_cert; /* Verify client certificates with this CA bundle */
 #endif
 };
@@ -1442,6 +1456,9 @@ struct mg_connect_opts {
 #ifdef MG_ENABLE_SSL
  /* SSL settings. */
  const char *ssl_cert;    /* Client certificate to present to the server */
+  const char *ssl_key;     /* Private key corresponding to the certificate.
+                              If ssl_cert is set but ssl_key is not, ssl_cert
+                              is used. */
  const char *ssl_ca_cert; /* Verify server certificate using this CA bundle */
  /*
@@ -1515,19 +1532,23 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
                                     mg_event_handler_t handler,
                                     struct mg_connect_opts opts);
+#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
 /*
+ * Note: This function is deprecated, please use SSL options in mg_connect_opt.
+ *
 * Enable SSL for a given connection.
 * `cert` is a server certificate file name for a listening connection,
 * or a client certificate file name for an outgoing connection.
 * Certificate files must be in PEM format. Server certificate file
 * must contain a certificate, concatenated with a private key, optionally
- * concatenated with parameters.
+ * concatenated with DH parameters.
 * `ca_cert` is a CA certificate, or NULL if peer verification is not
 * required.
 * Return: NULL on success, or error message on error.
 */
 const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
                       const char *ca_cert);
+#endif
 /*
 * Send data to the connection.