Currently HTTP.jl hard-codes a dependency on MbedTLS.jl for TLS support; it has served us decently over the years, but there has always been a lingering set of errors that crop up that are very difficult to debug, either because the mbedtls library is a “black box” or because the bindings around it (in MbedTLS.jl) are also tricky to get right.
What do people generally think around TLS in Julia going forward? It doesn’t seem like there’s an appetite to do something native (though Go and Rust both have implementations we could leverage), so what about the best TLS shared libraries that could be leveraged? OpenSSL? BoringSSL? I’ve had my eye on BearSSL for several years, but it’s been very slow going in terms of getting out of “beta” status. There’s also the rustls project that has an FFI package we could leverage.
Personally, I’m just a little tired of these little mbedtls errors that always pop up without a good way to address them. One option is to “overhaul” the MbedTLS.jl package with an aim to modernize, simplify, and make the code more robust, since it was mainly written some 5-7 years ago. On the other hand, there’s only so much we can fix without diving into the mbedtls C source code, which I definitely don’t have an appetite for. It would be pretty easy to make the choice of TLS configurable in HTTP.jl, but I’m just wondering what other options people think are worth pursuing.