rontolisp:tls-listen-pem
(rontolisp:tls-listen-pem cert-file key-file port &optional host)
Binds a listening TLS socket serving a certificate and private key read
from PEM files — the certbot / OpenSSL-friendly counterpart of
rontolisp:tls-listen (which takes a PKCS12
keystore). cert-file is a PEM certificate chain (leaf certificate first) and
key-file is the matching unencrypted PKCS#8 private key (-----BEGIN PRIVATE KEY-----, RSA/EC/DSA/EdDSA). Everything else matches tls-listen: the
listener handle works with rontolisp:tcp-accept,
rontolisp:tcp-local-port and
close, and an accepted connection handshakes on its first read or
write.
Generate a self-signed cert and key for local development with OpenSSL (this
writes an unencrypted PKCS#8 key thanks to -nodes):
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
-keyout key.pem -out cert.pem -days 365 -subj /CN=localhost \
-addext subjectAltName=IP:127.0.0.1,DNS:localhost
The example below is a one-connection TLS echo server; test it with
openssl s_client -connect 127.0.0.1:8443 (type a line, it comes back):
(let* ((listener (rontolisp:tls-listen-pem "cert.pem" "key.pem" 8443))
(sock (rontolisp:tcp-accept listener)) ; blocks for a client
(line (read-line sock))) ; the handshake happens here
(write-line line sock)
(close sock)
(close listener))
Backend support
- Interpreter: reads the PEM files at run time, so
cert-fileandkey-filemay be computed at run time. A missing file, a malformed certificate, an encrypted or unsupported key, or a busy port signals an error. - JVM: the certificate and key are parsed at compile time and the
resulting keystore is embedded in the compiled class, so
cert-fileandkey-filemust be string literals (a computed path is a compile error); relative paths resolve against the source file's directory. The compiled program needs no PEM files at run time. - WASM: not supported —
tls-listen-pemis a compile error in both Preview 1 and--componentmode. Thewasi:tlsproposal is client-only (there is no server-side TLS interface for WASM components), so a TLS server has no WASM path. - Browser playground: not supported — the browser sandbox provides no raw
TCP sockets, so
tls-listen-pemsignals an error.
Limitations
- The private key must be an unencrypted PKCS#8 key
(
-----BEGIN PRIVATE KEY-----). Encrypted keys and legacy PKCS#1 (-----BEGIN RSA PRIVATE KEY-----) or SEC1 (-----BEGIN EC PRIVATE KEY-----) formats are not read; convert withopenssl pkcs8 -topk8 -nocrypt -in old.pem -out key.pem. - No client-certificate authentication (mutual TLS) options.
- On the JVM backend the paths are compile-time literals (see Backend support);
for a keystore chosen at run time on the JVM, use
rontolisp:tls-listenwith a PKCS12 file instead.