TLS/HTTPS Sockets
Spectranext supports TLS/SSL (Transport Layer Security) for secure, encrypted network connections. This allows ZX Spectrum programs to access modern HTTPS websites and other encrypted services.
Automatic TLS (HTTPS) Decryption
Spectranext automatically handles TLS encryption for any socket connection to port 443 (the standard HTTPS port). When your program opens a socket and connects to port 443, Spectranext transparently:
- Detects port 443: Automatically recognizes HTTPS connections
- Establishes TLS handshake: Performs the TLS/SSL handshake with the server
- Encrypts/decrypts data: All data sent and received is automatically encrypted and decrypted
- Verifies certificates: Validates server certificates to ensure secure connections
No special code required - simply connect to port 443 and use the socket normally. The encryption happens transparently.
Using HTTPS
From BASIC
10 REM Connect to HTTPS website
20 %connect #4, "www.example.com", 443
30 PRINT #4; "GET / HTTP/1.1"
40 PRINT #4; "Host: www.example.com"
50 PRINT #4
60 INPUT #4, a$
70 PRINT a$
80 %close #4
From Assembly
; Connect to port 443 - TLS is automatic
ld hl, hostname
ld de, 443 ; Port 443 triggers automatic TLS
call CONNECT
; Socket is now encrypted automatically
How It Works
When you connect to port 443:
- TCP Connection: First, a normal TCP connection is established
- TLS Detection: Spectranext detects the port 443 destination
- TLS Handshake: Automatically performs TLS handshake with the server
- Certificate Verification: Validates the server's SSL certificate
- Encrypted Communication: All subsequent data is encrypted/decrypted transparently
Your program uses the socket exactly as it would for a normal TCP connection - the encryption is handled automatically by Spectranext.
Certificate Authority (CA) Certificates
Spectranext includes a curated list of trusted Certificate Authority (CA) certificates for validating server certificates. The CA store includes the following root CAs:
Included CA Certificates
- ISRG Root X1 - Internet Security Research Group (Let's Encrypt)
- ISRG Root X2 - Internet Security Research Group (Let's Encrypt)
- DigiCert Global Root G2 - DigiCert Inc.
- DigiCert TLS RSA Root CA - DigiCert Inc.
- DigiCert TLS ECC Root CA - DigiCert Inc.
- GTS Root R1/R2/R3/R4 - Google Trust Services LLC
- Amazon Root CA 1/2 - Amazon
- GlobalSign Root R3 - GlobalSign
- USERTrust RSA Certification Authority - The USERTRUST Network
- USERTrust ECC Certification Authority - The USERTRUST Network
- Microsoft RSA Root Certificate Authority 2017 - Microsoft Corporation
- Entrust Root Certification Authority - G2 - Entrust, Inc.
- Baltimore CyberTrust Root - Baltimore CyberTrust
These CAs cover the majority of modern HTTPS websites, including:
- Let's Encrypt certificates (used by many free SSL certificate providers)
- Google services (Gmail, YouTube, etc.)
- Amazon Web Services (AWS)
- Microsoft services
- Major commercial certificate providers (DigiCert, GlobalSign, etc.)
Certificate Validation
When connecting to port 443, Spectranext:
- Receives the server's SSL certificate
- Validates the certificate chain against the included CA store
- Verifies the certificate hasn't expired
- Checks that the certificate matches the hostname being connected to (the name sent via SNI)
- Only allows the connection if validation succeeds
If certificate validation fails, the TLS connection will be rejected and your program will receive an error.
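The validation steps listed above, modelled as an added host-side Python example (not Spectranext's own code) that predicts why a connection would be rejected. The certificate dictionary, the function names and the order of the checks are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timezone

# Root CA names as listed on this page (slash-grouped entries expanded).
TRUSTED_ROOTS = {
    "ISRG Root X1", "ISRG Root X2", "DigiCert Global Root G2",
    "DigiCert TLS RSA Root CA", "DigiCert TLS ECC Root CA",
    "GTS Root R1", "GTS Root R2", "GTS Root R3", "GTS Root R4",
    "Amazon Root CA 1", "Amazon Root CA 2", "GlobalSign Root R3",
    "USERTrust RSA Certification Authority",
    "USERTrust ECC Certification Authority",
    "Microsoft RSA Root Certificate Authority 2017",
    "Entrust Root Certification Authority - G2",
    "Baltimore CyberTrust Root",
}

def hostname_matches(pattern, host):
    """RFC 6125-style match: '*' only as the whole left-most label (one label)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # reject bare "*.com"
    return p == h

def predict_rejection(host, cert, now):
    """Return the first reason validation would fail, or None if it passes."""
    if cert["root"] not in TRUSTED_ROOTS:
        return "chain does not end at an included root CA"
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return "certificate is outside its validity period"
    if not any(hostname_matches(s, host) for s in cert["san"]):
        return "certificate does not match the hostname"
    return None

# Constructed sample data, not taken from any real server.
UTC = timezone.utc
SAMPLE = {
    "root": "ISRG Root X1",
    "san": ["example.com", "*.example.com"],
    "not_before": datetime(2025, 1, 1, tzinfo=UTC),
    "not_after": datetime(2025, 4, 1, tzinfo=UTC),
}
NOW = datetime(2025, 2, 1, tzinfo=UTC)  # constructed "current time"

if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "example.org"):
        print(host, "->", predict_rejection(host, SAMPLE, NOW) or "accepted")
```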
Limitations
- Port 443 only: Automatic TLS only works for port 443 connections
- Client mode: Only client-side TLS is supported (connecting to servers)
- Certificate validation: Server certificates are validated automatically against the included CA certificate store
- TLS 1.2: Supports the TLS 1.2 protocol
- Limited CA list: Only certificates issued by the included CAs are trusted
Next Steps
- Socket APIs - Understanding the underlying socket API
- Memory Architecture - Understanding TLS buffer management
- Check the TLS library documentation for advanced features