The big lines of code in TLS are X.509 certificate parsing and supporting multiple protocols. If you just want 1.3 and you've got existing cipher and certificate validation libraries to call, it's not too bad. There are some published test vectors to help you get the cipher setup right as well; it gets fiddly, but it's not going to be a lot of code unless you have an Object Extravaganza, and even then, still not too bad.
Does supporting only the mandatory stuff give you acceptable compatibility in the real world, or do too many people rely on things that were supposed to be optional?
It works most of the time unless the "endpoint" employs an engineer who is prone to customizing things too much :) In TLS 1.3 "mandatory" really means it.
der.lisp is only loading a PKCS1/DER-encoded private RSA key, which is a far cry from certificate parsing. (And certificate.lisp just loads a blob.) Granted, for a server which doesn't support mTLS you don't need to parse certificates, or any other complex DER-encoded structures.
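The distinction drawn above, as an added example that is not code from the project under discussion: a minimal DER reader that is all you need for a PKCS#1 RSAPrivateKey (nine INTEGERs inside one SEQUENCE), which is far less structure than a certificate with its nested names, OIDs and extensions. The sample key bytes are constructed from textbook toy values; the function and constant names are this example's own.

```python
# Added example, not code from the project discussed above: a minimal DER reader
# that is sufficient for an RFC 8017 RSAPrivateKey (a flat SEQUENCE of INTEGERs).
SEQUENCE, INTEGER = 0x30, 0x02

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf) or buf[pos] == 0:
            raise ValueError("indefinite, oversized or non-minimal DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("long form used for a short length")   # DER forbids this
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(der):
    """Parse RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qinv }."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one top-level SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != INTEGER:
            raise ValueError("RSAPrivateKey fields must be INTEGERs")
        fields.append(int.from_bytes(value, "big", signed=True))
    names = ["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"]
    if len(fields) != len(names) or fields[0] != 0:
        raise ValueError("unexpected field count or version")
    key = dict(zip(names, fields))
    if key["p"] * key["q"] != key["n"]:     # cheap sanity check on the loaded key
        raise ValueError("n != p*q")
    return key

def der_int(v):
    """DER-encode a non-negative INTEGER (minimal, 0x00 pad if the top bit is set)."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return bytes([INTEGER, len(b)]) + b

# Constructed toy key using the textbook RSA numbers p=61, q=53, e=17, d=2753.
SAMPLE_BODY = b"".join(der_int(v) for v in [0, 3233, 17, 2753, 61, 53, 2753 % 60, 2753 % 52, pow(53, -1, 61)])
SAMPLE_KEY = bytes([SEQUENCE, len(SAMPLE_BODY)]) + SAMPLE_BODY
```

Everything a certificate parser adds on top of this (nested SEQUENCEs, OIDs, BIT STRINGs, UTCTime, extensions with their own inner DER) is absent here, which is the point of the comment above.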
Thanks. It was a really fun project. There were a lot of things to keep track of, so the readability of the code was a big help in not losing the big picture.