Running picotls TLS 1.3 server with AddressSanitizer and Docker

Picotls is a TLS 1.3 implementation written in C. At the moment of writing this post, picotls implements TLS 1.3 draft 26.

I have been experimenting with TLS 1.3 in tlsbunny project. This is a framework for building negative tests and fuzzers for TLS 1.3 implementations. For example, tlsbunny has several simple fuzzers for TLS structures like TLSPlaintext, Handshake, ClientHello, etc. It would not be worse to run those fuzzers against picotls server.

picotls is a tiny TLS 1.3 implementation, so building takes less than a minute. But I’d like to have a couple of features:

  • run picotls server in a Docker container
  • enable AddressSanitizer to catch possible memory corruptions and leaks

Unfortunately picotls doesn’t support AddressSanitizer out-of-the box (which may be a nice improvement), so -fsanitize=address option should be passed to the compiler via environment variables and CMake parameters.

The tlsbunny repository contains a Dockerfile which builds picotls and starts a local server. Furthermore, the repository already contains server key and certificate which you will need to start the server. So, the easiest way to build a Docker image with picotls is to clone tlsbunny repository and run docker build:

$ git clone
$ cd tlsbunny
$ docker build --file src/main/docker/picotls/Dockerfile --tag picotls/server/tls13 .

Below you can find the details:

  • generates EC keys and certificates. It’s a bit redundant but it should not be a problem.
  • Dockerfile is a just a Dockerfile.
  • A local server starts on Note that doesn’t work because the port can’t be exposed outside the container in this case.


If you have found a spelling error, please, notify us by selecting that text and pressing Ctrl+Enter.


Leave a Reply

Notify of