Safe Haskell | None |
---|---|
Language | Haskell2010 |
Helpers for setting up a tls connection with tls
package
Note, functions in this module will throw error if can't load certificates or CA store.
- data TrustedCAStore
- makeCAStore :: TrustedCAStore -> IO CertificateStore
- makeClientParams :: (HostName, ByteString) -> TrustedCAStore -> IO ClientParams
- makeClientParams' :: FilePath -> [FilePath] -> FilePath -> (HostName, ByteString) -> TrustedCAStore -> IO ClientParams
- makeServerParams :: FilePath -> [FilePath] -> FilePath -> IO ServerParams
- makeServerParams' :: FilePath -> [FilePath] -> FilePath -> TrustedCAStore -> IO ServerParams
choose a CAStore
data TrustedCAStore Source #
The whole point of TLS is that: a peer should have already trusted
some certificates, which can be used for validating other peer's certificates.
if the certificates sent by other side form a chain. and one of them is issued
by one of TrustedCAStore
, Then the peer will be trusted.
SystemCAStore | provided by your operating system. |
MozillaCAStore | provided by Mozilla. |
CustomCAStore FilePath | provided by your self, the CA file can contain multiple certificates as long as they can form a certificate chain. |
make TLS settings
:: (HostName, ByteString) | hostname which should match with certificate, with identitifer to distinguish different certificate on the same hostname (for example, service port). |
-> TrustedCAStore | trusted certificates. |
-> IO ClientParams |
make a simple tls ClientParams
that will validate server and use tls connection
without providing client's own certificate. suitable for connecting server which don't
validate clients.
Note, tls's default validating method require server has v3 certificate. You can use openssl's V3 extension to issue such a certificate.
:: FilePath | public certificate (X.509 format). |
-> [FilePath] | chain certificates (X.509 format). the root of your certificate chain should be already trusted by server, or tls will fail. |
-> FilePath | private key associated. |
-> (HostName, ByteString) | same as |
-> TrustedCAStore | trusted certificates. |
-> IO ClientParams |
make a simple tls ClientParams
that will validate server and use tls connection
while providing client's own certificate as well. suitable for connecting server which
validate clients.
Also only accept v3 certificate.
:: FilePath | public certificate (X.509 format). |
-> [FilePath] | chain certificates (X.509 format). the root of your certificate chain should be already trusted by client, or tls will fail. |
-> FilePath | private key associated. |
-> IO ServerParams |
make a simple tls ServerParams
without validating client's certificate.
:: FilePath | public certificate (X.509 format). |
-> [FilePath] | chain certificates (X.509 format). |
-> FilePath | private key associated. |
-> TrustedCAStore | server will use these certificates to validate clients. |
-> IO ServerParams |
make a tls ServerParams
that also validating client's certificate.