Fields

clientUseMaxFragmentLength :: Maybe MaxFragmentEnum

 

clientServerIdentification :: (HostName, Bytes)

Define the name of the server, along with an extra service identification blob. this is important that the hostname part is properly filled for security reason, as it allow to properly associate the remote side with the given certificate during a handshake.

The extra blob is useful to differentiate services running on the same host, but that might have different certificates given. It's only used as part of the X509 validation infrastructure.

clientUseServerNameIndication :: Bool

Allow the use of the Server Name Indication TLS extension during handshake, which allow the client to specify which host name, it's trying to access. This is useful to distinguish CNAME aliasing (e.g. web virtual host).

clientWantSessionResume :: Maybe (SessionID, SessionData)

try to establish a connection using this session.

clientShared :: Shared

 

clientHooks :: ClientHooks

 

clientSupported :: Supported

 

Fields

serverWantClientCert :: Bool

request a certificate from client.

serverCACertificates :: [SignedCertificate]

This is a list of certificates from which the disinguished names are sent in certificate request messages. For TLS1.0, it should not be empty.

serverDHEParams :: Maybe DHParams

Server Optional Diffie Hellman parameters. If this value is not properly set, no Diffie Hellman key exchange will take place.

serverShared :: Shared

 

serverHooks :: ServerHooks

 

serverSupported :: Supported

 

Fields

onCertificateRequest :: ([CertificateType], Maybe [HashAndSignatureAlgorithm], [DistinguishedName]) -> IO (Maybe (CertificateChain, PrivKey))

This action is called when the server sends a certificate request. The parameter is the information from the request. The action should select a certificate chain of one of the given certificate types where the last certificate in the chain should be signed by one of the given distinguished names. Each certificate should be signed by the following one, except for the last. At least the first of the certificates in the chain must have a corresponding private key, because that is used for signing the certificate verify message.

Note that is is the responsibility of this action to select a certificate matching one of the requested certificate types. Returning a non-matching one will lead to handshake failure later.

Returning a certificate chain not matching the distinguished names may lead to problems or not, depending whether the server accepts it.

onNPNServerSuggest :: Maybe ([ByteString] -> IO ByteString)

 

onServerCertificate :: CertificateStore -> ValidationCache -> ServiceID -> CertificateChain -> IO [FailedReason]

 

Fields

onClientCertificate :: CertificateChain -> IO CertificateUsage

This action is called when a client certificate chain is received from the client. When it returns a CertificateUsageReject value, the handshake is aborted.

onUnverifiedClientCert :: IO Bool

This action is called when the client certificate cannot be verified. A Nothing argument indicates a wrong signature, a 'Just e' message signals a crypto error.

onCipherChoosing :: Version -> [Cipher] -> Cipher

Allow the server to choose the cipher relative to the the client version and the client list of ciphers.

This could be useful with old clients and as a workaround to the BEAST (where RC4 is sometimes prefered with TLS < 1.1)

The client cipher list cannot be empty.

onSuggestNextProtocols :: IO (Maybe [ByteString])

suggested next protocols accoring to the next protocol negotiation extension.

onNewHandshake :: Measurement -> IO Bool

at each new handshake, we call this hook to see if we allow handshake to happens.

Fields

supportedVersions :: [Version]

Supported Versions by this context On the client side, the highest version will be used to establish the connection. On the server side, the highest version that is less or equal than the client version will be chosed.

supportedCiphers :: [Cipher]

Supported cipher methods

supportedCompressions :: [Compression]

supported compressions methods

supportedHashSignatures :: [HashAndSignatureAlgorithm]

All supported hash/signature algorithms pair for client certificate verification, ordered by decreasing priority.

supportedSecureRenegotiation :: Bool

Set if we support secure renegotiation.

supportedSession :: Bool

Set if we support session.

Fields

sharedCredentials :: Credentials

 

sharedSessionManager :: SessionManager

 

sharedCAStore :: CertificateStore

 

sharedValidationCache :: ValidationCache

 

Fields

hookRecvHandshake :: Handshake -> IO Handshake

called at each handshake message received

hookRecvCertificates :: CertificateChain -> IO ()

called at each certificate chain message received

hookLogging :: Logging

hooks on IO and packets, receiving and sending.

Fields

loggingPacketSent :: String -> IO ()

 

loggingPacketRecv :: String -> IO ()

 

loggingIOSent :: ByteString -> IO ()

 

loggingIORecv :: Header -> ByteString -> IO ()

 

Fields

nbHandshakes :: !Word32

number of handshakes on this context

bytesReceived :: !Word32

bytes received since last handshake

bytesSent :: !Word32

bytes sent since last handshake

Fields

sessionVersion :: Version

 

sessionCipher :: CipherID

 

sessionSecret :: ByteString

 

Fields

sessionResume :: SessionID -> IO (Maybe SessionData)

used on server side to decide whether to resume a client session.

sessionEstablish :: SessionID -> SessionData -> IO ()

used when a session is established.

sessionInvalidate :: SessionID -> IO ()

used when a session is invalidated.

Fields

backendFlush :: IO ()

Flush the connection sending buffer, if any.

backendClose :: IO ()

Close the connection.

backendSend :: ByteString -> IO ()

Send a bytestring through the connection.

backendRecv :: Int -> IO ByteString

Receive specified number of bytes from the connection.

Fields

infoVersion :: Version

 

infoCipher :: Cipher

 

infoCompression :: Compression

 

Fields

bulkName :: String

 

bulkKeySize :: Int

 

bulkIVSize :: Int

 

bulkBlockSize :: Int

 

bulkF :: BulkFunctions

 

Fields

hashName :: String

 

hashSize :: Int

 

hashF :: ByteString -> ByteString

 

Fields

cipherID :: CipherID

 

cipherName :: String

 

cipherHash :: Hash

 

cipherBulk :: Bulk

 

cipherKeyExchange :: CipherKeyExchangeType

 

cipherMinVer :: Maybe Version

 

Fields

checkTimeValidity :: Bool

check time validity of every certificate in the chain. the make sure that current time is between each validity bounds in the certificate

checkAtTime :: Maybe UTCTime

The time when the validity check happens. When set to Nothing, the current time will be used

checkStrictOrdering :: Bool

Check that no certificate is included that shouldn't be included. unfortunately despite the specification violation, a lots of real world server serves useless and usually old certificates that are not relevant to the certificate sent, in their chain.

checkCAConstraints :: Bool

Check that signing certificate got the CA basic constraint. this is absolutely not recommended to turn it off.

checkExhaustive :: Bool

Check the whole certificate chain without stopping at the first failure. Allow gathering a exhaustive list of failure reasons. if this is turn off, it's absolutely not safe to ignore a failed reason even it doesn't look serious (e.g. Expired) as other more serious checks would not have been performed.

checkLeafV3 :: Bool

Check that the leaf certificate is version 3. If disable, version 2 certificate is authorized in leaf position and key usage cannot be checked.

checkLeafKeyUsage :: [ExtKeyUsageFlag]

Check that the leaf certificate is authorized to be used for certain usage. If set to empty list no check are performed, otherwise all the flags is the list need to exists in the key usage extension. If the extension is not present, the check will pass and behave as if the certificate key is not restricted to any specific usage.

checkLeafKeyPurpose :: [ExtKeyUsagePurpose]

Check that the leaf certificate is authorized to be used for certain purpose. If set to empty list no check are performed, otherwise all the flags is the list need to exists in the extended key usage extension if present. If the extension is not present, then the check will pass and behave as if the certificate is not restricted to any specific purpose.

checkFQHN :: Bool

Check the top certificate names matching the fully qualified hostname (FQHN). it's not recommended to turn this check off, if no other name checks are performed.

Fields

hookMatchSubjectIssuer :: DistinguishedName -> Certificate -> Bool

check the the issuer DistinguishedName match the subject DistinguishedName of a certificate.

hookValidateTime :: UTCTime -> Certificate -> [FailedReason]

validate that the parametrized time valide with the certificate in argument

hookValidateName :: HostName -> Certificate -> [FailedReason]

validate the certificate leaf name with the DNS named used to connect

hookFilterReason :: [FailedReason] -> [FailedReason]

user filter to modify the list of failure reasons

Fields

cacheQuery :: ValidationCacheQueryCallback

cache querying callback

cacheAdd :: ValidationCacheAddCallback

cache adding callback