tls-extra-0.4.1: TLS extra default values and helpers

Portabilityunknown
Stabilityexperimental
MaintainerVincent Hanquez <vincent@snarc.org>

Network.TLS.Extra

Contents

Description

 

Synopsis

Cipher related definition

cipher suite

ciphersuite_all :: [Cipher]Source

all encrypted ciphers supported ordered from strong to weak. this choice of ciphersuite should satisfy most normal need

ciphersuite_medium :: [Cipher]Source

list of medium ciphers.

ciphersuite_strong :: [Cipher]Source

the strongest ciphers supported.

ciphersuite_unencrypted :: [Cipher]Source

all unencrypted ciphers, do not use on insecure network.

individual ciphers

cipher_null_null :: CipherSource

this is not stricly a usable cipher; it's the initial cipher of a TLS connection

cipher_null_SHA1 :: CipherSource

unencrypted cipher using RSA for key exchange and SHA1 for digest

cipher_null_MD5 :: CipherSource

unencrypted cipher using RSA for key exchange and MD5 for digest

cipher_RC4_128_MD5 :: CipherSource

RC4 cipher, RSA key exchange and MD5 for digest

cipher_RC4_128_SHA1 :: CipherSource

RC4 cipher, RSA key exchange and SHA1 for digest

cipher_AES128_SHA1 :: CipherSource

AES cipher (128 bit key), RSA key exchange and SHA1 for digest

cipher_AES256_SHA1 :: CipherSource

AES cipher (256 bit key), RSA key exchange and SHA1 for digest

cipher_AES128_SHA256 :: CipherSource

AES cipher (128 bit key), RSA key exchange and SHA256 for digest

cipher_AES256_SHA256 :: CipherSource

AES cipher (256 bit key), RSA key exchange and SHA256 for digest

Certificate helpers

certificateChecks :: [[X509] -> IO TLSCertificateUsage] -> [X509] -> IO TLSCertificateUsageSource

combine many certificates checking function together. if one check fail, the whole sequence of checking is cuted short and return the reject reason.

certificateVerifyChain :: [X509] -> IO TLSCertificateUsageSource

verify a certificates chain using the system certificates available.

each certificate of the list is verified against the next certificate, until it can be verified against a system certificate (system certificates are assumed as trusted)

This helper only check that the chain of certificate is valid, which means that each items received are signed by the next one, or by a system certificate. Some extra checks need to be done at the user level so that the certificate chain received make sense in the context.

for example for HTTP, the user should typically verify the certificate subject match the URL of connection.

TODO: verify validity, check revocation list if any, add optional user output to know the rejection reason.

certificateVerifyAgainst :: X509 -> X509 -> IO BoolSource

verify a certificate against another one. the first certificate need to be signed by the second one for this function to succeed.

certificateSelfSigned :: X509 -> BoolSource

returns if this certificate is self signed.

certificateVerifyDomain :: String -> [X509] -> TLSCertificateUsageSource

Verify that the given certificate chain is application to the given fully qualified host name.

certificateVerifyValidity :: Day -> [X509] -> TLSCertificateUsageSource

Verify certificate validity period that need to between the bounds of the certificate. TODO: maybe should verify whole chain.

certificateFingerprint :: (ByteString -> ByteString) -> X509 -> ByteStringSource

hash the certificate signing data using the supplied hash function.

Connection helpers

connectionClient :: CryptoRandomGen g => String -> String -> TLSParams -> g -> IO (TLSCtx Handle)Source

open a TCP client connection to a destination and port description (number or name)