| Portability | unknown |
|---|---|
| Stability | experimental |
| Maintainer | Vincent Hanquez <vincent@snarc.org> |
| Safe Haskell | Safe-Infered |
Network.TLS.Extra
Contents
Description
- ciphersuite_all :: [Cipher]
- ciphersuite_medium :: [Cipher]
- ciphersuite_strong :: [Cipher]
- ciphersuite_unencrypted :: [Cipher]
- cipher_null_null :: Cipher
- cipher_null_SHA1 :: Cipher
- cipher_null_MD5 :: Cipher
- cipher_RC4_128_MD5 :: Cipher
- cipher_RC4_128_SHA1 :: Cipher
- cipher_AES128_SHA1 :: Cipher
- cipher_AES256_SHA1 :: Cipher
- cipher_AES128_SHA256 :: Cipher
- cipher_AES256_SHA256 :: Cipher
- certificateChecks :: [[X509] -> IO TLSCertificateUsage] -> [X509] -> IO TLSCertificateUsage
- certificateVerifyChain :: [X509] -> IO TLSCertificateUsage
- certificateVerifyAgainst :: X509 -> X509 -> IO Bool
- certificateSelfSigned :: X509 -> Bool
- certificateVerifyDomain :: String -> [X509] -> TLSCertificateUsage
- certificateVerifyValidity :: Day -> [X509] -> TLSCertificateUsage
- certificateFingerprint :: (ByteString -> ByteString) -> X509 -> ByteString
- connectionClient :: CryptoRandomGen g => String -> String -> TLSParams -> g -> IO (TLSCtx Handle)
- fileReadCertificate :: FilePath -> IO X509
- fileReadPrivateKey :: FilePath -> IO PrivateKey
Cipher related definition
cipher suite
ciphersuite_all :: [Cipher]Source
all encrypted ciphers supported ordered from strong to weak. this choice of ciphersuite should satisfy most normal need
ciphersuite_medium :: [Cipher]Source
list of medium ciphers.
ciphersuite_strong :: [Cipher]Source
the strongest ciphers supported.
ciphersuite_unencrypted :: [Cipher]Source
all unencrypted ciphers, do not use on insecure network.
individual ciphers
cipher_null_null :: CipherSource
this is not stricly a usable cipher; it's the initial cipher of a TLS connection
cipher_null_SHA1 :: CipherSource
unencrypted cipher using RSA for key exchange and SHA1 for digest
cipher_null_MD5 :: CipherSource
unencrypted cipher using RSA for key exchange and MD5 for digest
cipher_RC4_128_MD5 :: CipherSource
RC4 cipher, RSA key exchange and MD5 for digest
cipher_RC4_128_SHA1 :: CipherSource
RC4 cipher, RSA key exchange and SHA1 for digest
cipher_AES128_SHA1 :: CipherSource
AES cipher (128 bit key), RSA key exchange and SHA1 for digest
cipher_AES256_SHA1 :: CipherSource
AES cipher (256 bit key), RSA key exchange and SHA1 for digest
cipher_AES128_SHA256 :: CipherSource
AES cipher (128 bit key), RSA key exchange and SHA256 for digest
cipher_AES256_SHA256 :: CipherSource
AES cipher (256 bit key), RSA key exchange and SHA256 for digest
Certificate helpers
certificateChecks :: [[X509] -> IO TLSCertificateUsage] -> [X509] -> IO TLSCertificateUsageSource
Returns CertificateUsageAccept if all the checks pass, or the first
failure.
certificateVerifyChain :: [X509] -> IO TLSCertificateUsageSource
verify a certificates chain using the system certificates available.
each certificate of the list is verified against the next certificate, until it can be verified against a system certificate (system certificates are assumed as trusted)
This helper only check that the chain of certificate is valid, which means that each items received are signed by the next one, or by a system certificate. Some extra checks need to be done at the user level so that the certificate chain received make sense in the context.
for example for HTTP, the user should typically verify the certificate subject match the URL of connection.
TODO: verify validity, check revocation list if any, add optional user output to know the rejection reason.
certificateVerifyAgainst :: X509 -> X509 -> IO BoolSource
verify a certificate against another one. the first certificate need to be signed by the second one for this function to succeed.
certificateSelfSigned :: X509 -> BoolSource
Is this certificate self signed?
certificateVerifyDomain :: String -> [X509] -> TLSCertificateUsageSource
Verify that the given certificate chain is application to the given fully qualified host name.
certificateVerifyValidity :: Day -> [X509] -> TLSCertificateUsageSource
Verify certificate validity period that need to between the bounds of the certificate. TODO: maybe should verify whole chain.
certificateFingerprint :: (ByteString -> ByteString) -> X509 -> ByteStringSource
hash the certificate signing data using the supplied hash function.
Connection helpers
connectionClient :: CryptoRandomGen g => String -> String -> TLSParams -> g -> IO (TLSCtx Handle)Source
open a TCP client connection to a destination and port description (number or name)
File helpers
fileReadCertificate :: FilePath -> IO X509Source
read one X509 certificate from a file.
the certificate must be in the usual PEM format with the TRUSTED CERTIFICATE or CERTIFICATE pem name.
If no valid PEM encoded certificate is found in the file this function will raise an error.
fileReadPrivateKey :: FilePath -> IO PrivateKeySource
read one private key from a file.
the private key must be in the usual PEM format and at the moment only RSA PRIVATE KEY are supported.
If no valid PEM encoded private key is found in the file this function will raise an error.