http2-tls-0.4.3: Library for HTTP/2 over TLS
Running an HTTP/2 client over TLS.



type Client a = SendRequest -> Aux -> IO a #

Client type.

type HostName = String #

Either a host name, e.g. "haskell.org", or a numeric host address string consisting of a dotted decimal IPv4 address or an IPv6 address, e.g. "192.168.0.1".

type Authority = String #


data PortNumber #

Port number. Use the Num instance (i.e. use a literal) to create a PortNumber value.

>>> 1 :: PortNumber
>>> read "1" :: PortNumber
>>> show (12345 :: PortNumber)
>>> 50000 < (51000 :: PortNumber)
>>> 50000 < (52000 :: PortNumber)
>>> 50000 + (10000 :: PortNumber)


runTLS Source #


:: Settings 
-> HostName 
-> PortNumber 
-> ByteString


-> (Context -> SockAddr -> SockAddr -> IO a) 
-> IO a 

Generalized API

data ClientConfig #

Client configuration


defaultAuthority :: HostName -> Authority Source #

Default authority

When we connect to a server, we can distinguish between three names, all of which may be different:

  1. The HostName, used for the DNS lookup to get the server's IP
  2. The HTTP2 :authority pseudo-header
  3. The TLS SNI (Server Name Indication). This differs from (2) only in exceptional circumstances; see settingsServerNameOverride.

In most cases, however, all three names are identical, and so the default Authority is simply equal to the ServerName.

runWithConfig :: ClientConfig -> Settings -> HostName -> PortNumber -> Client a -> IO a Source #

Running an HTTP/2 client over TLS (over TCP).

runH2CWithConfig :: ClientConfig -> Settings -> HostName -> PortNumber -> Client a -> IO a Source #

Running an HTTP/2 client over TCP.

runTLSWithConfig Source #


:: ClientConfig 
-> Settings 
-> HostName 
-> PortNumber 
-> ByteString


-> (Context -> SockAddr -> SockAddr -> IO a) 
-> IO a 

Running a TLS client.


defaultSettings :: Settings Source #

Default settings.

settingsKeyLogger :: Settings -> String -> IO () Source #

Key logger (TLS and H2)

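Applications may wish to set this depending on the SSLKEYLOGFILE environment variable. The logged lines contain TLS session secrets that allow recorded traffic to be decrypted, so enable the logger only for debugging and restrict access to wherever the output is written.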

Default: do nothing.

settingsValidateCert :: Settings -> Bool Source #

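Should we validate TLS certificates? (TLS and H2)

When validation is turned off the server's identity is not authenticated, so the connection can be intercepted by anyone on the network path; disable it only against test servers.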

>>> settingsValidateCert defaultSettings

settingsCAStore :: Settings -> CertificateStore Source #

Certificate store used for validation. (TLS and H2)

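Default: mempty, i.e. an empty store. With validation enabled, populate this with the CA certificates you trust (for example the system store) unless you have verified that the library supplies trust anchors itself.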

settingsCacheLimit :: Settings -> Int Source #

How many pushed responses are contained in the cache (H2 and H2c)

>>> settingsCacheLimit defaultSettings

settingsConcurrentStreams :: Settings -> Int Source #

The maximum number of incoming streams on the net (H2 and H2c)

>>> settingsConcurrentStreams defaultSettings

settingsConnectionWindowSize :: Settings -> Int Source #

The window size of a connection (H2 and H2c)

>>> settingsConnectionWindowSize defaultSettings

settingsStreamWindowSize :: Settings -> Int Source #

The window size of incoming streams (H2 and H2c)

>>> settingsStreamWindowSize defaultSettings

settingsServerNameOverride :: Settings -> Maybe HostName Source #

Server name override (H2)

By default, the server name (for TLS SNI) is set based on the authority, corresponding to the HTTP2 :authority pseudo-header. In rare circumstances these two values should be different (for example in the case of domain fronting); settingsServerNameOverride can be used to give SNI a different value than :authority.

settingsSessionManager :: Settings -> SessionManager Source #

TLS session manager (H2 and TLS)

Default: noSessionManager

settingsWantSessionResume :: Settings -> Maybe (SessionID, SessionData) Source #

Try to resume a TLS session (H2 and TLS)

>>> settingsWantSessionResume defaultSettings

settingsWantSessionResumeList :: Settings -> [(SessionID, SessionData)] Source #

Try to resume a TLS session (H2 and TLS). This takes precedence over settingsWantSessionResume.

>>> settingsWantSessionResumeList defaultSettings

settingsOpenClientSocket :: Settings -> AddrInfo -> IO Socket Source #

Function to initialize the client socket, i.e. the socket that connects to the server (All)

Default: openClientSocket

settingsUseEarlyData :: Settings -> Bool Source #

Try to use 0-RTT (H2 and TLS)

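This is only supported for tls >= 2.0. TLS 1.3 early data is not protected against replay, so when this is enabled send only requests that are safe to repeat in the 0-RTT window.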

>>> settingsUseEarlyData defaultSettings

Rate limits

settingsPingRateLimit :: Settings -> Int Source #

Maximum number of pings allowed per second (mitigates the ping flood, CVE-2019-9512)

>>> settingsPingRateLimit defaultSettings

settingsEmptyFrameRateLimit :: Settings -> Int Source #

Maximum number of empty data frames allowed per second (mitigates the empty frames flood, CVE-2019-9518)

>>> settingsEmptyFrameRateLimit defaultSettings

settingsSettingsRateLimit :: Settings -> Int Source #

Maximum number of settings frames allowed per second (mitigates the settings flood, CVE-2019-9515)

>>> settingsSettingsRateLimit defaultSettings

settingsRstRateLimit :: Settings -> Int Source #

Maximum number of reset frames allowed per second (mitigates the rapid reset attack, CVE-2023-44487)

>>> settingsRstRateLimit