!-Vt      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~? BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownSafeQ,6543210/.- BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownSafe BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneK3      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      ! BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone%:tlsConnection IO backend<tls,Flush the connection sending buffer, if any.=tlsClose the connection.>tls)Send a bytestring through the connection.?tls6Receive specified number of bytes from the connection. 789:;<=>? BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone)@tls'record some data about this connection.Btls$number of handshakes on this contextCtls#bytes received since last handshakeDtlsbytes sent since last handshake @ABCD"#$%& NoneM) '()*+,-./0 None*I1E2F3456789:;<= BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownNone7.Gtls2048 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 103 bits.Htls3072 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 125 bits.Itls4096 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 150 bits.Jtls6144 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 175 bits.Ktls8192 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 192 bits.GHIJKGHIJK  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone<>tls Direction?tlsRoleLtlsCompression identificationMtlsCipher identificationOtlsSession data to resumeZtls A session ID[tlsVersions known to TLSDSSL2 is just defined, but this version is and will not be supported.%>@A?BCLMNDEFGHOPQRSTUVWXYZ[\]^_`aIJbK  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneCctlsA session manageretlsAused on server side to decide whether to resume a client session.ftls_used on server side to decide whether to resume a client session for TLS 1.3 0RTT. For a given Z%, the implementation must return its O( only once and must not return the same O after the call.gtls#used when a session is established.htls#used when a session is invalidated.cdefghi  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneEXPELtls0This is the default compression which is a NOOP.jtlsAevery compression need to be wrapped in this, to fit in structureltls>supported compression algorithms need to be part of this classMtls+return the associated ID for this algorithmNtlszdeflate (compress) a bytestring using a compression context and return the result along with the new compression context.Otlswinflate (decompress) a bytestring using a compression context and return the result along the new compression context.Ptlsintersect a list of ids commonly given by the other side with a list of compression the function keeps the list of compression in order, to be able to find quickly the prefered compression.ptlsdefault null compression LLjklmnoMNOPp BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneQQRNoneXTStlsThis is a strict version of &&.Ttlsverify that 2 bytestrings are equals. it's a non lazy version, that will compare every bytes. arguments with different length will bail out early UVWXYSTZ[\ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneX]tls\Attempt to decode a bytestring representing an DER ASN.1 serialized object into the object.^tls7Encode an ASN.1 Object to the DER serialized bytestring]^NoneY _`ab BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownNoneZ< cdefghijklmNoneEX[zntls+(for the md5 context, for the sha1 context)j ,-./01234561E2F3456789:;<=cdefghijklmopqrstuvwxyqwvutsrxyz{z{|}~n BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone2vftlsBdeprecated alert, should never be sent by compliant implementationtls@TLS Exceptions related to bad user usage or asynchronous errorstlsGEarly termination exception with the reason and the error associatedtls(Handshake failed for the reason attachedtlsjUsage error when the connection has not been established and the user is trying to send or receive datatls5TLSError that might be returned through the TLS stacktlsmainly for instance of Errortlshandshake policy failed.tls,Some of the IANA registered code points for  are not currently supported by the library. Nor should they be, they're are either unwise, obsolete or both. There's no point in conveying these to the user in the client certificate request callback. The request callback will be filtered to exclude unsupported values. If the user cannot find a certificate for a supported code point, we'll go ahead without a client certificate and hope for the best, unless the user's callback decides to throw an exception.tlsTLS10 and up, RFC5246tlsTLS10 and up, RFC5246tlsTLS10 and up, RFC8422tlsTLS13 and up, synthetictlsTLS13 and up, synthetic | None of the below will ever be presented to the callback. Any future public key algorithms valid for client certificates go above this line.tlshLast supported certificate type, no 'CertificateType that compares greater than this one (based on the y instance, not on the wire code point) will be reported to the application via the client certificate request callback.OPQRSTUVWXYZ[\]^_`a|}~ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone{&      BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone'tlsFor now we ignore the version, but perhaps some day the PRF will depend not only on the cipher PRF algorithm, but also on the protocol version. BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneEXtlsCipher algorithmtlsCheck if a specific 2 is allowed to be used with the version specified@Mqwvutsrx      BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetlsyAll AES and ChaCha20-Poly1305 ciphers supported ordered from strong to weak. This choice of ciphersuites should satisfy most normal needs. For otherwise strong ciphers we make little distinction between AES128 and AES256, and list each but the weakest of the AES128 ciphers ahead of the corresponding AES256 ciphers, with the ChaCha20-Poly1305 variant placed just after.aThe CCM ciphers all come together after the GCM variants due to their relative performance cost.tlsDThe default ciphersuites + some not recommended last resort ciphers.tlslist of medium ciphers.tlsThe strongest ciphers supported. For ciphers with PFS, AEAD and SHA2, we list each AES128 variant after the corresponding AES256 and ChaCha20-Poly1305 variants. For weaker constructs, we use just the AES256 form.gThe CCM ciphers come just after the corresponding GCM ciphers despite their relative performance cost.tls}DHE-RSA cipher suite. This only includes ciphers bound specifically to DHE-RSA so TLS 1.3 ciphers must be added separately.tls8all unencrypted ciphers, do not use on insecure network.tls@unencrypted cipher using RSA for key exchange and MD5 for digesttlsAunencrypted cipher using RSA for key exchange and SHA1 for digesttls/RC4 cipher, RSA key exchange and MD5 for digesttls0RC4 cipher, RSA key exchange and SHA1 for digest tls?3DES cipher (168 bit key), RSA key exchange and SHA1 for digest!tls>AES cipher (128 bit key), RSA key exchange and SHA1 for digest"tlsMAES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for digest#tlsMAES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for digest$tls>AES cipher (256 bit key), RSA key exchange and SHA1 for digest%tlsMAES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for digest&tlsMAES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for digest'tls@AES cipher (128 bit key), RSA key exchange and SHA256 for digest(tls@AES cipher (256 bit key), RSA key exchange and SHA256 for digest,tlsaAESCCM cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.-tlsbAESCCM8 cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC..tlsaAESGCM cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC./tlsaAESCCM cipher (256 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.0tlsbAESCCM8 cipher (256 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.1tlsaAESGCM cipher (256 bit key), RSA key exchange. The SHA384 digest is used as a PRF, not as a MAC.; !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO;!$'(,-./01#&*+"%234567:NODBCE8@AFGHIJKLM9;<=>? ) BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@GHIJK !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone. !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGH BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone;Itlscurrent protocol versionJtlscurrent key exchange typeKtls$Decode a list CA distinguished namesLtls%Encode a list of distinguished names.Mtlsin certain cases, we haven't manage to decode ServerKeyExchange properly, because the decoding was too eager and the cipher wasn't been set yet. we keep the Server Key Exchange in it unparsed format, and this function is able to really decode the server key xchange if it's unparsed.NtlsfThe TLS12 PRF is cipher specific, and some TLS12 algorithms use SHA384 instead of the default SHA256.*OPIJQRSTUVWXYZ[\]K^_`aLbcdefghijkMlmnopqrs BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@A2tuvwxyz{|}~ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneGtlsRepresent a TLS record.tlsXturn a plaintext record into a compressed record using the compression function suppliedtlsTturn a compressed record into a ciphertext record using the cipher function suppliedtlsXturn a ciphertext fragment into a compressed fragment using the cipher function suppliedtls^turn a compressed fragment into a plaintext fragment using the decompression function suppliedtls&turn a record into an header and bytestls*turn a header and a fragment into a recordtlsturn a record into a header BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetlsRepresent a TLS record.tls*turn a header and a fragment into a record BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone/ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>z  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneϽ! BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>" BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone;tuvwxyz{# BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone$ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@AM+Ptls5Type to show which handshake mode is used in TLS 1.3.QtlsFull handshake is used.Rtls/Full handshake is used with hello retry reuest.Stls!Server authentication is skipped.Ttls8Server authentication is skipped and early data is sent.tls-When we receive a CertificateRequest from a server, a just-in-time callback is issued to the application to obtain a suitable certificate. Somewhat unfortunately, the callback parameters don't abstract away the details of the TLS 1.2 Certificate Request message, which combines the legacy certificate_types and new supported_signature_algorithms& parameters is a rather subtle way.TLS 1.2 also (again unfortunately, in the opinion of the author of this comment) overloads the signature algorithms parameter to constrain not only the algorithms used in TLS, but also the algorithms used by issuing CAs in the X.509 chain. Best practice is to NOT treat such that restriction as a MUST, but rather take it as merely a preference, when a choice exists. If the best chain available does not match the provided signature algorithm list, go ahead and use it anyway, it will probably work, and the server may not even care about the issuer CAs at all, it may be doing DANE or have explicit mappings for the client's public key, ... The TLS 1.3 CertificateRequest message, drops certificate_types and no longer overloads supported_signature_algorithmsi to cover X.509. It also includes a new opaque context token that the client must echo back, which makes certain client authentication replay attacks more difficult. We will store that context separately, it does not need to be presented in the user callback. The certificate signature algorithms preferred by the peer are now in the separate signature_algorithms_cert extension, but we cannot report these to the application callback without an API change. The good news is that filtering the X.509 signature types is generally unnecessary, unwise and difficult. So we just ignore this extension.As a result, the information we provide to the callback is no longer a verbatim copy of the certificate request payload. In the case of TLS 1.3 The 6 list is synthetically generated from the server's signature_algorithms extension, and the signature_algorithms_certs extension is ignored.Since the original TLS 1.2  has no provision for the newer certificate types that have appeared in TLS 1.3 we're adding some synthetic values that have no equivalent values in the TLS 1.2  as defined in the IANA < Uhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2d TLS ClientCertificateType Identifiers> registry. These values are inferred from the TLS 1.3 signature_algorithmsl extension, and will allow clients to present Ed25519 and Ed448 certificates when these become supported.tls>Set to Just-value when a TLS13 certificate request is receivedtls8Set to Just-value when a certificate request is receivedtlsIn TLS 1.3, these are separate from the certificate issuer signature algorithm hints in the callback data. In TLS 1.2 the same list is overloaded for both purposes. Not present in TLS 1.1 and earliertls4Set to true when a client certificate chain was senttls/Set to true when a certificate request was senttlsECompress the whole transcript with the specified function. Function fo takes the handshake digest as input and returns an encoded handshake message to replace the transcript with.tls6Generate the master secret from the pre master secret.tlsSet master secret and as a side effect generate the key block with all the right parameters, and setup the pending tx/rx state.tlschosen transmission versiontls2the role (Client or Server) of the generating sidetlsthe pre master secrettlschosen versionZPSQRT% BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone& BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone!%tls-Application Layer Protocol Negotiation (ALPN)tlsSecure Renegotiationtls?Max fragment extension with length from 512 bytes to 4096 bytesRFC 6066 defines: If a server receives a maximum fragment length negotiation request for a value other than the allowed values, it MUST abort the handshake with an "illegal_parameter" alert.HSo, if a server receives MaxFragmentLengthOther, it must send the alert.tlsServer Name extension including the name type and the associated name. the associated name decoding is dependant of its name type. name type = 0 : hostnametlsKExtension class to transform bytes to and from a high level Extension type.tls.all supported extensions by the implementationi,-./0123456      !"#$%&'()*+,-./01234567UVWXY89:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ' BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@AMSX$0D/[\]^_`abcdefghijklmnopqrstuvwxyz{|}~( BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone)Ztls3Certificate Usage callback possible returns values.[tlsusage of certificate accepted\tlsusage of certificate rejected]tls&Certificate and Chain rejection reason#+Z[\]^_`a) BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone/btlsA collection of hooks actions.dtls)called at each handshake message receivedetls1called at each certificate chain message receivedftls/hooks on IO and packets, receiving and sending.gtlsHooks for logging8This is called when sending and receiving packets and IO bcdefghijkl* BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone=ptlstry to create a new credential object from a public certificate and the associated private key that are stored on the filesystem in PEM format.qtls similar to pV but take the certificate and private key from memory instead of from the filesystem.rtls similar to p/ but also allow specifying chain certificates.stls similar to q/ but also allow specifying chain certificates.tlsChecks whether certificate signatures in the chain comply with a list of hash/signature algorithm pairs. Currently the verification applies only to the signature of the leaf certificate, and when not self-signed. This may be extended to additional chain elements in the future.ptls!public certificate (X.509 format)tlsprivate key associatedrtls!public certificate (X.509 format)tls!chain certificates (X.509 format)tlsprivate key associated mnopqrs+ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone1ttlsQA set of callbacks run by the server for various corners of the TLS establishmentvtlsThis action is called when a client certificate chain is received from the client. When it returns a CertificateUsageReject value, the handshake is aborted.The function is not expected to verify the key-usage extension of the certificate. This verification is performed by the library internally.wtlsNThis action is called when the client certificate cannot be verified. Return ' to accept the certificate anyway, or  to fail verification.xtlsiAllow the server to choose the cipher relative to the the client version and the client list of ciphers.xThis could be useful with old clients and as a workaround to the BEAST (where RC4 is sometimes prefered with TLS < 1.1)'The client cipher list cannot be empty.ytlstAllow the server to indicate additional credentials to be used depending on the host name indicated by the client.This is most useful for transparent proxies where credentials must be generated on the fly according to the host the client is trying to connect to.yReturned credentials may be ignored if a client does not support the signature algorithms used in the certificate chain.ztlsQat each new handshake, we call this hook to see if we allow handshake to happens.{tlsAllow the server to choose an application layer protocol suggested from the client through the ALPN (Application Layer Protocol Negotiation) extensions.|tlsNA set of callbacks run by the clients for various corners of TLS establishment~tls$This action is called when the a certificate request is received from the server. The callback argument is the information from the request. The server, at its discretion, may be willing to continue the handshake without a client certificate. Therefore, the callback is free to return  to indicate that no client certificate should be sent, despite the server's request. In some cases it may be appropriate to get user consent before sending the certificate; the content of the user's certificate may be sensitive and intended only for specific servers.!The action should select a certificate chain of one of the given certificate types and one of the certificates in the chain should (if possible) be signed by one of the given distinguished names. Some servers, that don't have a narrow set of preferred issuer CAs, will send an empty  list, rather than send all the names from their trusted CA bundle. If the client does not have a certificate chaining to a matching CA, it may choose a default certificate instead.Each certificate except the last should be signed by the following one. The returned private key must be for the first certificates in the chain. This key will be used to signing the certificate verify message.|The public key in the first certificate, and the matching returned private key must be compatible with one of the list of  value when provided. TLS 1.3 changes the meaning of the list elements, adding explicit code points for each supported pair of hash and signature (public key) algorithms, rather than combining separate codes for the hash and key. For details see  1https://tools.ietf.org/html/rfc8446#section-4.2.3RFC 8446M section 4.2.3. When no compatible certificate chain is available, return  if it is OK to continue without a client certificate. Returning a non-matching certificate should result in a handshake failure.KWhile the TLS version is not provided to the callback, the content of the signature_algorithmsm list provides a strong hint, since TLS 1.3 servers will generally list RSA pairs with a hash component of  Intrinsic (0x08).Note that is is the responsibility of this action to select a certificate matching one of the requested certificate types (public key algorithms). Returning a non-matching one will lead to handshake failure later.tlsZUsed by the client to validate the server certificate. The default implementation calls H which validates according to the default hooks and checks provided by Data.X509.ValidationT. This can be replaced with a custom validation function using different settings.The function is not expected to verify the key-usage extension of the end-entity certificate, as this depends on the dynamically-selected cipher and this part should not be cached. Key-usage verification is performed by the library internally.tlsqThis action is called when the client sends ClientHello to determine ALPN values such as '["h2", "http/1.1"]'.tlsThis action is called to validate DHE parameters when the server selected a finite-field group not part of the "Supported Groups Registry" or not part of  list.With TLS 1.3 custom groups have been removed from the protocol, so this callback is only used when the version negotiated is 1.2 or below.CThe default behavior with (dh_p, dh_g, dh_size) and pub as follows: rejecting if dh_p is even,rejecting unless 1 < dh_g && dh_g < dh_p - 1+rejecting unless 1 < dh_p && pub < dh_p - 16rejecting if dh_size < 1024 (to prevent Logjam attack)-See RFC 7919 section 3.1 for recommandations.tls Type for 4. This type synonym is to make document readable.tls Type for ~4. This type synonym is to make document readable.tls,Group usage callback possible return values.tlsusage of group acceptedtls-usage of group provides insufficient securitytls>usage of group rejected for other reason (specified as string)tls+usage of group with an invalid public valuetls2Parameters that are common to clients and servers.tlsThe list of certificates and private keys that a server will use as part of authentication to clients. Actual credentials that are used are selected dynamically from this list based on client capabilities. Additional credentials returned by y are also considered.XWhen credential list is left empty (the default value), no key exchange can take place.tlsCallbacks used by clients and servers in order to resume TLS sessions. The default implementation never resumes sessions. Package  7https://hackage.haskell.org/package/tls-session-managertls-session-manager' provides an in-memory implementation.tlsA collection of trust anchors to be used by a client as part of validation of server certificates. This is set as first argument to function  . Package  /https://hackage.haskell.org/package/x509-system x509-systemH gives access to a default certificate store configured in the system.tlsCallbacks that may be used by a client to cache certificate validation results (positive or negative) and avoid expensive signature check. The default implementation does not have any caching.tlsDList all the supported algorithms, versions, ciphers, etc supported.tlsSupported Versions by this context On the client side, the highest version will be used to establish the connection. On the server side, the highest version that is less or equal than the client version will be chosed.tlsSSupported cipher methods. The default is empty, specify a suitable cipher list. , is often a good choice.tlsSupported compressions methods. By default only the "null" compression is supported, which means no compression will be performed. Allowing other compression method is not advised as it causes a connection failure when TLS 1.3 is negotiated.tlsAll supported hash/signature algorithms pair for client certificate verification and server signature in (EC)DHE, ordered by decreasing priority.BThis list is sent to the peer as part of the "signature_algorithms" extension. It is used to restrict accepted signatures received from the peer at TLS level (not in X.509 certificates), but only when the TLS version is 1.2 or above. In order to disable SHA-1 one must then also disable earlier protocol versions in .WThe list also impacts the selection of possible algorithms when generating signatures.Note: with TLS 1.3 some algorithms have been deprecated and will not be used even when listed in the parameter: MD5, SHA-1, SHA-224, RSA PKCS#1, DSS.tls/Secure renegotiation defined in RFC5746. If 7, clients send the renegotiation_info extension. If g, servers handle the extension or the renegotiation SCSV then send the renegotiation_info extension.tlsIf ], renegotiation is allowed from the client side. This is vulnerable to DOS attacks. If I, renegotiation is allowed only from the server side via HelloRequest.tlsSet if we support session.tls4Support for fallback SCSV defined in RFC7507. If b, servers reject handshakes which suggest a lower protocol than the highest protocol supported.tlsdIn ver <= TLS1.0, block ciphers using CBC are using CBC residue as IV, which can be guessed by an attacker. Hence, an empty packet is normally sent before a normal data packet, to prevent guessability. Some Microsoft TLS-based protocol implementations, however, consider these empty packets as a protocol violation and disconnect. If this parameter is Y, empty packets will never be added, which is less secure, but might help in rare cases.tlsVA list of supported elliptic curves and finite-field groups in the preferred order.The list is sent to the server as part of the "supported_groups" extension. It is used in both clients and servers to restrict accepted groups in DH key exchange.The default value is [0,-,.,/]. 0 and - provide 128-bit security which is strong enough until 2030. Both curves are fast because their backends are written in C.tls"request a certificate from client.tlsThis is a list of certificates from which the disinguished names are sent in certificate request messages. For TLS1.0, it should not be empty.tlsServer Optional Diffie Hellman parameters. Setting parameters is necessary for FFDHE key exchange when clients are not compatible with RFC 7919.9Value can be one of the standardized groups from module Network.TLS.Extra.FFDHE& or custom parameters generated with -..tlsrServer accepts this size of early data in TLS 1.3. 0 (or lower) means that the server does not accept early data.tlsDefine the name of the server, along with an extra service identification blob. this is important that the hostname part is properly filled for security reason, as it allow to properly associate the remote side with the given certificate during a handshake.The extra blob is useful to differentiate services running on the same host, but that might have different certificates given. It's only used as part of the X509 validation infrastructure.tlsAllow the use of the Server Name Indication TLS extension during handshake, which allow the client to specify which host name, it's trying to access. This is useful to distinguish CNAME aliasing (e.g. web virtual host).tls1try to establish a connection using this session.tlsIIn this element, you'll need to override the default empty value of of  with a suitable cipherlist.tlsClient tries to send this early data in TLS 1.3 if possible. If not accepted by the server, it is application's responsibility to re-sent it.tls-All settings should not be used in productiontlsDisable the true randomness in favor of deterministic seed that will produce a deterministic random from. This is useful for tests and debugging purpose. Do not use in productiontlsyAdd a way to print the seed that was randomly generated. re-using the same seed will reproduce the same randomness with tls0Force to choose this version in the server side.tls1Printing master keys. The default is no printing.QUVWXYZ[\]^_`atuvwxyz{|}~/ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetlsJA TLS Context keep tls specific state, parameters and backend information.tls6return the backend object associated with this contexttlshas the handle EOFed or not.tls0has the handshake been done and been successful.tls-empty packet workaround for CBC guessability.tlsenable the reception of compatibility SSLv2 client hello. the flag will be set to false regardless of its initial value after the first packet received.tlscurrent tx statetlscurrent rx statetlsoptional handshake statetlshooks for this contexttls;lock to use for writing data (including updating the state)tls;lock to use for reading data (including updating the state)tlsmlock used during read/write when receiving and sending packet. it is usually nested in a write or read lock.tls=Information related to a running context, e.g. current ciphertls.A shortcut for 'backendFlush . ctxConnection'.tls.A shortcut for 'backendClose . ctxConnection'.tls%Information about the current contextu@ABCDOPQRSTUVWXYZUVWXYbcdef0 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone tlsmakePacketData\ create a Header and a content bytestring related to a packet this doesn't change any statetlsmarshall packet datatlsjwritePacket transform a packet into marshalled data related to current state and updating state on the go1 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>2 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>A3 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone 4 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneQtls Generate a server random suitable for the version selected by the server and its supported versions. We use an 8-byte downgrade suffix when the selected version is lowered because of incomplete client support, but also when a version downgrade has been forced with debugVersionForced. This second part allows to test that the client implementation correctly detects downgrades. The suffix is not used when forcing TLS13 to a server not officially supporting TLS13 (this is not a downgrade scenario but only the consequence of our debug API allowing this).tlsTest if the negotiated version was artificially downgraded (that is, for other reason than the versions supported by the client).5 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneQ6 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneM,tlsjState monad used to group several packets together and send them on wire as single flight. When packets are loaded in the monad, they are logged immediately, update the context digest and transcript, but actual sending is deferred. Packets are sent all at once when the monadic computation ends (normal termination but also if interrupted by an exception).tlsJrecvRecord receive a full TLS record (header + data), from the other side..The record is disengaged from the record layertlsreceive one packet from the context that contains 1 or many messages (many only in case of handshake). if will returns a TLSError if the packet is unexpected or malformed tlsSend one packet to the contexttls1flag to enable SSLv2 compat ClientHello receptiontls TLS context     7 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone.0 8 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone?!tlsACheck that the signature algorithm is compatible with a list of t values. Ed25519 and Ed448 have no assigned code point and are checked with extension "signature_algorithms" only."tls Translate a  to an acceptable . Perhaps this needs to take supported groups into account, so that, for example, if we don't support any shared ECDSA groups with the server, we return  rather than .Therefore, this interface is preliminary. It gets us moving in the right direction. The interplay between all the various TLS extensions and certificate selection is rather complex.NThe goal is to ensure that the client certificate request callback only sees n values that are supported by the library and also compatible with the server signature algorithms extension.DSince we don't yet support ECDSA private keys, the caller will use , to filter those out for now, leaving just RSA@ as the only supported client certificate algorithm for TLS 1.3.1FIXME: Add RSA_PSS_PSS signatures when supported. #$!%"&'()*+,-9 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@./0:NoneF1tls1when a new handshake is done, wrap up & clean up.2tls?process a list of handshakes message in the recv state machine.3tlsStore the specified keypair. Whether the public key and private key actually match is left for the peer to discover. We're not presently burning CPU to detect that misconfiguration. We verify only that the types of keys match.456789:;1<=>2?@A3BC; BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneMHDEFGHIJKLMNOPQRSTUVWXYZ< BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneJ'[\]^= BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone[j_tls)Put the server context in handshake mode.Expect a client hello message as parameter. This is useful when the client hello has been already poped from the recv layer to inspect the packet.When the function returns, a new handshake has been succesfully negociated. On any error, a HandshakeFailed exception is raised.handshake protocol ( - receiving, -K sending, [] optional): (no session) (session resumption) <- client hello <- client hello -> server hello -> server hello -> [certificate] -> [server key xchg] -> [cert request] -> hello done <- [certificate] <- client key xchg <- [cert verify]  -change cipher - change cipher  -finish -Z finish -> change cipher <- change cipher -> finish <- finish`tls>receive Client data in handshake until the Finished handshake.g<- [certificate] <- client key xchg <- [cert verify] <- change cipher <- finisha_> BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone_btlsBStore the keypair and check that it is compatible with a list of  values.ctlsWhen the server requests a client certificate, we try to obtain a suitable certificate chain and private key via the callback in the client parameters. It is OK for the callback to return an empty chain, in many cases the client certificate is optional. If the client wishes to abort the handshake for lack of a suitable certificate, it can throw an exception in the callback.The return value is  when no CertificateRequest was received and no  Certificate? message needs to be sent. An empty chain means that an empty  Certificate> message needs to be sent to the server, naturally without a CertificateVerify. A non-empty @ is the chain to send to the server along with a corresponding CertificateVerify.With TLS < 1.2 the server's CertificateRequesto does not carry a signature algorithm list. It has a list of supported public key signing algorithms in the certificate_types' field. The hash is implicit. It is s for DSS and x for RSA.With TLS == 1.2 the server's CertificateRequest always has a supported_signature_algorithms. list, as a fixed component of the structure. This list is (wrongly) overloaded to also limit X.509 signatures in the client's certificate chain. The BCP strategy is to find a compatible chain if possible, but else ignore the constraint, and let the server verify the chain as it sees fit. The supported_signature_algorithmsY field is only obligatory with respect to signatures on TLS messages, in this case the CertificateVerify message. The certificate_types field is still included.With TLS 1.3 the server's CertificateRequest has a mandatory signature_algorithms extension, the signature_algorithms_cert extension, which is optional, carries a list of algorithms the server promises to support in verifying the certificate chain. As with TLS 1.2, the client's makes a  best-effortD to deliver a compatible certificate chain where all the CA signatures are known to be supported, but it should not abort the connection just because the chain might not work out, just send the best chain you have and let the server worry about the rest. The supported public key algorithms are now inferred from the signature_algorithms extension and certificate_types is gone.(With TLS 1.3, we synthesize and store a certificate_types& field at the time that the server's CertificateRequestx message is received. This is then present across all the protocol versions, and can be used to determine whether a CertificateRequest was received or not.If signature_algorithms is ), then we're doing TLS 1.0 or 1.1. The signature_algorithms_cert extension is optional in TLS 1.3, and so the application callback will not be able to distinguish between TLS 1.[01] and TLS 1.3 with no certificate algorithm hints, but this just simplifies the chain selection process, all CA signatures are OK.dtlsReturn a most preferred HandAndSignatureAlgorithm that is compatible with the private key and server's signature algorithms (both already saved). Must only be called for TLS versions 1.2 and up.The values in the server's signature_algorithmsv extension are in descending order of preference. However here the algorithms are selected by client preference in  cHashSigs.etlsReturn the supported M values that are compatible with at least one supported signature algorithm.ftlsHTLS 1.2 and below. Send the client handshake messages that follow the  ServerHello, etc. except for CCS and Finished.aXXX: Is any buffering done here to combined these messages into a single TCP packet? Otherwise we're prone to Nagle delays, or in any case needlessly generate multiple small packets, where a single larger packet will do. The TLS 1.3 code path seems to separating record generation and transmission and sending multiple records in a single packet.> [certificate]> client key exchange> [cert verify]gtls<onServerHello process the ServerHello message on the client.1) check the version chosen by the server is one allowed by parameters. 2) check that our compression and cipher algorithms are part of the list we sent 3) check extensions received are part of the one we sent 4) process the session parameter to see if the server want to start a new session or can resume 5) if no resume switch to processCertificate SM or in resume switch to expectChangeCipherhi? BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetlssHandshake for a new TLS connection This is to be called at the beginning of a connection, and during renegotiationa_hij@ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonettls@create a new context using the backend and parameters specified.tls"create a new context on an handle.tls!create a new context on a socket.tlsNBackend abstraction with specific method to interact with the connection type.tlsParameters of the context.tlsHandle of the connection.tlsParameters of the context.tlsSocket of the connection.tlsParameters of the context.ObcdefA BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneX tlsHow to update keys in TLS 1.3tlsUnidirectional key updatetls&Bidirectional key update (normal case)tlsnotify the context that this side wants to close connection. this is important that it is called before closing the handle, otherwise the session might not be resumable (for version < TLS1.2).&this doesn't actually close the handletlsVIf the ALPN extensions have been used, this will return get the protocol agreed upon.tlsdIf the Server Name Indication extension has been used, return the hostname specified by the client.tls[sendData sends a bunch of data. It will automatically chunk data to acceptable packet sizetlsGet data out of Data packet, and automatically renegotiate if a Handshake ClientHello is received. An empty result means EOF.tls/same as recvData but returns a lazy bytestring.tlsWUpdating appication traffic secrets for TLS 1.3. If this API is called for TLS 1.3,  is returned. Otherwise,  is returned.  B BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoney5 !"OPQRSTUVWXYZ[\]^_`a|}~#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHOPIJQRSTUVWXYZ[\]K^_`aLbcdefghijkMlmnopqrs  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneƐ "! #'&%$+*)(,-./0123456789:;<=>?@ABCDEFLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqwvutsrxyz{|}~     PSQRTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~789:;<=>?|}~tuvwxyz{mnopqrsZOPQRSTUVWXYcdefghiNbcdef|ghijklbEF@ABCDZ[\]^_`aUVWXY"! +*)('&%$#[\]^_`ajklmnopL   qwvutsrxM   ,-./0123456PSQRTyz{}~kCDECDFCDGCDHCDICDJCDKCDLCMNCMOCMPCMQCMRCMSCMTCMUCMVCMWXYZXY[XY\XY]XY^XY_XY`XYaXYbXYcXYcXYdXYeXYfXYgXYhXYhXijXikXilXimXinXioXipXiqXiqrstuvwxyz{|}~                            !"#$%&&'()*+,-./0123456789:;<=>?@ABCCDEFGHIJKLMNOPQ,RSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~$$$$$&&&&&(((((((()))))))))))*******+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/////////////////?@@@@@@@AAAAAAAAA A     !"#$%&$'($')$%*$+,$%-$%.$%/$%0$%1$%2$%3$%4$%567867967:67;67<67=67>67?$@A$%B$%C$%D$%E$%F$%G$HI$HJ$HK$HL$HM$HN$HO$HP$HQ$HR$HS$HT$UV$UW$%X$%Y$%Z$%[$\]$\^$\_6`a6`b6`c6`d6`e$fg$fh$fi$fjklm$no$np$nq$nr$ns$ns$nt$nu$nu$nv$nw$nw$nx$ny$nz$nz$n{$n|$n|$n}$n~$n$n$n$n$n$+$+$+$+$+$+$+$+$+$+$+$+$+$+$$U$U$U$$$$$$$$$$$$$$H$H$H$H$H$H$H$H$H$H$H$H$H$H$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$f$f$f$$$$$$$$$ $ $ $ $ $$$$$$$$$$$$$$$$$$$ !$ "$'#$'$$'%$'&$''$'($')$'*$'+$',$'-$'.$'/$'0$'1$'2$'3$'4$'5$'6$'7$'8$'9$':$';$'<$'=$'>$'?$'@$'A$BC$BD$BE$BF$BG$BH$BI$BJ$%K$%L$%M$%N$%O$%P$%Q$%R$%S$%T$%U$%V$%W$%X$%Y$%Z$%[$%\$%]$^_`abcdefgefhefiefjeklekm n n o p q r s t u v w x y z { | } ~                  eeeC       !"#$%&'()*+,-./0123456789:;<=>?@AB4CDEFGHIJKLMNOPQRPQSPQTPUVPUWPUXPUYPUZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !#####$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ $ $ $ $$$$$$$$$$$$$$$$$$$ $!$"$#$$$%$&$'$($)$*$+$,$-$.%/%0%1&2&3&4&5&6&7&8&8&9&9&:&:&&;&<&=&=&>&>&?&@&A&B&C&D&E&F&F&G&H&I&J&K&L&L&M&M&N&O&P&Q&Q&R&R&S&T&U&V&W&W&X&X&2&3&4&Y&Z&[&\&5&]&^&_&`&a&b&c&d&e&f&g&h&i&j&k&l&m&n&o&p&q&r&s&t&u&v&w&x&y'z'{'{'|'}'~'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''CCCCCCCCCCCCCCXYXYX((()*****6`6`+//////////////////////////////////////////////// / / / 0 0012333333333334444 4!5"5#6$6%6&6'6(6)6*6+6,7-7.7/707172737475767778797:7;7<7=7>8?8@8A8B8C8D8E8F8G8H8I8J8K9L9M9N:O:P:Q:R:S:T:U:V:W:X:Y:Z:[:\:]:^:_:`:a;b;c;d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s;t;u;v;w;x<y<z<{<|=}=~=>>>>>>>>? tls-1.5.0-ImoLCbwksWxCqUe5H30xqp Network.TLSNetwork.TLS.Extra.FFDHENetwork.TLS.Extra.CipherNetwork.TLS.Crypto.TypesNetwork.TLS.ErrTNetwork.TLS.ImportsNetwork.TLS.BackendNetwork.TLS.MeasurementNetwork.TLS.RNGNetwork.TLS.Crypto.DHNetwork.TLS.TypesNetwork.TLS.SessionNetwork.TLS.CompressionNetwork.TLS.CapNetwork.TLS.UtilNetwork.TLS.Util.ASN1Network.TLS.Util.SerializationNetwork.TLS.Crypto.IESNetwork.TLS.CryptoNetwork.TLS.StructNetwork.TLS.Struct13Network.TLS.MACNetwork.TLS.CipherNetwork.TLS.ExtraNetwork.TLS.WireNetwork.TLS.PacketNetwork.TLS.Record.StateNetwork.TLS.Record.TypesNetwork.TLS.Record.Types13Network.TLS.Record.Engage13Network.TLS.Record.Disengage13Network.TLS.Record.EngageNetwork.TLS.Record.DisengageNetwork.TLS.RecordNetwork.TLS.Packet13Network.TLS.Handshake.StateNetwork.TLS.KeyScheduleNetwork.TLS.ExtensionNetwork.TLS.StateNetwork.TLS.X509Network.TLS.HooksNetwork.TLS.CredentialsNetwork.TLS.Parametersciphersuite_defaultCrypto.PubKey.DHgenerateParamsNetwork.TLS.Context.InternalNetwork.TLS.SendingNetwork.TLS.Receiving13Network.TLS.ReceivingNetwork.TLS.Handshake.State13Network.TLS.Handshake.RandomNetwork.TLS.Sending13Network.TLS.IONetwork.TLS.Handshake.KeyNetwork.TLS.Handshake.SignatureNetwork.TLS.Handshake.ProcessNetwork.TLS.Handshake.CommonNetwork.TLS.Handshake.Common13!Network.TLS.Handshake.CertificateNetwork.TLS.Handshake.ServerNetwork.TLS.Handshake.ClientNetwork.TLS.HandshakeNetwork.TLS.ContextNetwork.TLS.CoreNetwork.TLS.Internal x509-1.7.5-QqjXQLIR8P7TKIpspJHMGData.X509.PrivateKey PrivKeyEd448PrivKeyEd25519 PrivKeyX448 PrivKeyX25519 PrivKeyEC PrivKeyDSA PrivKeyRSAPrivKeyData.X509.PublicKey PubKeyUnknown PubKeyEd448 PubKeyEd25519 PubKeyX448 PubKeyX25519PubKeyECPubKeyDH PubKeyDSA PubKeyRSAPubKey-x509-validation-1.6.11-6Y8OKDLCriF7uDF1C1KjklData.X509.Validation checkFQHNcheckLeafKeyPurposecheckLeafKeyUsage checkLeafV3checkExhaustivecheckCAConstraintscheckStrictOrdering checkAtTimecheckTimeValidityValidationCheckshookFilterReasonhookValidateNamehookValidateTimehookMatchSubjectIssuerValidationHooksData.X509.Validation.CacheexceptionValidationCacheValidationCacheUnknownValidationCacheDeniedValidationCachePassValidationCacheResultcacheAdd cacheQueryValidationCacheGroupP256P384P521X25519X448 FFDHE2048 FFDHE3072 FFDHE4096 FFDHE6144 FFDHE8192 HasBackendinitializeBackend getBackendBackend backendFlush backendClose backendSend backendRecv Measurement nbHandshakes bytesReceived bytesSentDHParamsDHPublic ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 CompressionIDCipherIDTLS13TicketInfo SessionDatasessionVersion sessionCiphersessionCompressionsessionClientSNI sessionSecret sessionGroupsessionTicketInfo sessionALPNsessionMaxEarlyDataSize SessionIDVersionSSL2SSL3TLS10TLS11TLS12TLS13HostNameSessionManager sessionResumesessionResumeOnlyOncesessionEstablishsessionInvalidatenoSessionManager Compression CompressionCcompressionCIDcompressionCDeflatecompressionCInflatenullCompressionHashMD5SHA1SHA224SHA256SHA384SHA512SHA1_MD5KxErrorRSAError KxUnsupported HandshakeAlertDescription CloseNotifyUnexpectedMessage BadRecordMacDecryptionFailedRecordOverflowDecompressionFailureHandshakeFailureBadCertificateUnsupportedCertificateCertificateRevokedCertificateExpiredCertificateUnknownIllegalParameter UnknownCa AccessDenied DecodeError DecryptErrorExportRestrictionProtocolVersionInsufficientSecurity InternalErrorInappropriateFallback UserCanceledNoRenegotiationMissingExtensionUnsupportedExtensionCertificateUnobtainableUnrecognizedNameBadCertificateStatusResponseBadCertificateHashValueUnknownPskIdentityCertificateRequired ClientRandomunClientRandom ServerRandomunServerRandomHeader TLSException TerminatedHandshakeFailedConnectionNotEstablishedTLSError Error_MiscError_ProtocolError_CertificateError_HandshakePolicy Error_EOF Error_PacketError_Packet_unexpectedError_Packet_Parsing ProtocolTypeProtocolType_ChangeCipherSpecProtocolType_AlertProtocolType_HandshakeProtocolType_AppData ProtocolType_DeprecatedHandshakeHashAndSignatureAlgorithmSignatureAlgorithmSignatureAnonymous SignatureRSA SignatureDSSSignatureECDSASignatureRSApssRSAeSHA256SignatureRSApssRSAeSHA384SignatureRSApssRSAeSHA512SignatureEd25519SignatureEd448SignatureRSApsspssSHA256SignatureRSApsspssSHA384SignatureRSApsspssSHA512SignatureOther HashAlgorithmHashNoneHashMD5HashSHA1 HashSHA224 HashSHA256 HashSHA384 HashSHA512 HashIntrinsic HashOtherCertificateTypeCertificateType_RSA_SignCertificateType_DSS_SignCertificateType_ECDSA_SignCertificateType_Ed25519_SignCertificateType_Ed448_SignCertificateType_RSA_Fixed_DHCertificateType_DSS_Fixed_DH CertificateType_RSA_Ephemeral_DH CertificateType_DSS_Ephemeral_DHCertificateType_fortezza_dmsCertificateType_RSA_Fixed_ECDH CertificateType_ECDSA_Fixed_ECDHCertificateType_UnknownCiphercipherID cipherName cipherHash cipherBulkcipherKeyExchange cipherMinVer cipherPRFHashBulkbulkName bulkKeySize bulkIVSizebulkExplicitIVbulkAuthTagLen bulkBlockSizebulkFCipherKeyExchangeTypeCipherKeyExchange_RSACipherKeyExchange_DH_AnonCipherKeyExchange_DHE_RSACipherKeyExchange_ECDHE_RSACipherKeyExchange_DHE_DSSCipherKeyExchange_DH_DSSCipherKeyExchange_DH_RSACipherKeyExchange_ECDH_ECDSACipherKeyExchange_ECDH_RSACipherKeyExchange_ECDHE_ECDSACipherKeyExchange_TLS13 BulkFunctions BulkBlockF BulkStreamF BulkAeadF BulkDirection BulkEncrypt BulkDecryptBulkAEAD BulkBlock BulkStream BulkStateBulkStateStreamBulkStateBlock BulkStateAEADBulkStateUninitializedBulkAdditionalData BulkNonceBulkIVBulkKeybulkInithasMAC hasRecordIVcipherKeyBlockSizecipherAllowedForVersionciphersuite_allciphersuite_mediumciphersuite_strongciphersuite_dhe_rsaciphersuite_dhe_dssciphersuite_unencryptedcipher_null_MD5cipher_null_SHA1cipher_RC4_128_MD5cipher_RC4_128_SHA1cipher_RSA_3DES_EDE_CBC_SHA1cipher_AES128_SHA1cipher_DHE_DSS_AES128_SHA1cipher_DHE_RSA_AES128_SHA1cipher_AES256_SHA1cipher_DHE_DSS_AES256_SHA1cipher_DHE_RSA_AES256_SHA1cipher_AES128_SHA256cipher_AES256_SHA256cipher_DHE_DSS_RC4_SHA1cipher_DHE_RSA_AES128_SHA256cipher_DHE_RSA_AES256_SHA256cipher_AES128CCM_SHA256cipher_AES128CCM8_SHA256cipher_AES128GCM_SHA256cipher_AES256CCM_SHA256cipher_AES256CCM8_SHA256cipher_AES256GCM_SHA384cipher_DHE_RSA_AES128CCM_SHA256 cipher_DHE_RSA_AES128CCM8_SHA256cipher_DHE_RSA_AES128GCM_SHA256cipher_DHE_RSA_AES256CCM_SHA256 cipher_DHE_RSA_AES256CCM8_SHA256cipher_DHE_RSA_AES256GCM_SHA384(cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256*cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256&cipher_DHE_RSA_CHACHA20POLY1305_SHA256cipher_TLS13_AES128GCM_SHA256cipher_TLS13_AES256GCM_SHA384$cipher_TLS13_CHACHA20POLY1305_SHA256cipher_TLS13_AES128CCM_SHA256cipher_TLS13_AES128CCM8_SHA256 cipher_ECDHE_ECDSA_AES128CBC_SHA cipher_ECDHE_ECDSA_AES256CBC_SHAcipher_ECDHE_RSA_AES128CBC_SHAcipher_ECDHE_RSA_AES256CBC_SHA!cipher_ECDHE_RSA_AES128CBC_SHA256!cipher_ECDHE_RSA_AES256CBC_SHA384#cipher_ECDHE_ECDSA_AES128CBC_SHA256#cipher_ECDHE_ECDSA_AES256CBC_SHA384#cipher_ECDHE_ECDSA_AES128CCM_SHA256$cipher_ECDHE_ECDSA_AES128CCM8_SHA256#cipher_ECDHE_ECDSA_AES128GCM_SHA256#cipher_ECDHE_ECDSA_AES256CCM_SHA256$cipher_ECDHE_ECDSA_AES256CCM8_SHA256#cipher_ECDHE_ECDSA_AES256GCM_SHA384!cipher_ECDHE_RSA_AES128GCM_SHA256!cipher_ECDHE_RSA_AES256GCM_SHA384HandshakeMode13 FullHandshakeHelloRetryRequest PreSharedKeyRTT0MaxFragmentEnumMaxFragment512MaxFragment1024MaxFragment2048MaxFragment4096CertificateUsageCertificateUsageAcceptCertificateUsageRejectCertificateRejectReasonCertificateRejectExpiredCertificateRejectRevokedCertificateRejectUnknownCACertificateRejectOtherHookshookRecvHandshakehookRecvCertificates hookLoggingLoggingloggingPacketSentloggingPacketRecv loggingIOSent loggingIORecv Credentials CredentialcredentialLoadX509credentialLoadX509FromMemorycredentialLoadX509Chain!credentialLoadX509ChainFromMemory ServerHooksonClientCertificateonUnverifiedClientCertonCipherChoosingonServerNameIndicationonNewHandshakeonALPNClientSuggest ClientHooksonCertificateRequestonServerCertificate onSuggestALPNonCustomFFDHEGroupOnServerCertificateOnCertificateRequest GroupUsageGroupUsageValidGroupUsageInsecureGroupUsageUnsupportedGroupUsageInvalidPublicSharedsharedCredentialssharedSessionManager sharedCAStoresharedValidationCache SupportedsupportedVersionssupportedCipherssupportedCompressionssupportedHashSignaturessupportedSecureRenegotiation%supportedClientInitiatedRenegotiationsupportedSessionsupportedFallbackScsvsupportedEmptyPacketsupportedGroups ServerParamsserverWantClientCertserverCACertificatesserverDHEParams serverShared serverHooksserverSupported serverDebugserverEarlyDataSize ClientParamsclientUseMaxFragmentLengthclientServerIdentificationclientUseServerNameIndicationclientWantSessionResume clientShared clientHooksclientSupported clientDebugclientEarlyData DebugParams debugSeeddebugPrintSeeddebugVersionForceddebugKeyLoggerdefaultParamsClientContext ctxConnection Information infoVersion infoCipherinfoCompressioninfoMasterSecretinfoClientRandominfoServerRandominfoNegotiatedGroupinfoTLS13HandshakeModeinfoIsEarlyDataAccepted contextFlush contextClosecontextGetInformationcontextModifyHooks handshake TLSParams contextNewcontextNewOnHandlecontextNewOnSocketcontextHookSetHandshakeRecvcontextHookSetCertificateRecvcontextHookSetLoggingKeyUpdateRequestOneWayTwoWaybyegetNegotiatedProtocol getClientSNIsendDatarecvData recvData' updateKeyBytesKeyExchangeSignatureAlgKX_ECDSAKX_DSSKX_RSADigitalSignatureAlgDS_Ed448 DS_Ed25519DS_ECDSADS_DSSDS_RSAavailableFFGroupsavailableECGroups mtl-2.2.2Control.Monad.Error.Class MonadError throwError catchErrortransformers-0.5.5.0Control.Monad.Trans.ErrorErrorstrMsgnoMsgErrTrunErrTbaseGHC.Base++GHC.Listfilterzipmap Control.MonadguardjoinMonad>>=>>returnfailFunctorfmap<$ghc-prim GHC.ClassesOrd>=minmax><compare<=Control.Monad.Fail MonadFail Applicativepure<*>*>liftA2<* Data.Foldablefoldrnulllengthfoldlfoldl'foldl1sumproductfoldr1maximumminimumelemData.TraversablemapMsequence Semigroup<>sconcatstimes GHC.MaybeMaybeNothingJust GHC.TypesOrderingLTEQGTWordGHC.WordWord8Word16Word32Word64bytestring-0.10.8.2Data.ByteString.Internal ByteStringData.Semigroupoption mtimesDefaultdiffcycle1MingetMinMaxgetMaxArgArgMinArgMaxFirstgetFirstLastgetLast WrappedMonoid WrapMonoid unwrapMonoidOption getOptionmfilter<$!>unless replicateM_ replicateMfoldM_foldM zipWithM_zipWithM mapAndUnzipMforever<=<>=>filterM Data.ListisSubsequenceOf mapAccumR mapAccumLforMControl.Applicativeoptional WrappedMonad WrapMonad unwrapMonad WrappedArrow WrapArrow unwrapArrowZipList getZipListData.Functor.ConstConstgetConstfindnotElem minimumBy maximumByallanyorand concatMapconcatmsum sequence_forM_mapM_Data.Semigroup.Internal stimesMonoidstimesIdempotentDualgetDualEndoappEndoAllgetAllAnygetAnySumgetSumProduct getProduct Data.OldListunwordswordsunlineslinesunfoldrsortOnsortBysort permutations subsequencestailsinitsgroupBygroupdeleteFirstsByunzip7unzip6unzip5unzip4zipWith7zipWith6zipWith5zipWith4zip7zip6zip5zip4genericReplicate genericIndexgenericSplitAt genericDrop genericTake genericLengthinsertByinsert partition transpose intercalate intersperse intersectBy intersectunionByunion\\deleteBydeletenubBynub isInfixOf isSuffixOf isPrefixOf findIndices findIndex elemIndices elemIndex stripPrefix dropWhileEndData.Ord comparingDown byteSwap64 byteSwap32 byteSwap16 Data.BitstoIntegralSizedpopCountDefaulttestBitDefault bitDefaultBits.&..|.xor complementshiftrotatezeroBitsbitsetBitclearBit complementBittestBit bitSizeMaybebitSizeisSignedshiftL unsafeShiftLshiftR unsafeShiftRrotateLrotateRpopCount FiniteBits finiteBitSizecountLeadingZeroscountTrailingZeros Data.Functorvoid<$>unzip3unzipzipWith3zipWithzip3!!lookupreversebreakspansplitAtdroptake dropWhile takeWhilecycle replicaterepeatiterate'iteratescanr1scanrscanl'scanl1scanlfoldl1'initlasttailunconshead Data.MaybemapMaybe catMaybes listToMaybe maybeToList fromMaybe isNothingisJustmaybeapliftM5liftM4liftM3liftM2liftMwhen=<<liftA3liftA<**> Alternativeempty<|>somemany MonadPlusmzeromplusstimesIdempotentMonoid showBytesHexnewMeasurementaddBytesReceived addBytesSentresetBytesCountersincrementNbHandshakes&cryptonite-0.26-ERs27QA47IyJsgxtkQ54MC Crypto.RandomseedFromInteger seedToIntegerseedNewSeedCrypto.Random.Types MonadRandomgetRandomBytesStateRNG withTLSRNG newStateRNGDHKey DHPrivatedhPublic dhPrivatedhParamsdhGenerateKeyPair dhGetShareddhValiddhUnwrap dhParamsGetP dhParamsGetGdhParamsGetBitsdhUnwrapPublic DirectionRoleTxRx ClientRole ServerRolelifetimeageAddtxrxTime estimatedRTT MillisecondSecond invertRoleNullCompression compressionIDcompressionDeflatecompressionInflatecompressionIntersectIDhasHelloExtensionshasExplicitBlockIV&&!bytesEqsubtakelast partition3 partition6fromJust fmapEithercatchException mapChunks_decodeASN1ObjectencodeASN1ObjectCrypto.Number.Serializei2ospOf_i2ospos2ip lengthBytesGroupKey GroupPublic GroupPrivatedhParamsForGroupgroupGenerateKeyPairdhGroupGenerateKeyPairgroupGetPubShareddhGroupGetPubSharedgroupGetSharedencodeGroupPublicdecodeGroupPublic hashUpdateSSLSignatureParams RSAParams DSSParams ECDSAParams Ed25519Params Ed448Params RSAEncodingRSApkcs1RSApssHashCtx HashContext PrivateKey PublicKeyfindDigitalSignatureAlgfindKeyExchangeSignatureAlgfindFiniteFieldGrouphashInit hashUpdate hashFinalhashhashNamehashDigestSize hashBlockSize kxEncrypt kxDecryptkxVerifykxSignlastSupportedCertificateTypeData.X509.DistinguishedNameDistinguishedName EnumSafe16fromEnumSafe16 toEnumSafe16 EnumSafe8 fromEnumSafe8 toEnumSafe8 TypeValuable valToType valOfTypeFinished ClientHello ServerHello Certificates HelloRequestServerHelloDone ClientKeyXchg ServerKeyXchg CertRequest CertVerifyClientKeyXchgAlgorithmDataCKX_RSACKX_DHCKX_ECDHServerKeyXchgAlgorithmData SKX_DH_Anon SKX_DHE_DSS SKX_DHE_RSA SKX_ECDHE_RSASKX_ECDHE_ECDSASKX_RSA SKX_DH_DSS SKX_DH_RSA SKX_Unparsed SKX_UnknownServerRSAParams rsa_modulus rsa_exponentServerECDHParamsServerDHParamsserverDHParams_pserverDHParams_gserverDHParams_yBigNum HandshakeTypeHandshakeType_HelloRequestHandshakeType_ClientHelloHandshakeType_ServerHelloHandshakeType_CertificateHandshakeType_ServerKeyXchgHandshakeType_CertRequestHandshakeType_ServerHelloDoneHandshakeType_CertVerifyHandshakeType_ClientKeyXchgHandshakeType_Finished AlertLevelAlertLevel_WarningAlertLevel_Fatal ExtensionRaw ExtensionID FinishedDataSessionPacketAlertChangeCipherSpecAppDataDigitallySigned Signature CipherDatacipherDataContent cipherDataMACcipherDataPadding CipherType CipherStream CipherBlock CipherAEAD ConnectionEndConnectionServerConnectionClientbigNumToIntegerbigNumFromIntegerserverDHParamsFromserverDHParamsToParamsserverDHParamsToPublic packetTypetypeOfHandshake numericalVerverOfNum ContentTypeContentType_ChangeCipherSpecContentType_AlertContentType_HandshakeContentType_AppDataHandshakeType13HandshakeType_ClientHello13HandshakeType_ServerHello13HandshakeType_EndOfEarlyData13 HandshakeType_NewSessionTicket13#HandshakeType_EncryptedExtensions13HandshakeType_CertRequest13HandshakeType_Certificate13HandshakeType_CertVerify13HandshakeType_Finished13HandshakeType_KeyUpdate13 Handshake13 ClientHello13 ServerHello13NewSessionTicket13EndOfEarlyData13EncryptedExtensions13 CertRequest13 Certificate13 CertVerify13 Finished13 KeyUpdate13 KeyUpdateUpdateNotRequestedUpdateRequestedPacket13Alert13ChangeCipherSpec13 AppData13typeOfHandshake13 contentTypeprotoToContentprf_TLSmacSSLhmacprf_SHA1prf_MD5 prf_MD5SHA1 prf_SHA256%cereal-0.5.8.1-KRPM4Pfa6l3HK7sjbDz33xData.Serialize.PutputWord8runPutPutData.Serialize.GetgetWord8getBytesisEmpty remainingGet GetResultGotError GotPartial GotSuccessGotSuccessRemainingGetContinuationrunGet runGetErr runGetMaybetryGet getWords8 getWord16 getWords16 getWord24 getWord32 getWord64 getOpaque8 getOpaque16 getOpaque24 getInteger16 getBigNum16getList processBytes putWords8 putWord16 putWord32 putWord64 putWords16 putWord24putBytes putOpaque8 putOpaque16 putOpaque24 putInteger16 putBigNum16 encodeWord16 encodeWord32 encodeWord64cParamsVersioncParamsKeyXchgType getDNames putDNames&decodeReallyServerKeyXchgAlgorithmDatagetPRF CurrentParamsgetBinaryVersionputBinaryVersion decodeHeaderdecodeDeprecatedHeaderLengthdecodeDeprecatedHeader encodeHeaderencodeHeaderNoVer decodeAlert decodeAlerts encodeAlertsdecodeHandshakeRecorddecodeHandshakedecodeDeprecatedHandshakeencodeHandshakeencodeHandshakesencodeHandshakeHeaderencodeHandshakeContentputServerRandom32 putSession getExtensions putExtensiongetSignatureHashAlgorithmputSignatureHashAlgorithmdecodeChangeCipherSpecencodeChangeCipherSpecdecodePreMasterSecretencodePreMasterSecretgenerateMasterSecretgenerateKeyBlockgenerateClientFinishedgenerateServerFinishedgenerateCertificateVerify_SSL!generateCertificateVerify_SSL_DSSencodeSignedDHParamsencodeSignedECDHParamsRecordM runRecordM RecordStatestCipher stCompression stCryptState stMacStateMacState msSequence CryptStatecstKeycstIV cstMacSecretgetRecordVersionnewRecordStateincrRecordState setRecordIVwithCompression computeDigest makeDigestgetBulkgetMacSequenceRecordfragmentCompressfragmentCipherfragmentUncipherfragmentUncompress recordToRaw rawToRecordrecordToHeader Ciphertext Compressed PlaintextFragmentfragmentGetBytesfragmentPlaintextfragmentCiphertextonRecordFragmentRecord13 rawToRecord13 engageRecorddisengageRecord13disengageRecordencodeHandshakes13encodeHandshake13getHandshakeType13decodeHandshakeRecord13decodeHandshake13 CertReqCBdatahstCertReqTokenhstCertReqCBdatahstCertReqSigAlgsCerthstClientCertSenthstCertReqSentfoldHandshakeDigestsetMasterSecretFromPresetMasterSecretsetServerHelloParameters RTT0StatusRTT0NoneRTT0Sent RTT0Accepted RTT0Rejected HandshakeMHandshakeStatehstClientVersionhstClientRandomhstServerRandomhstMasterSecret hstKeyStatehstServerDHParams hstDHPrivatehstServerECDHParamshstGroupPrivatehstHandshakeDigesthstHandshakeMessageshstClientCertChainhstPendingTxStatehstPendingRxStatehstPendingCipherhstPendingCompressionhstNegotiatedGrouphstTLS13HandshakeModehstTLS13RTT0StatushstTLS13SecretHandshakeDigestHandshakeMessagesHandshakeDigestContextSecret13NoSecret EarlySecretResuptionSecretnewEmptyHandshake runHandshake setPublicKeysetPublicPrivateKeysgetRemotePublicKeygetLocalPublicPrivateKeyssetServerDHParamsgetServerDHParamssetServerECDHParamsgetServerECDHParams setDHPrivate getDHPrivategetGroupPrivatesetGroupPrivatesetNegotiatedGroupgetNegotiatedGroupsetTLS13HandshakeModegetTLS13HandshakeModesetTLS13RTT0StatusgetTLS13RTT0StatussetTLS13SecretgetTLS13SecretsetCertReqSentgetCertReqSentsetClientCertSentgetClientCertSentsetClientCertChaingetClientCertChainsetCertReqTokengetCertReqTokensetCertReqCBdatagetCertReqCBdatasetCertReqSigAlgsCertgetCertReqSigAlgsCertgetPendingCipheraddHandshakeMessagegetHandshakeMessagesgetHandshakeMessagesRevupdateHandshakeDigestgetHandshakeDigest hkdfExtract deriveSecrethkdfExpandLabel#ApplicationLayerProtocolNegotiationSecureRenegotiationMaxFragmentLength ServerName ExtensionsupportedExtensionsCertificateAuthoritiesCookieEarlyDataIndicationPreSharedKeyClientHelloPreSharedKeyServerHello PskIdentityPskKeyExchangeModes PskKexModePSK_KE PSK_DHE_KEKeyShareKeyShareClientHelloKeyShareServerHello KeyShareHRR KeyShareEntrykeyShareEntryGroupkeySHareEntryKeyExchangeSupportedVersionsSupportedVersionsClientHelloSupportedVersionsServerHelloSignatureAlgorithmsCertSignatureAlgorithms HeartBeatModeHeartBeat_PeerAllowedToSendHeartBeat_PeerNotAllowedToSend HeartBeat SessionTicket EcPointFormatEcPointFormat_Uncompressed'EcPointFormat_AnsiX962_compressed_prime'EcPointFormat_AnsiX962_compressed_char2EcPointFormatsSupportedNegotiatedGroupsMaxFragmentLengthOtherServerNameTypeServerNameHostNameServerNameOtherextensionDecodeextensionEncode extensionID MessageTypeMsgTClientHelloMsgTServerHelloMsgTHelloRetryRequestMsgTEncryptedExtensionsMsgTNewSessionTicketMsgTCertificateRequestextensionID_ServerNameextensionID_MaxFragmentLengthextensionID_NegotiatedGroupsextensionID_EcPointFormatsextensionID_SignatureAlgorithmsextensionID_Heartbeat/extensionID_ApplicationLayerProtocolNegotiationextensionID_PreSharedKeyextensionID_EarlyDataextensionID_SupportedVersionsextensionID_CookieextensionID_PskKeyExchangeModes"extensionID_CertificateAuthoritiesextensionID_OidFiltersextensionID_PostHandshakeAuth#extensionID_SignatureAlgorithmsCertextensionID_KeyShareextensionID_SecureRenegotiationdefinedExtensionsTLSStTLSState stSessionstSessionResumingstSecureRenegotiationstClientVerifiedDatastServerVerifiedDatastExtensionALPNstHandshakeRecordContstNegotiatedProtocolstHandshakeRecordCont13stClientALPNSuggeststClientGroupSuggeststClientEcPointFormatSuggeststClientCertificateChain stClientSNI stRandomGen stVersionstClientContextstTLS13KeySharestTLS13PreSharedKey stTLS13HRR stTLS13CookiestExporterMasterSecret runTLSState newTLSStateupdateVerifiedDatafinishHandshakeTypeMaterialfinishHandshakeMaterialcertVerifyHandshakeTypeMaterialcertVerifyHandshakeMaterial setSession getSessionisSessionResuming setVersionsetVersionIfUnset getVersiongetVersionWithDefaultsetSecureRenegotiationgetSecureRenegotiationsetExtensionALPNgetExtensionALPNsetNegotiatedProtocolsetClientALPNSuggestgetClientALPNSuggestsetClientEcPointFormatSuggestgetClientEcPointFormatSuggestsetClientCertificateChaingetClientCertificateChain setClientSNIgetVerifiedDataisClientContext genRandomwithRNGsetExporterMasterSecretgetExporterMasterSecretsetTLS13KeySharegetTLS13KeySharesetTLS13PreSharedKeygetTLS13PreSharedKey setTLS13HRR getTLS13HRRsetTLS13CookiegetTLS13Cookie Data.X509getCertificateSignedCertificateData.X509.CertificateChainCertificateChainData.X509.Cert Certificate certVersion certSerialcertSignatureAlg certIssuerDN certValidity certSubjectDN certPubKeycertExtensions'x509-store-1.6.7-74EBCwXjZZz14y9MFVrpHxData.X509.CertificateStoreCertificateStorevalidateDefault FailedReasonData.X509.Validation.Types ServiceIDisNullCertificateChaingetCertificateChainLeafwrapCertificateChecks defaultHookscredentialMatchesHashSignatures credentialsListSigningAlgorithmscredentialsFindForSigningcredentialsFindForDecryptingcredentialPublicPrivateKeysTrueFalse CommonParamsctxEOF_ctxEstablished_ctxNeedEmptyPacketctxSSLv2ClientHello ctxTxState ctxRxState ctxHandshakectxHooks ctxLockWrite ctxLockRead ctxLockState PendingAction EstablishedNotEstablishedEarlyDataAllowedEarlyDataNotAllowed ctxSupported ctxSharedctxStatectxMeasurementctxDoHandshakectxDoHandshakeWithctxPendingActions ctxKeyLogger updateMeasure withMeasure contextSend contextRecvctxEOFctxHasSSLv2ClientHelloctxDisableSSLv2ClientHellosetEOFctxEstablished ctxWithHookssetEstablishedwithLog throwCore usingState usingState_ usingHState getHState runTxState runRxState getStateRNG withReadLock withWriteLock withRWLock withStateLock tls13orLater makeRecord encodeRecord writePacketprocessPacket13 processPacket getTxState getRxState setTxState setRxState clearTxState clearRxStatesetHelloParameters13wrapAsMessageHash13transcriptHashsetPendingActionspopPendingAction serverRandom isDowngraded clientRandom hrrRandomisHelloRetryRequest writePacket13updateHandshake13 PacketFlightM recvRecord recvPacket sendPacket checkValid sendPacket13 recvPacket13runPacketFlight loadPacket13LogKey MasterSecretClientEarlyTrafficSecretServerHandshakeTrafficSecretClientHandshakeTrafficSecretServerTrafficSecret0ClientTrafficSecret0 encryptRSA signPrivate decryptRSA verifyPublic generateDHE generateECDHEgenerateECDHEShared generateFFDHEgenerateFFDHESharedgetLocalDigitalSignatureAlglogKeycertificateCompatiblehashSigToCertType fromPubKey decryptErrorsignatureCompatiblecheckCertificateVerifycreateCertificateVerifysignatureParamsdigitallySignDHParamsdigitallySignECDHParamsdigitallySignDHParamsVerifydigitallySignECDHParamsVerifycheckSupportedHashSignatureprocessHandshakeprocessHandshake13startHandshakehandshakeTerminateonRecvStateHandshake storePrivInfo RecvState RecvStateNextRecvStateHandshake RecvStateDonehandshakeFailed errorToAlert unexpected newSessionsendChangeCipherAndFinishrecvChangeCipherAndFinishrecvPacketHandshake runRecvStategetSessionDataextensionLookupcheckSupportedGroupisSupportedGroupRecvHandshake13M makeFinishedmakeVerifyDatamakeServerKeySharemakeClientKeySharefromServerKeySharemakeCertVerifycheckCertVerify makePSKBinderreplacePSKBindercreateTLS13TicketInfoageToObfuscatedAge isAgeValidgetAgecheckFreshnessgetCurrentTimeFromBasegetSessionData13ensureNullCompressionsafeNonNegative32recvHandshake13preUpdaterecvHandshake13postUpdaterunRecvHandshake13isHashSignatureValid13certificateRejectedbadCertificaterejectOnExceptionverifyLeafKeyUsagehandshakeServerWithrecvClientDatahandshakeServerstorePrivInfoClient clientChaingetLocalHashSigAlgsupportedCtypessendClientData onServerHellohandshakeClientWithhandshakeClient handshakeWith