!N       !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~= BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownSafeH.876543210/ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownSafe BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone*3      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-. BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone&{<tlsConnection IO backend>tls,Flush the connection sending buffer, if any.?tlsClose the connection.@tls)Send a bytestring through the connection.Atls6Receive specified number of bytes from the connection. 9:;<=>?@A BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone*bBtls'record some data about this connection.Dtls$number of handshakes on this contextEtls#bytes received since last handshakeFtlsbytes sent since last handshake BCDEF/0123 NoneM* 456789:;<= None+(>G?H@ABCDEFGHIJ BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownNone8 Itls2048 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 103 bits.Jtls3072 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 125 bits.Ktls4096 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 150 bits.Ltls6144 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 175 bits.Mtls8192 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 192 bits.IJKLMIJKLM  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneG> Ktls DirectionLtlsRoleNtlsCompression identificationOtlsCipher identificationMtls(Certificate request context for TLS 1.3.QtlsSome session flagsRtls+Session created with Extended Master SecretStlsSession data to resume_tls A session ID`tlsVersions known to TLSDSSL2 is just defined, but this version is and will not be supported.>NOPQRSTUVWXYZ[\]^_`abKcdLefNOPghijkMQRSTUVWXYZ[\]^_`abcdeflmgn  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneGihtlsA session managerjtlsAused on server side to decide whether to resume a client session.ktls_used on server side to decide whether to resume a client session for TLS 1.3 0RTT. For a given _%, the implementation must return its S( only once and must not return the same S after the call.ltls#used when a session is established.mtls#used when a session is invalidated.ntls"The session manager to do nothing.hijklmn  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneEXTotls0This is the default compression which is a NOOP.otlsAevery compression need to be wrapped in this, to fit in structureqtls>supported compression algorithms need to be part of this classptls+return the associated ID for this algorithmqtlszdeflate (compress) a bytestring using a compression context and return the result along with the new compression context.rtlswinflate (decompress) a bytestring using a compression context and return the result along the new compression context.stlsintersect a list of ids commonly given by the other side with a list of compression the function keeps the list of compression in order, to be able to find quickly the prefered compression.utlsdefault null compression Noopqrstpqrsu BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneUotuNoneX\vtlsUAn opaque newtype wrapper to prevent from poking inside content that has been saved.wtlsThis is a strict version of &&.xtlsverify that 2 bytestrings are equals. it's a non lazy version, that will compare every bytes. arguments with different length will bail out earlyytlsSave the content of an z to restore it later.{tlsRestore the content of an zO to a previous saved value and return the content that has just been replaced.v|}~wxy{ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone`tls\Attempt to decode a bytestring representing an DER ASN.1 serialized object into the object.tls7Encode an ASN.1 Object to the DER serialized bytestringNone` BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownNoneb NoneEXgotlsPTest the RSASSA-PKCS1 length condition described in RFC 8017 section 9.2, i.e. emLen >= tLen + 11. Lengths are in bytes.tlsPTest the RSASSA-PSS length condition described in RFC 8017 section 9.1.1, i.e. emBits >= 8hLen + 8sLen + 9. Lengths are in bits.tls+(for the md5 context, for the sha1 context)g ./012345678>G?H@ABCDEFGHIJv|{zyxw}~ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone2OtlsBdeprecated alert, should never be sent by compliant implementationtls@TLS Exceptions related to bad user usage or asynchronous errorstlsGEarly termination exception with the reason and the error associatedtls(Handshake failed for the reason attachedtlsjUsage error when the connection has not been established and the user is trying to send or receive datatls5TLSError that might be returned through the TLS stacktlsmainly for instance of Errortlshandshake policy failed.tls,Some of the IANA registered code points for  are not currently supported by the library. Nor should they be, they're are either unwise, obsolete or both. There's no point in conveying these to the user in the client certificate request callback. The request callback will be filtered to exclude unsupported values. If the user cannot find a certificate for a supported code point, we'll go ahead without a client certificate and hope for the best, unless the user's callback decides to throw an exception.tlsTLS10 and up, RFC5246tlsTLS10 and up, RFC5246tlsTLS10 and up, RFC8422tlsTLS13 and up, synthetictlsTLS13 and up, synthetic | None of the below will ever be presented to the callback. Any future public key algorithms valid for client certificates go above this line.tlshLast supported certificate type, no 'CertificateType that compares greater than this one (based on the  y instance, not on the wire code point) will be reported to the application via the client certificate request callback.STUVWXYZ[\]^_`abcdef      BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone  !"#$%&'()*+,-./01234567 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone8tlsFor now we ignore the version, but perhaps some day the PRF will depend not only on the cipher PRF algorithm, but also on the protocol version.9:;<=>8 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneEXtlsCipher algorithmtlsCheck if a specific 2 is allowed to be used with the version specified@Ov|{zyxw}      BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneYtlsyAll AES and ChaCha20-Poly1305 ciphers supported ordered from strong to weak. This choice of ciphersuites should satisfy most normal needs. For otherwise strong ciphers we make little distinction between AES128 and AES256, and list each but the weakest of the AES128 ciphers ahead of the corresponding AES256 ciphers, with the ChaCha20-Poly1305 variant placed just after.aThe CCM ciphers all come together after the GCM variants due to their relative performance cost.tlsDThe default ciphersuites + some not recommended last resort ciphers.tlslist of medium ciphers.tlsThe strongest ciphers supported. For ciphers with PFS, AEAD and SHA2, we list each AES128 variant after the corresponding AES256 and ChaCha20-Poly1305 variants. For weaker constructs, we use just the AES256 form.gThe CCM ciphers come just after the corresponding GCM ciphers despite their relative performance cost. tls}DHE-RSA cipher suite. This only includes ciphers bound specifically to DHE-RSA so TLS 1.3 ciphers must be added separately."tls8all unencrypted ciphers, do not use on insecure network.#tls@unencrypted cipher using RSA for key exchange and MD5 for digest$tlsAunencrypted cipher using RSA for key exchange and SHA1 for digest%tls/RC4 cipher, RSA key exchange and MD5 for digest&tls0RC4 cipher, RSA key exchange and SHA1 for digest'tls?3DES cipher (168 bit key), RSA key exchange and SHA1 for digest(tls>AES cipher (128 bit key), RSA key exchange and SHA1 for digest)tlsMAES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for digest*tlsMAES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for digest+tls>AES cipher (256 bit key), RSA key exchange and SHA1 for digest,tlsMAES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for digest-tlsMAES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for digest.tls@AES cipher (128 bit key), RSA key exchange and SHA256 for digest/tls@AES cipher (256 bit key), RSA key exchange and SHA256 for digest3tlsaAESCCM cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.4tlsbAESCCM8 cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.5tlsaAESGCM cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.6tlsaAESCCM cipher (256 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.7tlsbAESCCM8 cipher (256 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.8tlsaAESGCM cipher (256 bit key), RSA key exchange. The SHA384 digest is used as a PRF, not as a MAC.; !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUV;" !$(+./345678*-12),9:;<=>AUVKIJL?GHMNOPQRST@BCDEF'%&#0 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneg@IJKLM !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUV BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone.?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonemtlscurrent protocol versionntlscurrent key exchange typeotls$Decode a list CA distinguished namesptls%Encode a list of distinguished names.qtlsin certain cases, we haven't manage to decode ServerKeyExchange properly, because the decoding was too eager and the cipher wasn't been set yet. we keep the Server Key Exchange in it unparsed format, and this function is able to really decode the server key xchange if it's unparsed.rtlsfThe TLS12 PRF is cipher specific, and some TLS12 algorithms use SHA384 instead of the default SHA256..stmnuvwxyz{|}~opq BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@A BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneGtlsRepresent a TLS record.tlsXturn a plaintext record into a compressed record using the compression function suppliedtlsTturn a compressed record into a ciphertext record using the cipher function suppliedtlsXturn a ciphertext fragment into a compressed fragment using the cipher function suppliedtls^turn a compressed fragment into a plaintext fragment using the decompression function suppliedtls&turn a record into an header and bytestls*turn a header and a fragment into a recordtlsturn a record into a header BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneֽ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone> BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone;  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>! BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@AMoWtls5Type to show which handshake mode is used in TLS 1.3.XtlsFull handshake is used.Ytls/Full handshake is used with hello retry reuest.Ztls!Server authentication is skipped.[tls8Server authentication is skipped and early data is sent.tls-When we receive a CertificateRequest from a server, a just-in-time callback is issued to the application to obtain a suitable certificate. Somewhat unfortunately, the callback parameters don't abstract away the details of the TLS 1.2 Certificate Request message, which combines the legacy certificate_types and new supported_signature_algorithms& parameters is a rather subtle way.TLS 1.2 also (again unfortunately, in the opinion of the author of this comment) overloads the signature algorithms parameter to constrain not only the algorithms used in TLS, but also the algorithms used by issuing CAs in the X.509 chain. Best practice is to NOT treat such that restriction as a MUST, but rather take it as merely a preference, when a choice exists. If the best chain available does not match the provided signature algorithm list, go ahead and use it anyway, it will probably work, and the server may not even care about the issuer CAs at all, it may be doing DANE or have explicit mappings for the client's public key, ... The TLS 1.3 CertificateRequest message, drops certificate_types and no longer overloads supported_signature_algorithmsi to cover X.509. It also includes a new opaque context token that the client must echo back, which makes certain client authentication replay attacks more difficult. We will store that context separately, it does not need to be presented in the user callback. The certificate signature algorithms preferred by the peer are now in the separate signature_algorithms_cert extension, but we cannot report these to the application callback without an API change. The good news is that filtering the X.509 signature types is generally unnecessary, unwise and difficult. So we just ignore this extension.As a result, the information we provide to the callback is no longer a verbatim copy of the certificate request payload. In the case of TLS 1.3 The 6 list is synthetically generated from the server's signature_algorithms extension, and the signature_algorithms_certs extension is ignored.Since the original TLS 1.2  has no provision for the newer certificate types that have appeared in TLS 1.3 we're adding some synthetic values that have no equivalent values in the TLS 1.2  as defined in the IANA < Uhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2d TLS ClientCertificateType Identifiers> registry. These values are inferred from the TLS 1.3 signature_algorithmsl extension, and will allow clients to present Ed25519 and Ed448 certificates when these become supported.tls>Set to Just-value when a TLS13 certificate request is receivedtls8Set to Just-value when a certificate request is receivedtlsIn TLS 1.3, these are separate from the certificate issuer signature algorithm hints in the callback data. In TLS 1.2 the same list is overloaded for both purposes. Not present in TLS 1.1 and earliertls4Set to true when a client certificate chain was senttls|Set to true when a certificate request was sent. This applies only to requests sent during handshake (not post-handshake).tlsECompress the whole transcript with the specified function. Function fo takes the handshake digest as input and returns an encoded handshake message to replace the transcript with.tls6Generate the master secret from the pre master secret.tlsSet master secret and as a side effect generate the key block with all the right parameters, and setup the pending tx/rx state.tlschosen transmission versiontls2the role (Client or Server) of the generating sidetlsthe pre master secrettlschosen version_WZXY[      !"#$%&'()*+," BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone*-./# BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone)0tlsExtended Master Secret1tls-Application Layer Protocol Negotiation (ALPN)2tlsSecure Renegotiation3tls?Max fragment extension with length from 512 bytes to 4096 bytesRFC 6066 defines: If a server receives a maximum fragment length negotiation request for a value other than the allowed values, it MUST abort the handshake with an "illegal_parameter" alert.HSo, if a server receives MaxFragmentLengthOther, it must send the alert.4tlsServer Name extension including the name type and the associated name. the associated name decoding is dependant of its name type. name type = 0 : hostname5tlsKExtension class to transform bytes to and from a high level Extension type.6tls.all supported extensions by the implementationn./012345678789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdef0g1h2i\]^_`3jklmn4o5pqrstuvwxyz{|}~6$ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@AMSX- G<% BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone2atls3Certificate Usage callback possible returns values.btlsusage of certificate acceptedctlsusage of certificate rejecteddtls&Certificate and Chain rejection reason!#-abcdefghi& BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone8jtlsA collection of hooks actions.ltls)called at each handshake message receivedmtls5called at each handshake message received for TLS 1.3ntls1called at each certificate chain message receivedotls/hooks on IO and packets, receiving and sending.ptlsHooks for logging8This is called when sending and receiving packets and IO jklmnopqrstu' BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneGytlstry to create a new credential object from a public certificate and the associated private key that are stored on the filesystem in PEM format.ztls similar to yV but take the certificate and private key from memory instead of from the filesystem.{tls similar to y/ but also allow specifying chain certificates.|tls similar to z/ but also allow specifying chain certificates.tlsChecks whether certificate signatures in the chain comply with a list of hash/signature algorithm pairs. Currently the verification applies only to the signature of the leaf certificate, and when not self-signed. This may be extended to additional chain elements in the future.ytls!public certificate (X.509 format)tlsprivate key associated{tls!public certificate (X.509 format)tls!chain certificates (X.509 format)tlsprivate key associated vwxyz{|( BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone%I?}tlsQA set of callbacks run by the server for various corners of the TLS establishmenttlsThis action is called when a client certificate chain is received from the client. When it returns a CertificateUsageReject value, the handshake is aborted.The function is not expected to verify the key-usage extension of the certificate. This verification is performed by the library internally. Default: returns the followings: RCertificateUsageReject (CertificateRejectOther "no client certificates expected") tlsNThis action is called when the client certificate cannot be verified. Return ' to accept the certificate anyway, or  to fail verification.Default: returns tlsiAllow the server to choose the cipher relative to the the client version and the client list of ciphers.xThis could be useful with old clients and as a workaround to the BEAST (where RC4 is sometimes prefered with TLS < 1.1)'The client cipher list cannot be empty.$Default: taking the head of ciphers.tlstAllow the server to indicate additional credentials to be used depending on the host name indicated by the client.This is most useful for transparent proxies where credentials must be generated on the fly according to the host the client is trying to connect to.yReturned credentials may be ignored if a client does not support the signature algorithms used in the certificate chain.Default: returns tlsQAt each new handshake, we call this hook to see if we allow handshake to happens.Default: returns tlsAllow the server to choose an application layer protocol suggested from the client through the ALPN (Application Layer Protocol Negotiation) extensions. Default: ,tlsNA set of callbacks run by the clients for various corners of TLS establishmenttls$This action is called when the a certificate request is received from the server. The callback argument is the information from the request. The server, at its discretion, may be willing to continue the handshake without a client certificate. Therefore, the callback is free to return , to indicate that no client certificate should be sent, despite the server's request. In some cases it may be appropriate to get user consent before sending the certificate; the content of the user's certificate may be sensitive and intended only for specific servers.!The action should select a certificate chain of one of the given certificate types and one of the certificates in the chain should (if possible) be signed by one of the given distinguished names. Some servers, that don't have a narrow set of preferred issuer CAs, will send an empty  list, rather than send all the names from their trusted CA bundle. If the client does not have a certificate chaining to a matching CA, it may choose a default certificate instead.Each certificate except the last should be signed by the following one. The returned private key must be for the first certificates in the chain. This key will be used to signing the certificate verify message.|The public key in the first certificate, and the matching returned private key must be compatible with one of the list of  value when provided. TLS 1.3 changes the meaning of the list elements, adding explicit code points for each supported pair of hash and signature (public key) algorithms, rather than combining separate codes for the hash and key. For details see  1https://tools.ietf.org/html/rfc8446#section-4.2.3RFC 8446M section 4.2.3. When no compatible certificate chain is available, return , if it is OK to continue without a client certificate. Returning a non-matching certificate should result in a handshake failure.KWhile the TLS version is not provided to the callback, the content of the signature_algorithmsm list provides a strong hint, since TLS 1.3 servers will generally list RSA pairs with a hash component of  Intrinsic (0x08).Note that is is the responsibility of this action to select a certificate matching one of the requested certificate types (public key algorithms). Returning a non-matching one will lead to handshake failure later.Default: returns , anyway.tlsZUsed by the client to validate the server certificate. The default implementation calls H which validates according to the default hooks and checks provided by Data.X509.ValidationT. This can be replaced with a custom validation function using different settings.The function is not expected to verify the key-usage extension of the end-entity certificate, as this depends on the dynamically-selected cipher and this part should not be cached. Key-usage verification is performed by the library internally. Default: tlsqThis action is called when the client sends ClientHello to determine ALPN values such as '["h2", "http/1.1"]'.Default: returns ,tlsThis action is called to validate DHE parameters when the server selected a finite-field group not part of the "Supported Groups Registry" or not part of  list.With TLS 1.3 custom groups have been removed from the protocol, so this callback is only used when the version negotiated is 1.2 or below.CThe default behavior with (dh_p, dh_g, dh_size) and pub as follows: rejecting if dh_p is even,rejecting unless 1 < dh_g && dh_g < dh_p - 1+rejecting unless 1 < dh_p && pub < dh_p - 16rejecting if dh_size < 1024 (to prevent Logjam attack)-See RFC 7919 section 3.1 for recommandations.tls Type for 4. This type synonym is to make document readable.tls Type for 4. This type synonym is to make document readable.tls,Group usage callback possible return values.tlsusage of group acceptedtls-usage of group provides insufficient securitytls>usage of group rejected for other reason (specified as string)tls+usage of group with an invalid public valuetls2Parameters that are common to clients and servers.tlsThe list of certificates and private keys that a server will use as part of authentication to clients. Actual credentials that are used are selected dynamically from this list based on client capabilities. Additional credentials returned by  are also considered.XWhen credential list is left empty (the default value), no key exchange can take place. Default: tlsCallbacks used by clients and servers in order to resume TLS sessions. The default implementation never resumes sessions. Package  7https://hackage.haskell.org/package/tls-session-managertls-session-manager' provides an in-memory implementation. Default: ntlsA collection of trust anchors to be used by a client as part of validation of server certificates. This is set as first argument to function  . Package  /https://hackage.haskell.org/package/x509-system x509-systemH gives access to a default certificate store configured in the system. Default: tlsCallbacks that may be used by a client to cache certificate validation results (positive or negative) and avoid expensive signature check. The default implementation does not have any caching.See the default value of -.tls8Client or server policy regarding Extended Master Secrettls"Extended Master Secret is not usedtls!Extended Master Secret is allowedtls"Extended Master Secret is requiredtlsDList all the supported algorithms, versions, ciphers, etc supported.tlsSupported versions by this context. On the client side, the highest version will be used to establish the connection. On the server side, the highest version that is less or equal than the client version will be chosen.KVersions should be listed in preference order, i.e. higher versions first. Default: [TLS13,TLS12,TLS11,TLS10]tlsSSupported cipher methods. The default is empty, specify a suitable cipher list. ) is often a good choice. Default: []tlsSupported compressions methods. By default only the "null" compression is supported, which means no compression will be performed. Allowing other compression method is not advised as it causes a connection failure when TLS 1.3 is negotiated. Default: [nullCompression]tlsAll supported hash/signature algorithms pair for client certificate verification and server signature in (EC)DHE, ordered by decreasing priority.BThis list is sent to the peer as part of the "signature_algorithms" extension. It is used to restrict accepted signatures received from the peer at TLS level (not in X.509 certificates), but only when the TLS version is 1.2 or above. In order to disable SHA-1 one must then also disable earlier protocol versions in .WThe list also impacts the selection of possible algorithms when generating signatures.Note: with TLS 1.3 some algorithms have been deprecated and will not be used even when listed in the parameter: MD5, SHA-1, SHA-224, RSA PKCS#1, DSS.Default: % [ (HashIntrinsic, SignatureEd448) , (HashIntrinsic, SignatureEd25519) , (Struct.HashSHA256, SignatureECDSA) , (Struct.HashSHA384, SignatureECDSA) , (Struct.HashSHA512, SignatureECDSA) , (HashIntrinsic, SignatureRSApssRSAeSHA512) , (HashIntrinsic, SignatureRSApssRSAeSHA384) , (HashIntrinsic, SignatureRSApssRSAeSHA256) , (Struct.HashSHA512, SignatureRSA) , (Struct.HashSHA384, SignatureRSA) , (Struct.HashSHA256, SignatureRSA) , (Struct.HashSHA1, SignatureRSA) , (Struct.HashSHA1, SignatureDSS) ] tls/Secure renegotiation defined in RFC5746. If 7, clients send the renegotiation_info extension. If g, servers handle the extension or the renegotiation SCSV then send the renegotiation_info extension. Default: tlsIf ], renegotiation is allowed from the client side. This is vulnerable to DOS attacks. If I, renegotiation is allowed only from the server side via HelloRequest. Default: tlsThe mode regarding extended master secret. Enabling this extension provides better security for TLS versions 1.0 to 1.2. TLS 1.3 provides the security properties natively and does not need the extension.JBy default the extension is enabled but not required. If mode is set to , the handshake will fail when the peer does not support the extension. It is also advised to disable SSLv3 which does not have this mechanism. Default: tlsSet if we support session. Default: tls4Support for fallback SCSV defined in RFC7507. If b, servers reject handshakes which suggest a lower protocol than the highest protocol supported. Default: tlsdIn ver <= TLS1.0, block ciphers using CBC are using CBC residue as IV, which can be guessed by an attacker. Hence, an empty packet is normally sent before a normal data packet, to prevent guessability. Some Microsoft TLS-based protocol implementations, however, consider these empty packets as a protocol violation and disconnect. If this parameter is Y, empty packets will never be added, which is less secure, but might help in rare cases. Default: tlsVA list of supported elliptic curves and finite-field groups in the preferred order.The list is sent to the server as part of the "supported_groups" extension. It is used in both clients and servers to restrict accepted groups in DH key exchange. Up until TLS v1.2, it is also used by a client to restrict accepted elliptic curves in ECDSA signatures.TThe default value includes all groups with security strength of 128 bits or more. Default: D[X25519,X448,P256,FFDHE3072,FFDHE4096,P384,FFDHE6144,FFDHE8192,P521]tls"Request a certificate from client. Default: tlsThis is a list of certificates from which the disinguished names are sent in certificate request messages. For TLS1.0, it should not be empty. Default: '[]'tlsServer Optional Diffie Hellman parameters. Setting parameters is necessary for FFDHE key exchange when clients are not compatible with RFC 7919.9Value can be one of the standardized groups from module Network.TLS.Extra.FFDHE& or custom parameters generated with *+. Default: ,tlsSee the default value of }.tlsSee the default value of .tlsSee the default value of .tlsSee the default value of .tlsrServer accepts this size of early data in TLS 1.3. 0 (or lower) means that the server does not accept early data. Default: 0tlsLifetime in seconds for session tickets generated by the server. Acceptable value range is 0 to 604800 (7 days). The default lifetime is 86400 seconds (1 day).Default: 86400 (one day)tls Default: ,tlsDefine the name of the server, along with an extra service identification blob. this is important that the hostname part is properly filled for security reason, as it allow to properly associate the remote side with the given certificate during a handshake.The extra blob is useful to differentiate services running on the same host, but that might have different certificates given. It's only used as part of the X509 validation infrastructure.This value is typically set by .tlsAllow the use of the Server Name Indication TLS extension during handshake, which allow the client to specify which host name, it's trying to access. This is useful to distinguish CNAME aliasing (e.g. web virtual host). Default: tls1try to establish a connection using this session. Default: ,tlsSee the default value of .tlsSee the default value of .tlsIIn this element, you'll need to override the default empty value of of  with a suitable cipherlist.See the default value of .tlsSee the default value of .tlsClient tries to send this early data in TLS 1.3 if possible. If not accepted by the server, it is application's responsibility to re-sent it. Default: ,tls-All settings should not be used in productiontlsDisable the true randomness in favor of deterministic seed that will produce a deterministic random from. This is useful for tests and debugging purpose. Do not use in production Default: ,tlsyAdd a way to print the seed that was randomly generated. re-using the same seed will reproduce the same randomness with Default: no printingtls0Force to choose this version in the server side. Default: ,tlsPrinting master keys.Default: no printingX\]^_`abcdefghi}~, BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone9@tlssimple pending actiontls=pending action taking transcript hash up to preceding messagetlsJA TLS Context keep tls specific state, parameters and backend information.tls6return the backend object associated with this contexttlshas the handle EOFed or not.tls0has the handshake been done and been successful.tls-empty packet workaround for CBC guessability.tlsenable the reception of compatibility SSLv2 client hello. the flag will be set to false regardless of its initial value after the first packet received.tlscurrent tx statetlscurrent rx statetlsoptional handshake statetlshooks for this contexttls;lock to use for writing data (including updating the state)tls;lock to use for reading data (including updating the state)tlsmlock used during read/write when receiving and sending packet. it is usually nested in a write or read lock.tlspending PHA requeststls=Information related to a running context, e.g. current ciphertls.A shortcut for 'backendFlush . ctxConnection'.tls.A shortcut for 'backendClose . ctxConnection'.tls%Information about the current contextBCDEFSTUVWXYZ[\]^_\]^_`jklmno      !"#$%&'()*+,-./01- BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>I2tlskencodePacket transform a packet into marshalled data related to current state and updating state on the go234. BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>?5/ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>@670 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneB89:;<=>?@AB1 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneQNCtls Generate a server random suitable for the version selected by the server and its supported versions. We use an 8-byte downgrade suffix when the selected version is lowered because of incomplete client support, but also when a version downgrade has been forced with debugVersionForced. This second part allows to test that the client implementation correctly detects downgrades. The suffix is not used when forcing TLS13 to a server not officially supporting TLS13 (this is not a downgrade scenario but only the consequence of our debug API allowing this).DtlsTest if the negotiated version was artificially downgraded (that is, for other reason than the versions supported by the client).CDEFG2 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneOHI3 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneM^JtlsjState monad used to group several packets together and send them on wire as single flight. When packets are loaded in the monad, they are logged immediately, update the context digest and transcript, but actual sending is deferred. Packets are sent all at once when the monadic computation ends (normal termination but also if interrupted by an exception).KtlsSend one packet to the contextLtlsreceive one packet from the context that contains 1 or many messages (many only in case of handshake). if will returns a TLSError if the packet is unexpected or malformedMtlsJrecvRecord receive a full TLS record (header + data), from the other side..The record is disengaged from the record layerMtls1flag to enable SSLv2 compat ClientHello receptiontls;number of AppData bytes to accept above normal maximum sizetls TLS context JKNLOPQRS4 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone=?jcTtlsTest whether the argument is a public key supported for signature at the specified TLS version. This also accepts a key for RSA encryption. This test is performed by clients or servers before verifying a remote Certificate Verify.UtlsTest whether the argument is matching key pair supported for signature. This also accepts material for RSA encryption. This test is performed by servers or clients before using a credential from the local configuration.VtlsTest whether the public key satisfies a predicate about the elliptic curve. When the public key is not suitable for ECDSA, like RSA for instance, the predicate is not used and the result is .WXYZ[\]^_`TUaVb5 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone{tctls0Check that the key is compatible with a list of t values. Ed25519 and Ed448 have no assigned code point and are checked with extension "signature_algorithms" only.dtls Translate a  to an acceptable . Perhaps this needs to take supported groups into account, so that, for example, if we don't support any shared ECDSA groups with the server, we return , rather than .Therefore, this interface is preliminary. It gets us moving in the right direction. The interplay between all the various TLS extensions and certificate selection is rather complex.NThe goal is to ensure that the client certificate request callback only sees n values that are supported by the library and also compatible with the server signature algorithms extension.DSince we don't yet support ECDSA private keys, the caller will use , to filter those out for now, leaving just RSA@ as the only supported client certificate algorithm for TLS 1.3.1FIXME: Add RSA_PSS_PSS signatures when supported. ecfgdhijklmno6 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone|pqr7Nonestls1when a new handshake is done, wrap up & clean up.ttls?process a list of handshakes message in the recv state machine.utlsStore the specified keypair. Whether the public key and private key actually match is left for the peer to discover. We're not presently burning CPU to detect that misconfiguration. We verify only that the types of keys match.vwxyz{|}s~tu8 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonec9 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneMgtls1TLS13 handshake wrap up & clean up. Contrary to handshakeTerminate, this does not handle session, which is managed separately for TLS 1.3. This does not reset byte counters because renegotiation is not allowed. And a few more state attributes are preserved, necessary for TLS13 handshake modes, session tickets and post-handshake authentication.': BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone6tls)Put the server context in handshake mode.Expect a client hello message as parameter. This is useful when the client hello has been already poped from the recv layer to inspect the packet.When the function returns, a new handshake has been succesfully negociated. On any error, a HandshakeFailed exception is raised.handshake protocol ( - receiving, -K sending, [] optional): (no session) (session resumption) <- client hello <- client hello -> server hello -> server hello -> [certificate] -> [server key xchg] -> [cert request] -> hello done <- [certificate] <- client key xchg <- [cert verify]  -change cipher - change cipher  -finish -Z finish -> change cipher <- change cipher -> finish <- finishtls>receive Client data in handshake until the Finished handshake.g<- [certificate] <- client key xchg <- [cert verify] <- change cipher <- finish; BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone_tlscStore the keypair and check that it is compatible with the current protocol version and a list of  values.tlsWhen the server requests a client certificate, we try to obtain a suitable certificate chain and private key via the callback in the client parameters. It is OK for the callback to return an empty chain, in many cases the client certificate is optional. If the client wishes to abort the handshake for lack of a suitable certificate, it can throw an exception in the callback.The return value is , when no CertificateRequest was received and no  Certificate? message needs to be sent. An empty chain means that an empty  Certificate> message needs to be sent to the server, naturally without a CertificateVerify. A non-empty @ is the chain to send to the server along with a corresponding CertificateVerify.With TLS < 1.2 the server's CertificateRequesto does not carry a signature algorithm list. It has a list of supported public key signing algorithms in the certificate_types' field. The hash is implicit. It is x for DSS and } for RSA.With TLS == 1.2 the server's CertificateRequest always has a supported_signature_algorithms. list, as a fixed component of the structure. This list is (wrongly) overloaded to also limit X.509 signatures in the client's certificate chain. The BCP strategy is to find a compatible chain if possible, but else ignore the constraint, and let the server verify the chain as it sees fit. The supported_signature_algorithmsY field is only obligatory with respect to signatures on TLS messages, in this case the CertificateVerify message. The certificate_types field is still included.With TLS 1.3 the server's CertificateRequest has a mandatory signature_algorithms extension, the signature_algorithms_cert extension, which is optional, carries a list of algorithms the server promises to support in verifying the certificate chain. As with TLS 1.2, the client's makes a  best-effortD to deliver a compatible certificate chain where all the CA signatures are known to be supported, but it should not abort the connection just because the chain might not work out, just send the best chain you have and let the server worry about the rest. The supported public key algorithms are now inferred from the signature_algorithms extension and certificate_types is gone.(With TLS 1.3, we synthesize and store a certificate_types& field at the time that the server's CertificateRequestx message is received. This is then present across all the protocol versions, and can be used to determine whether a CertificateRequest was received or not.If signature_algorithms is ,), then we're doing TLS 1.0 or 1.1. The signature_algorithms_cert extension is optional in TLS 1.3, and so the application callback will not be able to distinguish between TLS 1.[01] and TLS 1.3 with no certificate algorithm hints, but this just simplifies the chain selection process, all CA signatures are OK.tlsReturn a most preferred HandAndSignatureAlgorithm that is compatible with the local key and server's signature algorithms (both already saved). Must only be called for TLS versions 1.2 and up, with compatibility function f or g based on version.The values in the server's signature_algorithmsv extension are in descending order of preference. However here the algorithms are selected by client preference in  cHashSigs.tlsReturn the supported M values that are compatible with at least one supported signature algorithm.tlsHTLS 1.2 and below. Send the client handshake messages that follow the  ServerHello, etc. except for CCS and Finished.aXXX: Is any buffering done here to combined these messages into a single TCP packet? Otherwise we're prone to Nagle delays, or in any case needlessly generate multiple small packets, where a single larger packet will do. The TLS 1.3 code path seems to separating record generation and transmission and sending multiple records in a single packet.> [certificate]> client key exchange> [cert verify]tls<onServerHello process the ServerHello message on the client.1) check the version chosen by the server is one allowed by parameters. 2) check that our compression and cipher algorithms are part of the list we sent 3) check extensions received are part of the one we sent 4) process the session parameter to see if the server want to start a new session or can resume 5) if no resume switch to processCertificate SM or in resume switch to expectChangeCipher< BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetls:Post-handshake certificate request with TLS 1.3. Returns u if the request was possible, i.e. if TLS 1.3 is used and the remote client supports post-handshake authentication.= BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneDtlssHandshake for a new TLS connection This is to be called at the beginning of a connection, and during renegotiation> BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetls@create a new context using the backend and parameters specified.tls"create a new context on an handle.tls!create a new context on a socket.tlsNBackend abstraction with specific method to interact with the connection type.tlsParameters of the context.tlsHandle of the connection.tlsParameters of the context.tlsSocket of the connection.tlsParameters of the context.Ujklmno     !"#$()*+,-./? BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneX tlsHow to update keys in TLS 1.3tlsUnidirectional key updatetls&Bidirectional key update (normal case)tlsnotify the context that this side wants to close connection. this is important that it is called before closing the handle, otherwise the session might not be resumable (for version < TLS1.2).&this doesn't actually close the handletlsVIf the ALPN extensions have been used, this will return get the protocol agreed upon.tlsdIf the Server Name Indication extension has been used, return the hostname specified by the client.tls[sendData sends a bunch of data. It will automatically chunk data to acceptable packet sizetlsGet data out of Data packet, and automatically renegotiate if a Handshake ClientHello is received. An empty result means EOF.tls/same as recvData but returns a lazy bytestring.tlsWUpdating appication traffic secrets for TLS 1.3. If this API is called for TLS 1.3,  is returned. Otherwise,  is returned.KL@ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonec?@ABCDEFSTUVWXYZ[\]^_`abcdef      !"#$%&'()*+,-./01234567GHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklstmnuvwxyz{|}~opq23467KL BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetls Getting certificates from a client, if any. Note that the certificates are not sent by a client on resumption even if client authentication is required. So, this API would be replaced by the one which can treat both cases of full-negotiation and resumption. "! #'&%$()-,+*./0123456789:;<=>?@ABCDEFGHNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuv|{zyxw}~     WZXY[\]^_`abcdefghijklmnopqrstuvwxyz{|}~9:;<=>?@A}~BCDEFvwxyz{|hijklmn_STUVWXYZ[\]^QRP-,+*()'&%$#`abcdefopu./012345678GHabcdefghig\]^_`WZXY[jklmnopqrstu~qrstN      v|{zyxw}O"! ABCABDABEABFABGABHABIABJAKLAKMAKNAKOAKPAKQAKRAKSAKTAKUVWXVWYVWZVW[VW\VW]VW^VW_VW`VWaVWaVWbVWcVWdVWeVWfVWfVghVgiVgjVgkVglVgmVgnVgoVgpVgqVgqrstuvwxyz{|}~                              !"##$%&'()*++,-./0123456789:;<=>?@ABCDEFGHHIJKLMNOPQRSTUV)WXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~!!!!!#####%%%%%%%%%&&&&&&&&&&&&'''''''(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((,,,,,,,,,,,,,,,,,,<=> > > > > >>>?????????? !"#$%#$&#$'()*()+(),-./01/23/24/05/67/08/09/0:/0;/0</0=/0>/0?/0@ABCABDABEABFABGABHABIABJ/KL/0M/0N/0O/0P/0Q/0R/ST/SU/SV/SW/SX/SY/SZ/S[/S\/S]/S^/S_/`a/`b/0c/0d/0e/0f/gh/gi/gjAklAkmAknAkoAkp/qr/qs/qt/quvwx/yz/y{/y|/y}/y~/y~/y/y/y/y/y/y/y/y/y/y/y/y/y/y/y/y/y/y/y/y/6/6/6/6/6/6/6/6/6/6/6/6/6/6//`/`/`//////////////S/S/S/S/S/S/S/S/S/S/S/S/S/S/////////////////////////////////////////////////////////////////////////////////q/q /q /  /  / / / / / / / / / / / / / / / / / / /  / !/ "/ #/ $/ %/ &/ '/ (/ )/ */+,/+-/2./2//20/21/22/23/24/25/26/27/28/29/2:/2;/2</2=/2>/2?/2@/2A/2B/2C/2D/2E/2F/2G/2H/2I/2J/2K/2L/MN/MO/MP/MQ/MR/MS/MT/MU/0V/0W/0X/0Y/0Z/0[/0\/0]/0^/0_/0`/0a/0b/0c/0d/0e/0f/0g/0h/ijklmnopqrpqspqtpqupvwpvx y y z { | } ~                                                   /pppA      !"#$%&'()**+,--./012234456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`"abcdefghijklmnomnpmnqmrsmrtmrumrvmrwxyz{|}~     !!!!!!!!!!!! ! ! ! ! !!!!!!!!!!!!!!!!!!!! !!!"!#!$!%!&!'!(!)!*!+!,!-!.!/!0!1!2!3!4!5!6!7!8!9!:!;!<!=!>!?!@!A!B!C!D!E!F!G!H!I!J!K!L!M!N!O!P!Q!R!S!T!U!V"W"X"Y#Z#[#\#]#^#_#`#a#a#b#b#c#c##d#e#f#f#g#g#h#i#j#k#l#m#n#o#o#p#q#r#s#t#u#u#v#v#w#w#x#y#z#{#{#|#|#}#~#######Z#[#\#]#####^##############################$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$AAAAAAAAAAAAAAVWVWV%%%%&'''''AkAk/0( , , , , ,,,,,,,,,,, ,,,,,,,,,,, ,!,",#,$,%,&,',(,),*,+,,,-,.,/,0,1,2,3,4,5,6,7,8,9,:,;,<,=,>,?,@,A,B,C,D-E-F-G.H/I/J0K0L0M0N0O0P0Q0R0S0T0U1V1W1X1Y1Z2[2\3]3^3_3`3a3b3c3d3e3f4g4h4i4j4k4l4m4n4o4p4q4r4s4t4u5v5w5x5y5z5{5|5}5~555566677777777777777777777788888999999999999999999999999999999999999999:::::;;;;;;;;;<= tls-1.5.3-HgRCCF2R8QeBL9ner0nwsK Network.TLSNetwork.TLS.Extra.FFDHENetwork.TLS.Extra.CipherNetwork.TLS.Crypto.TypesNetwork.TLS.ErrTNetwork.TLS.ImportsNetwork.TLS.BackendNetwork.TLS.MeasurementNetwork.TLS.RNGNetwork.TLS.Crypto.DHNetwork.TLS.TypesNetwork.TLS.SessionNetwork.TLS.CompressionNetwork.TLS.CapNetwork.TLS.UtilNetwork.TLS.Util.ASN1Network.TLS.Util.SerializationNetwork.TLS.Crypto.IESNetwork.TLS.CryptoNetwork.TLS.StructNetwork.TLS.Struct13Network.TLS.MACNetwork.TLS.CipherNetwork.TLS.ExtraNetwork.TLS.WireNetwork.TLS.PacketNetwork.TLS.Record.StateNetwork.TLS.Record.TypesNetwork.TLS.Record.EngageNetwork.TLS.Record.DisengageNetwork.TLS.RecordNetwork.TLS.Packet13Network.TLS.Handshake.StateNetwork.TLS.KeyScheduleNetwork.TLS.ExtensionNetwork.TLS.StateNetwork.TLS.X509Network.TLS.HooksNetwork.TLS.CredentialsNetwork.TLS.Parametersciphersuite_defaultCrypto.PubKey.DHgenerateParamsNetwork.TLS.Context.InternalNetwork.TLS.SendingNetwork.TLS.Receiving13Network.TLS.ReceivingNetwork.TLS.Handshake.State13Network.TLS.Handshake.RandomNetwork.TLS.Sending13Network.TLS.IONetwork.TLS.Handshake.KeyNetwork.TLS.Handshake.SignatureNetwork.TLS.Handshake.ProcessNetwork.TLS.Handshake.Common!Network.TLS.Handshake.CertificateNetwork.TLS.Handshake.Common13Network.TLS.Handshake.ServerNetwork.TLS.Handshake.ClientNetwork.TLS.PostHandshakeNetwork.TLS.HandshakeNetwork.TLS.ContextNetwork.TLS.CoreNetwork.TLS.Internal!x509-1.7.5-88sFAu8thSMBsuVkhC0qSyData.X509.PrivateKey PrivKeyEd448PrivKeyEd25519 PrivKeyX448 PrivKeyX25519 PrivKeyEC PrivKeyDSA PrivKeyRSAPrivKeyData.X509.PublicKey PubKeyUnknown PubKeyEd448 PubKeyEd25519 PubKeyX448 PubKeyX25519PubKeyECPubKeyDH PubKeyDSA PubKeyRSAPubKey-x509-validation-1.6.11-Hs27ZJXTONT40yEPj2M3M5Data.X509.Validation checkFQHNcheckLeafKeyPurposecheckLeafKeyUsage checkLeafV3checkExhaustivecheckCAConstraintscheckStrictOrdering checkAtTimecheckTimeValidityValidationCheckshookFilterReasonhookValidateNamehookValidateTimehookMatchSubjectIssuerValidationHooksData.X509.Validation.CacheexceptionValidationCacheValidationCacheUnknownValidationCacheDeniedValidationCachePassValidationCacheResultValidationCacheQueryCallbackValidationCacheAddCallbackcacheAdd cacheQueryValidationCacheGroupP256P384P521X25519X448 FFDHE2048 FFDHE3072 FFDHE4096 FFDHE6144 FFDHE8192 HasBackendinitializeBackend getBackendBackend backendFlush backendClose backendSend backendRecv Measurement nbHandshakes bytesReceived bytesSentDHParamsDHPublic ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 CompressionIDCipherIDTLS13TicketInfo SessionFlag SessionEMS SessionDatasessionVersion sessionCiphersessionCompressionsessionClientSNI sessionSecret sessionGroupsessionTicketInfo sessionALPNsessionMaxEarlyDataSize sessionFlags SessionIDVersionSSL2SSL3TLS10TLS11TLS12TLS13HostNameSessionManager sessionResumesessionResumeOnlyOncesessionEstablishsessionInvalidatenoSessionManager Compression CompressionCcompressionCIDcompressionCDeflatecompressionCInflatenullCompressionHashMD5SHA1SHA224SHA256SHA384SHA512SHA1_MD5KxErrorRSAError KxUnsupported HandshakeAlertDescription CloseNotifyUnexpectedMessage BadRecordMacDecryptionFailedRecordOverflowDecompressionFailureHandshakeFailureBadCertificateUnsupportedCertificateCertificateRevokedCertificateExpiredCertificateUnknownIllegalParameter UnknownCa AccessDenied DecodeError DecryptErrorExportRestrictionProtocolVersionInsufficientSecurity InternalErrorInappropriateFallback UserCanceledNoRenegotiationMissingExtensionUnsupportedExtensionCertificateUnobtainableUnrecognizedNameBadCertificateStatusResponseBadCertificateHashValueUnknownPskIdentityCertificateRequiredNoApplicationProtocol ClientRandomunClientRandom ServerRandomunServerRandomHeader TLSException TerminatedHandshakeFailedConnectionNotEstablishedTLSError Error_MiscError_ProtocolError_CertificateError_HandshakePolicy Error_EOF Error_PacketError_Packet_unexpectedError_Packet_Parsing ProtocolTypeProtocolType_ChangeCipherSpecProtocolType_AlertProtocolType_HandshakeProtocolType_AppData ProtocolType_DeprecatedHandshakeHashAndSignatureAlgorithmSignatureAlgorithmSignatureAnonymous SignatureRSA SignatureDSSSignatureECDSASignatureRSApssRSAeSHA256SignatureRSApssRSAeSHA384SignatureRSApssRSAeSHA512SignatureEd25519SignatureEd448SignatureRSApsspssSHA256SignatureRSApsspssSHA384SignatureRSApsspssSHA512SignatureOther HashAlgorithmHashNoneHashMD5HashSHA1 HashSHA224 HashSHA256 HashSHA384 HashSHA512 HashIntrinsic HashOtherCertificateTypeCertificateType_RSA_SignCertificateType_DSS_SignCertificateType_ECDSA_SignCertificateType_Ed25519_SignCertificateType_Ed448_SignCertificateType_RSA_Fixed_DHCertificateType_DSS_Fixed_DH CertificateType_RSA_Ephemeral_DH CertificateType_DSS_Ephemeral_DHCertificateType_fortezza_dmsCertificateType_RSA_Fixed_ECDH CertificateType_ECDSA_Fixed_ECDHCertificateType_Unknown Handshake13CiphercipherID cipherName cipherHash cipherBulkcipherKeyExchange cipherMinVer cipherPRFHashBulkbulkName bulkKeySize bulkIVSizebulkExplicitIVbulkAuthTagLen bulkBlockSizebulkFCipherKeyExchangeTypeCipherKeyExchange_RSACipherKeyExchange_DH_AnonCipherKeyExchange_DHE_RSACipherKeyExchange_ECDHE_RSACipherKeyExchange_DHE_DSSCipherKeyExchange_DH_DSSCipherKeyExchange_DH_RSACipherKeyExchange_ECDH_ECDSACipherKeyExchange_ECDH_RSACipherKeyExchange_ECDHE_ECDSACipherKeyExchange_TLS13 BulkFunctions BulkBlockF BulkStreamF BulkAeadF BulkDirection BulkEncrypt BulkDecryptBulkAEAD BulkBlock BulkStream BulkStateBulkStateStreamBulkStateBlock BulkStateAEADBulkStateUninitializedBulkAdditionalData BulkNonceBulkIVBulkKeybulkInithasMAC hasRecordIVcipherKeyBlockSizecipherAllowedForVersionciphersuite_allciphersuite_mediumciphersuite_strongciphersuite_dhe_rsaciphersuite_dhe_dssciphersuite_unencryptedcipher_null_MD5cipher_null_SHA1cipher_RC4_128_MD5cipher_RC4_128_SHA1cipher_RSA_3DES_EDE_CBC_SHA1cipher_AES128_SHA1cipher_DHE_DSS_AES128_SHA1cipher_DHE_RSA_AES128_SHA1cipher_AES256_SHA1cipher_DHE_DSS_AES256_SHA1cipher_DHE_RSA_AES256_SHA1cipher_AES128_SHA256cipher_AES256_SHA256cipher_DHE_DSS_RC4_SHA1cipher_DHE_RSA_AES128_SHA256cipher_DHE_RSA_AES256_SHA256cipher_AES128CCM_SHA256cipher_AES128CCM8_SHA256cipher_AES128GCM_SHA256cipher_AES256CCM_SHA256cipher_AES256CCM8_SHA256cipher_AES256GCM_SHA384cipher_DHE_RSA_AES128CCM_SHA256 cipher_DHE_RSA_AES128CCM8_SHA256cipher_DHE_RSA_AES128GCM_SHA256cipher_DHE_RSA_AES256CCM_SHA256 cipher_DHE_RSA_AES256CCM8_SHA256cipher_DHE_RSA_AES256GCM_SHA384(cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256*cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256&cipher_DHE_RSA_CHACHA20POLY1305_SHA256cipher_TLS13_AES128GCM_SHA256cipher_TLS13_AES256GCM_SHA384$cipher_TLS13_CHACHA20POLY1305_SHA256cipher_TLS13_AES128CCM_SHA256cipher_TLS13_AES128CCM8_SHA256 cipher_ECDHE_ECDSA_AES128CBC_SHA cipher_ECDHE_ECDSA_AES256CBC_SHAcipher_ECDHE_RSA_AES128CBC_SHAcipher_ECDHE_RSA_AES256CBC_SHA!cipher_ECDHE_RSA_AES128CBC_SHA256!cipher_ECDHE_RSA_AES256CBC_SHA384#cipher_ECDHE_ECDSA_AES128CBC_SHA256#cipher_ECDHE_ECDSA_AES256CBC_SHA384#cipher_ECDHE_ECDSA_AES128CCM_SHA256$cipher_ECDHE_ECDSA_AES128CCM8_SHA256#cipher_ECDHE_ECDSA_AES128GCM_SHA256#cipher_ECDHE_ECDSA_AES256CCM_SHA256$cipher_ECDHE_ECDSA_AES256CCM8_SHA256#cipher_ECDHE_ECDSA_AES256GCM_SHA384!cipher_ECDHE_RSA_AES128GCM_SHA256!cipher_ECDHE_RSA_AES256GCM_SHA384HandshakeMode13 FullHandshakeHelloRetryRequest PreSharedKeyRTT0MaxFragmentEnumMaxFragment512MaxFragment1024MaxFragment2048MaxFragment4096CertificateUsageCertificateUsageAcceptCertificateUsageRejectCertificateRejectReasonCertificateRejectExpiredCertificateRejectRevokedCertificateRejectUnknownCACertificateRejectAbsentCertificateRejectOtherHookshookRecvHandshakehookRecvHandshake13hookRecvCertificates hookLoggingLoggingloggingPacketSentloggingPacketRecv loggingIOSent loggingIORecv Credentials CredentialcredentialLoadX509credentialLoadX509FromMemorycredentialLoadX509Chain!credentialLoadX509ChainFromMemory ServerHooksonClientCertificateonUnverifiedClientCertonCipherChoosingonServerNameIndicationonNewHandshakeonALPNClientSuggest ClientHooksonCertificateRequestonServerCertificate onSuggestALPNonCustomFFDHEGroupOnServerCertificateOnCertificateRequest GroupUsageGroupUsageValidGroupUsageInsecureGroupUsageUnsupportedGroupUsageInvalidPublicSharedsharedCredentialssharedSessionManager sharedCAStoresharedValidationCacheEMSModeNoEMSAllowEMS RequireEMS SupportedsupportedVersionssupportedCipherssupportedCompressionssupportedHashSignaturessupportedSecureRenegotiation%supportedClientInitiatedRenegotiationsupportedExtendedMasterSecsupportedSessionsupportedFallbackScsvsupportedEmptyPacketsupportedGroups ServerParamsserverWantClientCertserverCACertificatesserverDHEParams serverHooks serverSharedserverSupported serverDebugserverEarlyDataSizeserverTicketLifetime ClientParamsclientUseMaxFragmentLengthclientServerIdentificationclientUseServerNameIndicationclientWantSessionResume clientShared clientHooksclientSupported clientDebugclientEarlyData DebugParams debugSeeddebugPrintSeeddebugVersionForceddebugKeyLoggerdefaultParamsClientContext ctxConnection Information infoVersion infoCipherinfoCompressioninfoMasterSecretinfoExtendedMasterSecinfoClientRandominfoServerRandominfoNegotiatedGroupinfoTLS13HandshakeModeinfoIsEarlyDataAccepted contextFlush contextClosecontextGetInformationcontextModifyHooksrequestCertificate handshake TLSParams contextNewcontextNewOnHandlecontextNewOnSocketcontextHookSetHandshakeRecvcontextHookSetHandshake13RecvcontextHookSetCertificateRecvcontextHookSetLoggingKeyUpdateRequestOneWayTwoWaybyegetNegotiatedProtocol getClientSNIsendDatarecvData recvData' updateKeyBytesgetClientCertificateChainKeyExchangeSignatureAlgKX_ECDSAKX_DSSKX_RSAavailableFFGroupsavailableECGroups mtl-2.2.2Control.Monad.Error.Class MonadError throwError catchErrortransformers-0.5.5.0Control.Monad.Trans.ErrorErrorstrMsgnoMsgErrTrunErrTbaseGHC.Base++GHC.Listfilterzipmap Control.MonadguardjoinMonad>>=>>returnfailFunctorfmap<$ghc-prim GHC.ClassesOrd>=minmax><compare<=Control.Monad.Fail MonadFail Applicativepure<*>*>liftA2<* Data.Foldablefoldrnulllengthfoldlfoldl'foldl1sumproductfoldr1maximumminimumelemData.TraversablemapMsequence Semigroup<>sconcatstimes GHC.MaybeMaybeNothingJust GHC.TypesOrderingLTEQGTWordGHC.WordWord8Word16Word32Word64bytestring-0.10.8.2Data.ByteString.Internal ByteStringData.Semigroupoption mtimesDefaultdiffcycle1MingetMinMaxgetMaxArgArgMinArgMaxFirstgetFirstLastgetLast WrappedMonoid WrapMonoid unwrapMonoidOption getOptionmfilter<$!>unless replicateM_ replicateMfoldM_foldM zipWithM_zipWithM mapAndUnzipMforever<=<>=>filterM Data.ListisSubsequenceOf mapAccumR mapAccumLforMControl.Applicativeoptional WrappedMonad WrapMonad unwrapMonad WrappedArrow WrapArrow unwrapArrowZipList getZipListData.Functor.ConstConstgetConstfindnotElem minimumBy maximumByallanyorand concatMapconcatmsum sequence_forM_mapM_Data.Semigroup.Internal stimesMonoidstimesIdempotentDualgetDualEndoappEndoAllgetAllAnygetAnySumgetSumProduct getProduct Data.OldListunwordswordsunlineslinesunfoldrsortOnsortBysort permutations subsequencestailsinitsgroupBygroupdeleteFirstsByunzip7unzip6unzip5unzip4zipWith7zipWith6zipWith5zipWith4zip7zip6zip5zip4genericReplicate genericIndexgenericSplitAt genericDrop genericTake genericLengthinsertByinsert partition transpose intercalate intersperse intersectBy intersectunionByunion\\deleteBydeletenubBynub isInfixOf isSuffixOf isPrefixOf findIndices findIndex elemIndices elemIndex stripPrefix dropWhileEndData.Ord comparingDown byteSwap64 byteSwap32 byteSwap16 Data.BitstoIntegralSizedpopCountDefaulttestBitDefault bitDefaultBits.&..|.xor complementshiftrotatezeroBitsbitsetBitclearBit complementBittestBit bitSizeMaybebitSizeisSignedshiftL unsafeShiftLshiftR unsafeShiftRrotateLrotateRpopCount FiniteBits finiteBitSizecountLeadingZeroscountTrailingZeros Data.Functorvoid<$>unzip3unzipzipWith3zipWithzip3!!lookupreversebreakspansplitAtdroptake dropWhile takeWhilecycle replicaterepeatiterate'iteratescanr1scanrscanl'scanl1scanlfoldl1'initlasttailunconshead Data.MaybemapMaybe catMaybes listToMaybe maybeToList fromMaybe isNothingisJustmaybeapliftM5liftM4liftM3liftM2liftMwhen=<<liftA3liftA<**> Alternativeempty<|>somemany MonadPlusmzeromplusstimesIdempotentMonoid showBytesHexnewMeasurementaddBytesReceived addBytesSentresetBytesCountersincrementNbHandshakes&cryptonite-0.26-IijLzbS4q70FSbXhABK4Xr Crypto.RandomseedFromInteger seedToIntegerseedNewSeedCrypto.Random.Types MonadRandomgetRandomBytesStateRNG withTLSRNG newStateRNGDHKey DHPrivatedhPublic dhPrivatedhParamsdhGenerateKeyPair dhGetShareddhValiddhUnwrap dhParamsGetP dhParamsGetGdhParamsGetBitsdhUnwrapPublic DirectionRoleCertReqContext MasterSecret SecretPairpairBase pairClient SecretTripletriBase triClient triServerServerTrafficSecretClientTrafficSecret BaseSecretResumptionSecretApplicationSecretHandshakeSecret EarlySecretTxRx ClientRole ServerRolelifetimeageAddtxrxTime estimatedRTT MillisecondSecond invertRoleNullCompression compressionIDcompressionDeflatecompressionInflatecompressionIntersectIDhasHelloExtensionshasExplicitBlockIVSaved&&!bytesEqsaveMVarGHC.MVarMVar restoreMVarsubtakelast partition3 partition6fromJust fmapEithercatchException forEitherM mapChunks_ getChunksdecodeASN1ObjectencodeASN1ObjectCrypto.Number.Serializei2ospOf_i2ospos2ipGroupKey GroupPublic GroupPrivatedhParamsForGroupgroupGenerateKeyPairdhGroupGenerateKeyPairgroupGetPubShareddhGroupGetPubSharedgroupGetSharedencodeGroupPublicdecodeGroupPublickxCanUseRSApkcs1kxCanUseRSApss hashUpdateSSLSignatureParams RSAParams DSSParams ECDSAParams Ed25519Params Ed448Params RSAEncodingRSApkcs1RSApssHashCtx HashContext PrivateKey PublicKeyisKeyExchangeSignatureKeyfindKeyExchangeSignatureAlgfindFiniteFieldGroupfindEllipticCurveGrouphashInit hashUpdate hashFinalhashhashNamehashDigestSize hashBlockSize kxEncrypt kxDecryptkxVerifykxSignlastSupportedCertificateTypeData.X509.DistinguishedNameDistinguishedName EnumSafe16fromEnumSafe16 toEnumSafe16 EnumSafe8 fromEnumSafe8 toEnumSafe8 TypeValuable valToType valOfTypeFinished ClientHello ServerHello Certificates HelloRequestServerHelloDone ClientKeyXchg ServerKeyXchg CertRequest CertVerifyClientKeyXchgAlgorithmDataCKX_RSACKX_DHCKX_ECDHServerKeyXchgAlgorithmData SKX_DH_Anon SKX_DHE_DSS SKX_DHE_RSA SKX_ECDHE_RSASKX_ECDHE_ECDSASKX_RSA SKX_DH_DSS SKX_DH_RSA SKX_Unparsed SKX_UnknownServerRSAParams rsa_modulus rsa_exponentServerECDHParamsServerDHParamsserverDHParams_pserverDHParams_gserverDHParams_yBigNum HandshakeTypeHandshakeType_HelloRequestHandshakeType_ClientHelloHandshakeType_ServerHelloHandshakeType_CertificateHandshakeType_ServerKeyXchgHandshakeType_CertRequestHandshakeType_ServerHelloDoneHandshakeType_CertVerifyHandshakeType_ClientKeyXchgHandshakeType_Finished AlertLevelAlertLevel_WarningAlertLevel_Fatal ExtensionRaw ExtensionID FinishedDataSessionPacketAlertChangeCipherSpecAppDataDigitallySigned Signature CipherDatacipherDataContent cipherDataMACcipherDataPadding CipherType CipherStream CipherBlock CipherAEAD ConnectionEndConnectionServerConnectionClientbigNumToIntegerbigNumFromIntegerserverDHParamsFromserverDHParamsToParamsserverDHParamsToPublic packetTypetypeOfHandshake numericalVerverOfNumHandshakeType13HandshakeType_ClientHello13HandshakeType_ServerHello13HandshakeType_EndOfEarlyData13 HandshakeType_NewSessionTicket13#HandshakeType_EncryptedExtensions13HandshakeType_CertRequest13HandshakeType_Certificate13HandshakeType_CertVerify13HandshakeType_Finished13HandshakeType_KeyUpdate13 ClientHello13 ServerHello13NewSessionTicket13EndOfEarlyData13EncryptedExtensions13 CertRequest13 Certificate13 CertVerify13 Finished13 KeyUpdate13 KeyUpdateUpdateNotRequestedUpdateRequestedPacket13Alert13ChangeCipherSpec13 AppData13typeOfHandshake13 contentTypeprf_TLSmacSSLhmacprf_SHA1prf_MD5 prf_MD5SHA1 prf_SHA256%cereal-0.5.8.1-KRPM4Pfa6l3HK7sjbDz33xData.Serialize.PutputWord8runPutPutData.Serialize.GetgetWord8getBytesisEmpty remainingGet GetResultGotError GotPartial GotSuccessGotSuccessRemainingGetContinuationrunGet runGetErr runGetMaybetryGet getWords8 getWord16 getWords16 getWord24 getWord32 getWord64 getOpaque8 getOpaque16 getOpaque24 getInteger16 getBigNum16getList processBytes putWords8 putWord16 putWord32 putWord64 putWords16 putWord24putBytes putOpaque8 putOpaque16 putOpaque24 putInteger16 putBigNum16 encodeWord16 encodeWord32 encodeWord64cParamsVersioncParamsKeyXchgType getDNames putDNames&decodeReallyServerKeyXchgAlgorithmDatagetPRF CurrentParamsgetBinaryVersionputBinaryVersion decodeHeaderdecodeDeprecatedHeaderLengthdecodeDeprecatedHeader encodeHeaderencodeHeaderNoVer decodeAlert decodeAlerts encodeAlertsdecodeHandshakeRecorddecodeHandshakedecodeDeprecatedHandshakeencodeHandshakeencodeHandshakeHeaderencodeHandshakeContentgetServerRandom32getClientRandom32putClientRandom32putServerRandom32 getSession putSession getExtensions putExtensiongetSignatureHashAlgorithmputSignatureHashAlgorithmdecodeChangeCipherSpecencodeChangeCipherSpecdecodePreMasterSecretencodePreMasterSecretgenerateMasterSecretgenerateExtendedMasterSecgenerateKeyBlockgenerateClientFinishedgenerateServerFinishedgenerateCertificateVerify_SSL!generateCertificateVerify_SSL_DSSencodeSignedDHParamsencodeSignedECDHParamsRecordM runRecordM RecordStatestCipher stCompression stCryptState stMacState RecordOptions recordVersion recordTLS13MacState msSequence CryptStatecstKeycstIV cstMacSecretgetRecordOptionsgetRecordVersionnewRecordStateincrRecordState setRecordIVwithCompression computeDigest makeDigestgetBulkgetMacSequenceRecordfragmentCompressfragmentCipherfragmentUncipherfragmentUncompress recordToRaw rawToRecordrecordToHeader Ciphertext Compressed PlaintextFragmentfragmentGetBytesfragmentPlaintextfragmentCompressedfragmentCiphertextonRecordFragment engageRecorddisengageRecordencodeHandshake13decodeHandshakes13getHandshakeType13decodeHandshakeRecord13decodeHandshake13 CertReqCBdatahstCertReqTokenhstCertReqCBdatahstCertReqSigAlgsCerthstClientCertSenthstCertReqSentfoldHandshakeDigestsetMasterSecretFromPresetMasterSecretsetServerHelloParameters RTT0StatusRTT0NoneRTT0Sent RTT0Accepted RTT0Rejected HandshakeMHandshakeStatehstClientVersionhstClientRandomhstServerRandomhstMasterSecret hstKeyStatehstServerDHParams hstDHPrivatehstServerECDHParamshstGroupPrivatehstHandshakeDigesthstHandshakeMessageshstClientCertChainhstPendingTxStatehstPendingRxStatehstPendingCipherhstPendingCompressionhstExtendedMasterSechstNegotiatedGrouphstTLS13HandshakeModehstTLS13RTT0StatushstTLS13EarlySecrethstTLS13ResumptionSecret hstCCS13SentHandshakeDigestHandshakeMessagesHandshakeDigestContextnewEmptyHandshake runHandshake setPublicKeysetPublicPrivateKeysgetRemotePublicKeygetLocalPublicPrivateKeyssetServerDHParamsgetServerDHParamssetServerECDHParamsgetServerECDHParams setDHPrivate getDHPrivategetGroupPrivatesetGroupPrivatesetExtendedMasterSecgetExtendedMasterSecsetNegotiatedGroupgetNegotiatedGroupsetTLS13HandshakeModegetTLS13HandshakeModesetTLS13RTT0StatusgetTLS13RTT0StatussetTLS13EarlySecretgetTLS13EarlySecretsetTLS13ResumptionSecretgetTLS13ResumptionSecret setCCS13Sent getCCS13SentsetCertReqSentgetCertReqSentsetClientCertSentgetClientCertSentsetClientCertChaingetClientCertChainsetCertReqTokengetCertReqTokensetCertReqCBdatagetCertReqCBdatasetCertReqSigAlgsCertgetCertReqSigAlgsCertgetPendingCipheraddHandshakeMessagegetHandshakeMessagesgetHandshakeMessagesRevupdateHandshakeDigestgetHandshakeDigest hkdfExtract deriveSecrethkdfExpandLabelExtendedMasterSecret#ApplicationLayerProtocolNegotiationSecureRenegotiationMaxFragmentLength ServerName ExtensionsupportedExtensionsCertificateAuthoritiesCookieEarlyDataIndicationPreSharedKeyClientHelloPreSharedKeyServerHello PskIdentityPskKeyExchangeModes PskKexModePSK_KE PSK_DHE_KEKeyShareKeyShareClientHelloKeyShareServerHello KeyShareHRR KeyShareEntrykeyShareEntryGroupkeySHareEntryKeyExchangeSupportedVersionsSupportedVersionsClientHelloSupportedVersionsServerHelloSignatureAlgorithmsCertPostHandshakeAuthSignatureAlgorithms HeartBeatModeHeartBeat_PeerAllowedToSendHeartBeat_PeerNotAllowedToSend HeartBeat SessionTicket EcPointFormatEcPointFormat_Uncompressed'EcPointFormat_AnsiX962_compressed_prime'EcPointFormat_AnsiX962_compressed_char2EcPointFormatsSupportedNegotiatedGroupsMaxFragmentLengthOtherServerNameTypeServerNameHostNameServerNameOtherextensionDecodeextensionEncode extensionID MessageTypeMsgTClientHelloMsgTServerHelloMsgTHelloRetryRequestMsgTEncryptedExtensionsMsgTNewSessionTicketMsgTCertificateRequestextensionID_ServerNameextensionID_MaxFragmentLengthextensionID_NegotiatedGroupsextensionID_EcPointFormatsextensionID_SignatureAlgorithmsextensionID_Heartbeat/extensionID_ApplicationLayerProtocolNegotiation extensionID_ExtendedMasterSecretextensionID_PreSharedKeyextensionID_EarlyDataextensionID_SupportedVersionsextensionID_CookieextensionID_PskKeyExchangeModes"extensionID_CertificateAuthoritiesextensionID_OidFiltersextensionID_PostHandshakeAuth#extensionID_SignatureAlgorithmsCertextensionID_KeyShareextensionID_SecureRenegotiationdefinedExtensionsTLSStTLSState stSessionstSessionResumingstSecureRenegotiationstClientVerifiedDatastServerVerifiedDatastExtensionALPNstHandshakeRecordContstNegotiatedProtocolstHandshakeRecordCont13stClientALPNSuggeststClientGroupSuggeststClientEcPointFormatSuggeststClientCertificateChain stClientSNI stRandomGen stVersionstClientContextstTLS13KeySharestTLS13PreSharedKey stTLS13HRR stTLS13CookiestExporterMasterSecretstClientSupportsPHA runTLSState newTLSStateupdateVerifiedDatafinishHandshakeTypeMaterialfinishHandshakeMaterialcertVerifyHandshakeTypeMaterialcertVerifyHandshakeMaterial setSessionisSessionResuming setVersionsetVersionIfUnset getVersiongetVersionWithDefaultsetSecureRenegotiationgetSecureRenegotiationsetExtensionALPNgetExtensionALPNsetNegotiatedProtocolsetClientALPNSuggestgetClientALPNSuggestsetClientEcPointFormatSuggestgetClientEcPointFormatSuggestsetClientCertificateChain setClientSNIgetVerifiedDataisClientContext genRandomwithRNGsetExporterMasterSecretgetExporterMasterSecretsetTLS13KeySharegetTLS13KeySharesetTLS13PreSharedKeygetTLS13PreSharedKey setTLS13HRR getTLS13HRRsetTLS13CookiegetTLS13CookiesetClientSupportsPHAgetClientSupportsPHA Data.X509getCertificateSignedCertificateData.X509.CertificateChainCertificateChainData.X509.Cert Certificate certVersion certSerialcertSignatureAlg certIssuerDN certValidity certSubjectDN certPubKeycertExtensions'x509-store-1.6.7-2KfjVmmP1gdLOkQn9lhp8cData.X509.CertificateStoreCertificateStorevalidateDefault FailedReasonData.X509.Validation.Types ServiceIDisNullCertificateChaingetCertificateChainLeafwrapCertificateChecks pubkeyType defaultHookscredentialMatchesHashSignatures credentialsListSigningAlgorithmscredentialsFindForSigningcredentialsFindForDecryptingcredentialPublicPrivateKeysTrueFalsemempty CommonParams PendingActionPendingActionHashctxEOF_ctxEstablished_ctxNeedEmptyPacketctxSSLv2ClientHello ctxTxState ctxRxState ctxHandshakectxHooks ctxLockWrite ctxLockRead ctxLockStatectxCertRequests EstablishedNotEstablishedEarlyDataAllowedEarlyDataNotAllowed ctxSupported ctxSharedctxStatectxMeasurementctxDoHandshakectxDoHandshakeWithctxDoRequestCertificatectxDoPostHandshakeAuthWithctxPendingActions ctxKeyLogger updateMeasure withMeasure contextSend contextRecvctxEOFctxHasSSLv2ClientHelloctxDisableSSLv2ClientHellosetEOFctxEstablished ctxWithHookssetEstablishedwithLog throwCorefailOnEitherError usingState usingState_ usingHState getHState saveHState restoreHStatedecideRecordVersion runTxState runRxState getStateRNG withReadLock withWriteLock withRWLock withStateLock tls13orLateraddCertRequest13getCertRequest13 encodePacket encodeRecordMupdateHandshakeprocessPacket13 processPacket decodeRecordM getTxState getRxState setTxState setRxState clearTxState clearRxStatesetHelloParameters13wrapAsMessageHash13transcriptHashsetPendingActionspopPendingAction serverRandom isDowngraded clientRandom hrrRandomisHelloRetryRequestencodePacket13updateHandshake13 PacketFlightM sendPacket recvPacket recvRecord sendPacket13 recvPacket13isRecvComplete checkValidrunPacketFlight loadPacket13checkDigitalSignatureKeyisDigitalSignaturePairsatisfiesEcPredicate encryptRSA signPrivate decryptRSA verifyPublic generateDHE generateECDHEgenerateECDHEShared generateFFDHEgenerateFFDHESharedversionCompatiblegetLocalPublicKeylogKeycertificateCompatiblehashSigToCertType decryptErrorsignatureCompatiblesignatureCompatible13checkCertificateVerifycreateCertificateVerifysignatureParamsdigitallySignDHParamsdigitallySignECDHParamsdigitallySignDHParamsVerifydigitallySignECDHParamsVerifycheckSupportedHashSignatureprocessHandshakeprocessHandshake13startHandshakehandshakeTerminateonRecvStateHandshake storePrivInfo RecvState RecvStateNextRecvStateHandshake RecvStateDonehandshakeFailedhandleException unexpected newSessionsendChangeCipherAndFinishrecvChangeCipherAndFinishrecvPacketHandshake runRecvStateensureRecvCompleteprocessExtendedMasterSecgetSessionDataextensionLookupcheckSupportedGroupisSupportedGroupcertificateRejectedbadCertificaterejectOnExceptionverifyLeafKeyUsage extractCAnamehandshakeTerminate13 CipherChoicecVersioncCiphercHashcZeroRecvHandshake13M makeFinished checkFinishedmakeServerKeySharemakeClientKeySharefromServerKeySharemakeCertVerifycheckCertVerify makePSKBinderreplacePSKBindersendChangeCipherSpec13makeCertRequestcreateTLS13TicketInfoageToObfuscatedAge isAgeValidgetAgecheckFreshnessgetCurrentTimeFromBasegetSessionData13ensureNullCompressionsafeNonNegative32recvHandshake13recvHandshake13hashrunRecvHandshake13isHashSignatureValid13makeCipherChoicecalculateEarlySecretinitEarlySecretcalculateHandshakeSecretcalculateApplicationSecretcalculateResumptionSecret derivePSKhandshakeServerWithrecvClientDatahandshakeServerrequestCertificateServerpostHandshakeAuthServerWithstorePrivInfoClient clientChaingetLocalHashSigAlgsupportedCtypessendClientData onServerHellohandshakeClientWithhandshakeClientpostHandshakeAuthClientWithpostHandshakeAuthWith handshakeWith