h&0G      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ BSD-styleKazu Yamamoto  experimentalunknown Safe-Inferred /9876543210 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred , BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred  BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred~=tlsConnection IO backend?tls,Flush the connection sending buffer, if any.@tlsClose the connection.Atls)Send a bytestring through the connection.Btls6Receive specified number of bytes from the connection. :;<=>?@AB  BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredCtls'record some data about this connection.Etls$number of handshakes on this contextFtls#bytes received since last handshakeGtlsbytes sent since last handshake CDEFG  Safe-Inferred   Safe-InferredHI BSD-styleKazu Yamamoto  experimentalunknown Safe-InferredJtls2048 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 103 bits.Ktls3072 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 125 bits.Ltls4096 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 150 bits.Mtls6144 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 175 bits.Ntls8192 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 192 bits.JKLMNJKLMN  BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredWOtls=Hold both client and server traffic secrets at the same step.PtlsA server traffic secret, typed with a parameter indicating a step in the TLS key schedule.RtlsA client traffic secret, typed with a parameter indicating a step in the TLS key schedule.Ttls4Phantom type indicating application traffic secrets.Utls2Phantom type indicating handshake traffic secrets.Vtls-Phantom type indicating early traffic secret.tls DirectiontlsRoleWtlsCompression identificationXtlsCipher identificationtls(Certificate request context for TLS 1.3.ZtlsSome session flags[tls+Session created with Extended Master Secret\tlsSession data to resumehtls A session IDitlsVersions known to TLSSSL2 is just defined, but this version is and will not be supported..OPQRSTUVWXYZ[\]^_`abcdefghijklmno  BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredptlsA session managerrtlsused on server side to decide whether to resume a client session.stlsused on server side to decide whether to resume a client session for TLS 1.3 0RTT. For a given h%, the implementation must return its \( only once and must not return the same \ after the call.ttls#used when a session is established.utls#used when a session is invalidated.vtls"The session manager to do nothing.pqrstuv BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred[tls0This is the default compression which is a NOOP.wtlsevery compression need to be wrapped in this, to fit in structureytls>supported compression algorithms need to be part of this classtls+return the associated ID for this algorithmtlsdeflate (compress) a bytestring using a compression context and return the result along with the new compression context.tlsinflate (decompress) a bytestring using a compression context and return the result along the new compression context.tlsintersect a list of ids commonly given by the other side with a list of compression the function keeps the list of compression in order, to be able to find quickly the prefered compression.}tlsdefault null compression Wwxyz{|} BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred Safe-Inferred tlsAn opaque newtype wrapper to prevent from poking inside content that has been saved.tlsThis is a strict version of &&.tlsverify that 2 bytestrings are equals. it's a non lazy version, that will compare every bytes. arguments with different length will bail out earlytlsSave the content of an  to restore it later.tlsRestore the content of an  to a previous saved value and return the content that has just been replaced. BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"tlsAttempt to decode a bytestring representing an DER ASN.1 serialized object into the object.tls7Encode an ASN.1 Object to the DER serialized bytestring Safe-Inferred"H BSD-styleKazu Yamamoto  experimentalunknown Safe-Inferred"  Safe-Inferred$ptlsDigest size in bytes.tlsTest the RSASSA-PKCS1 length condition described in RFC 8017 section 9.2, i.e. emLen >= tLen + 11. Lengths are in bytes.tlsTest the RSASSA-PSS length condition described in RFC 8017 section 9.1.1, i.e. emBits >= 8hLen + 8sLen + 9. Lengths are in bits.tls+(for the md5 context, for the sha1 context) /9876543201HI~ BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred6,Gtlsdeprecated alert, should never be sent by compliant implementationtls#The raw content of a TLS extension.tlsIdentifier of a TLS extension.tlsTLS Exceptions related to bad user usage or asynchronous errorstlsEarly termination exception with the reason and the error associatedtls(Handshake failed for the reason attachedtlsUsage error when the connection has not been established and the user is trying to send or receive datatls5TLSError that might be returned through the TLS stacktlsmainly for instance of Errortlshandshake policy failed.tls,Some of the IANA registered code points for  are not currently supported by the library. Nor should they be, they're are either unwise, obsolete or both. There's no point in conveying these to the user in the client certificate request callback. The request callback will be filtered to exclude unsupported values. If the user cannot find a certificate for a supported code point, we'll go ahead without a client certificate and hope for the best, unless the user's callback decides to throw an exception.tlsTLS10 and up, RFC5246tlsTLS10 and up, RFC5246tlsTLS10 and up, RFC8422tlsTLS13 and up, synthetictlsTLS13 and up, synthetic | None of the below will ever be presented to the callback. Any future public key algorithms valid for client certificates go above this line.tlsLast supported certificate type, no 'CertificateType that compares greater than this one (based on the  instance, not on the wire code point) will be reported to the application via the client certificate request callback.\]^_`abcdefghijklmno BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred.U  BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred/tlsFor now we ignore the version, but perhaps some day the PRF will depend not only on the cipher PRF algorithm, but also on the protocol version. BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred0tlsCipher algorithmtlsCheck if a specific 2 is allowed to be used with the version specifiedX~ BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred3CtlsHandshake information generated for traffic at application level.tls?Handshake information generated for traffic at handshake level.tls;Handshake information generated for traffic at 0-RTT level.tlsID of the application-level protocol negotiated between client and server. See values listed in the  https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids IANA registry.  BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred@tlsAll AES and ChaCha20-Poly1305 ciphers supported ordered from strong to weak. This choice of ciphersuites should satisfy most normal needs. For otherwise strong ciphers we make little distinction between AES128 and AES256, and list each but the weakest of the AES128 ciphers ahead of the corresponding AES256 ciphers.AEAD ciphers with equivalent security properties are ordered based on CPU hardware-acceleration support. If this dynamic runtime behavior is not desired, use  instead.tlsSame as , but using deterministic preference not influenced by the CPU.tlsThe default ciphersuites + some not recommended last resort ciphers.AEAD ciphers with equivalent security properties are ordered based on CPU hardware-acceleration support. If this dynamic runtime behavior is not desired, use  instead.tlsSame as , but using deterministic preference not influenced by the CPU.tlslist of medium ciphers.tlsThe strongest ciphers supported. For ciphers with PFS, AEAD and SHA2, we list each AES128 variant after the corresponding AES256 and ChaCha20-Poly1305 variants. For weaker constructs, we use just the AES256 form.AEAD ciphers with equivalent security properties are ordered based on CPU hardware-acceleration support. If this dynamic runtime behavior is not desired, use  instead.tlsSame as , but using deterministic preference not influenced by the CPU.tlsDHE-RSA cipher suite. This only includes ciphers bound specifically to DHE-RSA so TLS 1.3 ciphers must be added separately.tls8all unencrypted ciphers, do not use on insecure network.tlsunencrypted cipher using RSA for key exchange and MD5 for digesttlsunencrypted cipher using RSA for key exchange and SHA1 for digesttls/RC4 cipher, RSA key exchange and MD5 for digesttls0RC4 cipher, RSA key exchange and SHA1 for digesttls?3DES cipher (168 bit key), RSA key exchange and SHA1 for digesttls>AES cipher (128 bit key), RSA key exchange and SHA1 for digesttlsAES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for digesttlsAES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for digesttls>AES cipher (256 bit key), RSA key exchange and SHA1 for digesttlsAES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for digesttlsAES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for digesttlsAES cipher (128 bit key), RSA key exchange and SHA256 for digesttlsAES cipher (256 bit key), RSA key exchange and SHA256 for digesttlsAESCCM cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.tlsAESCCM8 cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.tlsAESGCM cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.tlsAESCCM cipher (256 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.tlsAESCCM8 cipher (256 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.tlsAESGCM cipher (256 bit key), RSA key exchange. The SHA384 digest is used as a PRF, not as a MAC.>> BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredBIJKLMN BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredC4.  BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"F= tlscurrent protocol version tlscurrent key exchange type tls$Decode a list CA distinguished names tls%Encode a list of distinguished names. tlsin certain cases, we haven't manage to decode ServerKeyExchange properly, because the decoding was too eager and the cipher wasn't been set yet. we keep the Server Key Exchange in it unparsed format, and this function is able to really decode the server key xchange if it's unparsed. tlsThe TLS12 PRF is cipher specific, and some TLS12 algorithms use SHA384 instead of the default SHA256..  BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredH*tlsTLS encryption level.tlsUnprotected traffictls(Protected with master secret (TLS < 1.3)tls-Protected with early traffic secret (TLS 1.3)tls1Protected with handshake traffic secret (TLS 1.3)tls3Protected with application traffic secret (TLS 1.3)'   BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredK" tlsRepresent a TLS record. tlsturn a plaintext record into a compressed record using the compression function supplied tlsturn a compressed record into a ciphertext record using the cipher function supplied tlsturn a ciphertext fragment into a compressed fragment using the cipher function supplied tlsturn a compressed fragment into a plaintext fragment using the decompression function supplied tls&turn a record into an header and bytes tls*turn a header and a fragment into a record tlsturn a record into a header  BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredK   BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredL1 ! BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredL " Safe-Inferred"L # BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"Mw $ BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"^6tls5Type to show which handshake mode is used in TLS 1.3.tlsFull handshake is used.tls0Full handshake is used with hello retry request.tls!Server authentication is skipped.tls8Server authentication is skipped and early data is sent. tlsWhen we receive a CertificateRequest from a server, a just-in-time callback is issued to the application to obtain a suitable certificate. Somewhat unfortunately, the callback parameters don't abstract away the details of the TLS 1.2 Certificate Request message, which combines the legacy certificate_types and new supported_signature_algorithms& parameters is a rather subtle way.TLS 1.2 also (again unfortunately, in the opinion of the author of this comment) overloads the signature algorithms parameter to constrain not only the algorithms used in TLS, but also the algorithms used by issuing CAs in the X.509 chain. Best practice is to NOT treat such that restriction as a MUST, but rather take it as merely a preference, when a choice exists. If the best chain available does not match the provided signature algorithm list, go ahead and use it anyway, it will probably work, and the server may not even care about the issuer CAs at all, it may be doing DANE or have explicit mappings for the client's public key, ... The TLS 1.3 CertificateRequest message, drops certificate_types and no longer overloads supported_signature_algorithms to cover X.509. It also includes a new opaque context token that the client must echo back, which makes certain client authentication replay attacks more difficult. We will store that context separately, it does not need to be presented in the user callback. The certificate signature algorithms preferred by the peer are now in the separate signature_algorithms_cert extension, but we cannot report these to the application callback without an API change. The good news is that filtering the X.509 signature types is generally unnecessary, unwise and difficult. So we just ignore this extension.As a result, the information we provide to the callback is no longer a verbatim copy of the certificate request payload. In the case of TLS 1.3 The 6 list is synthetically generated from the server's signature_algorithms extension, and the signature_algorithms_certs extension is ignored.Since the original TLS 1.2  has no provision for the newer certificate types that have appeared in TLS 1.3 we're adding some synthetic values that have no equivalent values in the TLS 1.2  as defined in the IANA < https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 TLS ClientCertificateType Identifiers> registry. These values are inferred from the TLS 1.3 signature_algorithms extension, and will allow clients to present Ed25519 and Ed448 certificates when these become supported. tls>Set to Just-value when a TLS13 certificate request is received tls8Set to Just-value when a certificate request is received tlsIn TLS 1.3, these are separate from the certificate issuer signature algorithm hints in the callback data. In TLS 1.2 the same list is overloaded for both purposes. Not present in TLS 1.1 and earlier tls4Set to true when a client certificate chain was sent tlsSet to true when a certificate request was sent. This applies only to requests sent during handshake (not post-handshake). tlsCompress the whole transcript with the specified function. Function f takes the handshake digest as input and returns an encoded handshake message to replace the transcript with. tls6Generate the master secret from the pre master secret. tlsSet master secret and as a side effect generate the key block with all the right parameters, and setup the pending tx/rx state. tlschosen transmission versiontls2the role (Client or Server) of the generating sidetlsthe pre master secret tlschosen version  % BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"`ptls HKDF-Extract function. Returns the pseudorandom key (PRK) from salt and input keying material (IKM).tlsHKDF-Expand-Label function. Returns output keying material of the specified length from the PRK, customized for a TLS label and context. & BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferredc tlsExtended Master Secret tls-Application Layer Protocol Negotiation (ALPN) tlsSecure Renegotiation tls?Max fragment extension with length from 512 bytes to 4096 bytesRFC 6066 defines: If a server receives a maximum fragment length negotiation request for a value other than the allowed values, it MUST abort the handshake with an "illegal_parameter" alert.So, if a server receives MaxFragmentLengthOther, it must send the alert. tlsServer Name extension including the name type and the associated name. the associated name decoding is dependant of its name type. name type = 0 : hostname tlsExtension class to transform bytes to and from a high level Extension type. tls.all supported extensions by the implementation/0123456789   ' BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferrede7 ( BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferredftls3Certificate Usage callback possible returns values.tlsusage of certificate acceptedtlsusage of certificate rejectedtls&Certificate and Chain rejection reason! #-  ) BSD-style#Vincent Hanquez  experimentalunknown Safe-InferreditlsA collection of hooks actions.tls)called at each handshake message receivedtls5called at each handshake message received for TLS 1.3tls1called at each certificate chain message receivedtls/hooks on IO and packets, receiving and sending.tlsHooks for logging8This is called when sending and receiving packets and IO  * BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferredm"tlstry to create a new credential object from a public certificate and the associated private key that are stored on the filesystem in PEM format.tls similar to  but take the certificate and private key from memory instead of from the filesystem.tls similar to / but also allow specifying chain certificates.tls similar to / but also allow specifying chain certificates. tlsChecks whether certificate signatures in the chain comply with a list of hash/signature algorithm pairs. Currently the verification applies only to the signature of the leaf certificate, and when not self-signed. This may be extended to additional chain elements in the future.tls!public certificate (X.509 format)tlsprivate key associatedtls!public certificate (X.509 format)tls!chain certificates (X.509 format)tlsprivate key associated  + BSD-style#Vincent Hanquez  experimentalunknown Safe-InferredItlsA set of callbacks run by the server for various corners of the TLS establishmenttlsThis action is called when a client certificate chain is received from the client. When it returns a CertificateUsageReject value, the handshake is aborted.The function is not expected to verify the key-usage extension of the certificate. This verification is performed by the library internally. Default: returns the followings: CertificateUsageReject (CertificateRejectOther "no client certificates expected") tlsThis action is called when the client certificate cannot be verified. Return  ' to accept the certificate anyway, or   to fail verification.Default: returns  tlsAllow the server to choose the cipher relative to the the client version and the client list of ciphers.This could be useful with old clients and as a workaround to the BEAST (where RC4 is sometimes prefered with TLS < 1.1)'The client cipher list cannot be empty.$Default: taking the head of ciphers.tlsAllow the server to indicate additional credentials to be used depending on the host name indicated by the client.This is most useful for transparent proxies where credentials must be generated on the fly according to the host the client is trying to connect to.Returned credentials may be ignored if a client does not support the signature algorithms used in the certificate chain.Default: returns  tlsAt each new handshake, we call this hook to see if we allow handshake to happens.Default: returns  tlsAllow the server to choose an application layer protocol suggested from the client through the ALPN (Application Layer Protocol Negotiation) extensions. If the server supports no protocols that the client advertises an empty  should be returned. Default: tlsAllow to modify extensions to be sent in EncryptedExtensions of TLS 1.3.Default: 'return . id'tlsA set of callbacks run by the clients for various corners of TLS establishmenttlsThis action is called when the a certificate request is received from the server. The callback argument is the information from the request. The server, at its discretion, may be willing to continue the handshake without a client certificate. Therefore, the callback is free to return  to indicate that no client certificate should be sent, despite the server's request. In some cases it may be appropriate to get user consent before sending the certificate; the content of the user's certificate may be sensitive and intended only for specific servers.The action should select a certificate chain of one of the given certificate types and one of the certificates in the chain should (if possible) be signed by one of the given distinguished names. Some servers, that don't have a narrow set of preferred issuer CAs, will send an empty  list, rather than send all the names from their trusted CA bundle. If the client does not have a certificate chaining to a matching CA, it may choose a default certificate instead.Each certificate except the last should be signed by the following one. The returned private key must be for the first certificates in the chain. This key will be used to signing the certificate verify message.The public key in the first certificate, and the matching returned private key must be compatible with one of the list of  value when provided. TLS 1.3 changes the meaning of the list elements, adding explicit code points for each supported pair of hash and signature (public key) algorithms, rather than combining separate codes for the hash and key. For details see  1https://tools.ietf.org/html/rfc8446#section-4.2.3RFC 8446 section 4.2.3. When no compatible certificate chain is available, return  if it is OK to continue without a client certificate. Returning a non-matching certificate should result in a handshake failure.While the TLS version is not provided to the callback, the content of the signature_algorithms list provides a strong hint, since TLS 1.3 servers will generally list RSA pairs with a hash component of  Intrinsic (0x08).Note that is is the responsibility of this action to select a certificate matching one of the requested certificate types (public key algorithms). Returning a non-matching one will lead to handshake failure later.Default: returns  anyway.tlsUsed by the client to validate the server certificate. The default implementation calls   which validates according to the default hooks and checks provided by Data.X509.Validation. This can be replaced with a custom validation function using different settings.The function is not expected to verify the key-usage extension of the end-entity certificate, as this depends on the dynamically-selected cipher and this part should not be cached. Key-usage verification is performed by the library internally. Default:  tlsThis action is called when the client sends ClientHello to determine ALPN values such as '["h2", "http/1.1"]'.Default: returns tlsThis action is called to validate DHE parameters when the server selected a finite-field group not part of the "Supported Groups Registry" or not part of  list.With TLS 1.3 custom groups have been removed from the protocol, so this callback is only used when the version negotiated is 1.2 or below.The default behavior with (dh_p, dh_g, dh_size) and pub as follows: rejecting if dh_p is even,rejecting unless 1 < dh_g && dh_g < dh_p - 1+rejecting unless 1 < dh_p && pub < dh_p - 16rejecting if dh_size < 1024 (to prevent Logjam attack)-See RFC 7919 section 3.1 for recommandations.tls Type for 4. This type synonym is to make document readable.tls Type for 4. This type synonym is to make document readable.tls,Group usage callback possible return values.tlsusage of group acceptedtls-usage of group provides insufficient securitytls>usage of group rejected for other reason (specified as string)tls+usage of group with an invalid public valuetls2Parameters that are common to clients and servers.tlsThe list of certificates and private keys that a server will use as part of authentication to clients. Actual credentials that are used are selected dynamically from this list based on client capabilities. Additional credentials returned by  are also considered.When credential list is left empty (the default value), no key exchange can take place. Default:  tlsCallbacks used by clients and servers in order to resume TLS sessions. The default implementation never resumes sessions. Package  7https://hackage.haskell.org/package/tls-session-managertls-session-manager' provides an in-memory implementation. Default: vtlsA collection of trust anchors to be used by a client as part of validation of server certificates. This is set as first argument to function  . Package  /https://hackage.haskell.org/package/x509-system x509-system gives access to a default certificate store configured in the system. Default:  tlsCallbacks that may be used by a client to cache certificate validation results (positive or negative) and avoid expensive signature check. The default implementation does not have any caching.See the default value of -.tls;Additional extensions to be sent during the Hello sequence.For a client this is always included in message ClientHello. For a server, this is sent in messages ServerHello or EncryptedExtensions based on the TLS version. Default: []tls8Client or server policy regarding Extended Master Secrettls"Extended Master Secret is not usedtls!Extended Master Secret is allowedtls"Extended Master Secret is requiredtlsList all the supported algorithms, versions, ciphers, etc supported.tlsSupported versions by this context. On the client side, the highest version will be used to establish the connection. On the server side, the highest version that is less or equal than the client version will be chosen.Versions should be listed in preference order, i.e. higher versions first. Default: [TLS13,TLS12,TLS11,TLS10]tlsSupported cipher methods. The default is empty, specify a suitable cipher list. , is often a good choice. Default: []tlsSupported compressions methods. By default only the "null" compression is supported, which means no compression will be performed. Allowing other compression method is not advised as it causes a connection failure when TLS 1.3 is negotiated. Default: [nullCompression]tlsAll supported hash/signature algorithms pair for client certificate verification and server signature in (EC)DHE, ordered by decreasing priority.This list is sent to the peer as part of the "signature_algorithms" extension. It is used to restrict accepted signatures received from the peer at TLS level (not in X.509 certificates), but only when the TLS version is 1.2 or above. In order to disable SHA-1 one must then also disable earlier protocol versions in .The list also impacts the selection of possible algorithms when generating signatures.Note: with TLS 1.3 some algorithms have been deprecated and will not be used even when listed in the parameter: MD5, SHA-1, SHA-224, RSA PKCS#1, DSS.Default:  [ (HashIntrinsic, SignatureEd448) , (HashIntrinsic, SignatureEd25519) , (Struct.HashSHA256, SignatureECDSA) , (Struct.HashSHA384, SignatureECDSA) , (Struct.HashSHA512, SignatureECDSA) , (HashIntrinsic, SignatureRSApssRSAeSHA512) , (HashIntrinsic, SignatureRSApssRSAeSHA384) , (HashIntrinsic, SignatureRSApssRSAeSHA256) , (Struct.HashSHA512, SignatureRSA) , (Struct.HashSHA384, SignatureRSA) , (Struct.HashSHA256, SignatureRSA) , (Struct.HashSHA1, SignatureRSA) , (Struct.HashSHA1, SignatureDSS) ] tls/Secure renegotiation defined in RFC5746. If  7, clients send the renegotiation_info extension. If  , servers handle the extension or the renegotiation SCSV then send the renegotiation_info extension. Default:  tlsIf  , renegotiation is allowed from the client side. This is vulnerable to DOS attacks. If  , renegotiation is allowed only from the server side via HelloRequest. Default:  tlsThe mode regarding extended master secret. Enabling this extension provides better security for TLS versions 1.0 to 1.2. TLS 1.3 provides the security properties natively and does not need the extension.By default the extension is enabled but not required. If mode is set to , the handshake will fail when the peer does not support the extension. It is also advised to disable SSLv3 which does not have this mechanism. Default: tlsSet if we support session. Default:  tls4Support for fallback SCSV defined in RFC7507. If  , servers reject handshakes which suggest a lower protocol than the highest protocol supported. Default:  tlsIn ver <= TLS1.0, block ciphers using CBC are using CBC residue as IV, which can be guessed by an attacker. Hence, an empty packet is normally sent before a normal data packet, to prevent guessability. Some Microsoft TLS-based protocol implementations, however, consider these empty packets as a protocol violation and disconnect. If this parameter is  , empty packets will never be added, which is less secure, but might help in rare cases. Default:  tlsA list of supported elliptic curves and finite-field groups in the preferred order.The list is sent to the server as part of the "supported_groups" extension. It is used in both clients and servers to restrict accepted groups in DH key exchange. Up until TLS v1.2, it is also used by a client to restrict accepted elliptic curves in ECDSA signatures.The default value includes all groups with security strength of 128 bits or more. Default: [X25519,X448,P256,FFDHE3072,FFDHE4096,P384,FFDHE6144,FFDHE8192,P521]tls"Request a certificate from client. Default:  tlsThis is a list of certificates from which the disinguished names are sent in certificate request messages. For TLS1.0, it should not be empty. Default: '[]'tlsServer Optional Diffie Hellman parameters. Setting parameters is necessary for FFDHE key exchange when clients are not compatible with RFC 7919.9Value can be one of the standardized groups from module Network.TLS.Extra.FFDHE& or custom parameters generated with -.. Default: tlsSee the default value of .tlsSee the default value of .tlsSee the default value of .tlsSee the default value of .tlsServer accepts this size of early data in TLS 1.3. 0 (or lower) means that the server does not accept early data. Default: 0tlsLifetime in seconds for session tickets generated by the server. Acceptable value range is 0 to 604800 (7 days). The default lifetime is 86400 seconds (1 day).Default: 86400 (one day)tls Default: tlsDefine the name of the server, along with an extra service identification blob. this is important that the hostname part is properly filled for security reason, as it allow to properly associate the remote side with the given certificate during a handshake.The extra blob is useful to differentiate services running on the same host, but that might have different certificates given. It's only used as part of the X509 validation infrastructure.This value is typically set by .tlsAllow the use of the Server Name Indication TLS extension during handshake, which allow the client to specify which host name, it's trying to access. This is useful to distinguish CNAME aliasing (e.g. web virtual host). Default:  tls1try to establish a connection using this session. Default: tlsSee the default value of .tlsSee the default value of .tlsIn this element, you'll need to override the default empty value of of  with a suitable cipherlist.See the default value of .tlsSee the default value of .tlsClient tries to send this early data in TLS 1.3 if possible. If not accepted by the server, it is application's responsibility to re-sent it. Default: tls-All settings should not be used in productiontlsDisable the true randomness in favor of deterministic seed that will produce a deterministic random from. This is useful for tests and debugging purpose. Do not use in production Default: tlsAdd a way to print the seed that was randomly generated. re-using the same seed will reproduce the same randomness with Default: no printingtls0Force to choose this version in the server side. Default: tlsPrinting master keys.Default: no printing / BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"%&d tlssimple pending action tls=pending action taking transcript hash up to preceding messagetlsA TLS Context keep tls specific state, parameters and backend information.tls6return the backend object associated with this context tlshas the handle EOFed or not. tls0has the handshake been done and been successful. tls-empty packet workaround for CBC guessability. tlsenable the reception of compatibility SSLv2 client hello. the flag will be set to false regardless of its initial value after the first packet received. tls#maximum size of plaintext fragments tlscurrent tx state tlscurrent rx state tlsoptional handshake state tlshooks for this context tls;lock to use for writing data (including updating the state) tls;lock to use for reading data (including updating the state) tlslock used during read/write when receiving and sending packet. it is usually nested in a write or read lock. tlspending PHA requeststls=Information related to a running context, e.g. current ciphertls.A shortcut for 'backendFlush . ctxConnection'.tls.A shortcut for 'backendClose . ctxConnection'.tls%Information about the current contextCDEFG\]^_`abcdefgh      0 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred 1 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferredh tlsrecvRecord receive a full TLS record (header + data), from the other side..The record is disengaged from the record layer tls TLS contexttls1flag to enable SSLv2 compat ClientHello receptiontls;number of AppData bytes to accept above normal maximum size 2 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred 3 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"G 4 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred tlsGenerate a server random suitable for the version selected by the server and its supported versions. We use an 8-byte downgrade suffix when the selected version is lowered because of incomplete client support, but also when a version downgrade has been forced with debugVersionForced. This second part allows to test that the client implementation correctly detects downgrades. The suffix is not used when forcing TLS13 to a server not officially supporting TLS13 (this is not a downgrade scenario but only the consequence of our debug API allowing this). tlsTest if the negotiated version was artificially downgraded (that is, for other reason than the versions supported by the client). 5 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred tlsencodePacket transform a packet into marshalled data related to current state and updating state on the go 6 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferredh tlsState monad used to group several packets together and send them on wire as single flight. When packets are loaded in the monad, they are logged immediately, update the context digest and transcript, but actual sending is deferred. Packets are sent all at once when the monadic computation ends (normal termination but also if interrupted by an exception). tlsSend one packet to the context tlsreceive one packet from the context that contains 1 or many messages (many only in case of handshake). if will returns a TLSError if the packet is unexpected or malformed 7 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred tlsTest whether the argument is a public key supported for signature at the specified TLS version. This also accepts a key for RSA encryption. This test is performed by clients or servers before verifying a remote Certificate Verify. tlsTest whether the argument is matching key pair supported for signature. This also accepts material for RSA encryption. This test is performed by servers or clients before using a credential from the local configuration. tlsTest whether the public key satisfies a predicate about the elliptic curve. When the public key is not suitable for ECDSA, like RSA for instance, the predicate is not used and the result is  . 8 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"X tls0Check that the key is compatible with a list of  values. Ed25519 and Ed448 have no assigned code point and are checked with extension "signature_algorithms" only. tls Translate a  to an acceptable . Perhaps this needs to take supported groups into account, so that, for example, if we don't support any shared ECDSA groups with the server, we return  rather than .Therefore, this interface is preliminary. It gets us moving in the right direction. The interplay between all the various TLS extensions and certificate selection is rather complex.The goal is to ensure that the client certificate request callback only sees  values that are supported by the library and also compatible with the server signature algorithms extension.Since we don't yet support ECDSA private keys, the caller will use , to filter those out for now, leaving just RSA as the only supported client certificate algorithm for TLS 1.3.1FIXME: Add RSA_PSS_PSS signatures when supported. 9 BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred : Safe-Inferred"5tlsReturn the message that a TLS endpoint can add to its local log for the specified library error. tls1when a new handshake is done, wrap up & clean up. tls?process a list of handshakes message in the recv state machine. tlsStore the specified keypair. Whether the public key and private key actually match is left for the peer to discover. We're not presently burning CPU to detect that misconfiguration. We verify only that the types of keys match and that it does not include an algorithm that would not be safe.  ; BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred < BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"ȸ tls1TLS13 handshake wrap up & clean up. Contrary to handshakeTerminate, this does not handle session, which is managed separately for TLS 1.3. This does not reset byte counters because renegotiation is not allowed. And a few more state attributes are preserved, necessary for TLS13 handshake modes, session tickets and post-handshake authentication.( = BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"͠tls)Put the server context in handshake mode.Expect a client hello message as parameter. This is useful when the client hello has been already poped from the recv layer to inspect the packet.When the function returns, a new handshake has been succesfully negociated. On any error, a HandshakeFailed exception is raised.handshake protocol ( - receiving, - sending, [] optional): (no session) (session resumption) <- client hello <- client hello -> server hello -> server hello -> [certificate] -> [server key xchg] -> [cert request] -> hello done <- [certificate] <- client key xchg <- [cert verify]  -change cipher - change cipher  -finish - finish -> change cipher <- change cipher -> finish <- finishtls>receive Client data in handshake until the Finished handshake.<- [certificate] <- client key xchg <- [cert verify] <- change cipher <- finish> BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred" tlsStore the keypair and check that it is compatible with the current protocol version and a list of  values.tlsWhen the server requests a client certificate, we try to obtain a suitable certificate chain and private key via the callback in the client parameters. It is OK for the callback to return an empty chain, in many cases the client certificate is optional. If the client wishes to abort the handshake for lack of a suitable certificate, it can throw an exception in the callback.The return value is  when no CertificateRequest was received and no  Certificate? message needs to be sent. An empty chain means that an empty  Certificate> message needs to be sent to the server, naturally without a CertificateVerify. A non-empty   is the chain to send to the server along with a corresponding CertificateVerify.With TLS < 1.2 the server's CertificateRequest does not carry a signature algorithm list. It has a list of supported public key signing algorithms in the certificate_types' field. The hash is implicit. It is  for DSS and  for RSA.With TLS == 1.2 the server's CertificateRequest always has a supported_signature_algorithms list, as a fixed component of the structure. This list is (wrongly) overloaded to also limit X.509 signatures in the client's certificate chain. The BCP strategy is to find a compatible chain if possible, but else ignore the constraint, and let the server verify the chain as it sees fit. The supported_signature_algorithms field is only obligatory with respect to signatures on TLS messages, in this case the CertificateVerify message. The certificate_types field is still included.With TLS 1.3 the server's CertificateRequest has a mandatory signature_algorithms extension, the signature_algorithms_cert extension, which is optional, carries a list of algorithms the server promises to support in verifying the certificate chain. As with TLS 1.2, the client's makes a  best-effort to deliver a compatible certificate chain where all the CA signatures are known to be supported, but it should not abort the connection just because the chain might not work out, just send the best chain you have and let the server worry about the rest. The supported public key algorithms are now inferred from the signature_algorithms extension and certificate_types is gone.(With TLS 1.3, we synthesize and store a certificate_types& field at the time that the server's CertificateRequest message is received. This is then present across all the protocol versions, and can be used to determine whether a CertificateRequest was received or not.If signature_algorithms is ), then we're doing TLS 1.0 or 1.1. The signature_algorithms_cert extension is optional in TLS 1.3, and so the application callback will not be able to distinguish between TLS 1.[01] and TLS 1.3 with no certificate algorithm hints, but this just simplifies the chain selection process, all CA signatures are OK.tlsReturn a most preferred HandAndSignatureAlgorithm that is compatible with the local key and server's signature algorithms (both already saved). Must only be called for TLS versions 1.2 and up, with compatibility function   or   based on version.The values in the server's signature_algorithms extension are in descending order of preference. However here the algorithms are selected by client preference in  cHashSigs.tlsReturn the supported  values that are compatible with at least one supported signature algorithm.tlsTLS 1.2 and below. Send the client handshake messages that follow the  ServerHello, etc. except for CCS and Finished.XXX: Is any buffering done here to combined these messages into a single TCP packet? Otherwise we're prone to Nagle delays, or in any case needlessly generate multiple small packets, where a single larger packet will do. The TLS 1.3 code path seems to separating record generation and transmission and sending multiple records in a single packet.> [certificate]> client key exchange> [cert verify]tls experimentalunknown Safe-Inferred?tls:Post-handshake certificate request with TLS 1.3. Returns   if the request was possible, i.e. if TLS 1.3 is used and the remote client supports post-handshake authentication.@ BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred2tlsHandshake for a new TLS connection This is to be called at the beginning of a connection, and during renegotiationA BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferredtlscreate a new context using the backend and parameters specified.tls"create a new context on an handle.tls!create a new context on a socket.tlsGet TLS Finished sent to peertls#Get TLS Finished received from peertlsBackend abstraction with specific method to interact with the connection type.tlsParameters of the context.tlsHandle of the connection.tlsParameters of the context.tlsSocket of the connection.tlsParameters of the context.      B BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred" tlsHow to update keys in TLS 1.3tlsUnidirectional key updatetls&Bidirectional key update (normal case)tlsnotify the context that this side wants to close connection. this is important that it is called before closing the handle, otherwise the session might not be resumable (for version < TLS1.2).&this doesn't actually close the handletlsIf the ALPN extensions have been used, this will return get the protocol agreed upon.tlsIf the Server Name Indication extension has been used, return the hostname specified by the client.tlssendData sends a bunch of data. It will automatically chunk data to acceptable packet sizetlsGet data out of Data packet, and automatically renegotiate if a Handshake ClientHello is received. An empty result means EOF.tls/same as recvData but returns a lazy bytestring.tlsUpdating appication traffic secrets for TLS 1.3. If this API is called for TLS 1.3,   is returned. Otherwise,   is returned.  BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred"tlsCallbacks implemented by QUIC and to be called by TLS at specific points during the handshake. TLS may invoke them from external threads but calls are not concurrent. Only a single callback function is called at a given point in time.tlsCalled by TLS so that QUIC sends one or more handshake fragments. The content transiting on this API is the plaintext of the fragments and QUIC responsability is to encrypt this payload with the key material given for the specified level and an appropriate encryption scheme.The size of the fragments may exceed QUIC datagram limits so QUIC may break them into smaller fragments.The handshake protocol sometimes combines content at two levels in a single flight. The TLS library does its best to provide this in the same quicSend call and with a multi-valued argument. QUIC can then decide how to transmit this optimally.tlsCalled by TLS to receive from QUIC the next plaintext handshake fragment. The argument specifies with which encryption level the fragment should be decrypted.?QUIC may return partial fragments to TLS. TLS will then call quicRecv again as long as necessary. Note however that fragments must be returned in the correct sequence, i.e. the order the TLS peer emitted them.The function may return an error to TLS if end of stream is reached or if a protocol error has been received, believing the handshake cannot proceed any longer. If the TLS handshake protocol cannot recover from this error, the failure condition will be reported back to QUIC through the control interface.tlsCalled by TLS when new encryption material is ready to be used in the handshake. The next  or  may now use the associated encryption level (although the previous level is also possible: directions Send/Recv do not change at the same time).tlsCalled by TLS when QUIC-specific extensions have been received from the peer.tls Called when  is done. ' is finished after calling this hook.  calls : after calling this hook to wait for new session tickets.tlsArgument given to ' when encryption material is available.tls6Key material and parameters for traffic at 0-RTT leveltls:Key material and parameters for traffic at handshake leveltls experimentalunknown Safe-Inferred& \gfedcba`_]^hionmljk  BSD-style#Vincent Hanquez  experimentalunknown Safe-Inferred_tlsGetting certificates from a client, if any. Note that the certificates are not sent by a client on resumption even if client authentication is required. So, this API would be replaced by the one which can treat both cases of full-negotiation and resumption. "! #'&%$()-,+*./0123456789:;<=>?@ABCDEFGHIWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~:;<=>?@ABCDEFGpqrstuvh\]^_`abcdefgZ[Y-,+*()'&%$#ijklmnowx}/0123456789HI.yz{|W ~X"! DEFDEGDEHDEIDEJDEKDELDEMDNODNPDNQDNRDNSDNTDNUDNVDNWDNXYZ[YZ\YZ]YZ^YZ_YZ`YZaYZbYZcYZdYZdYZeYZfYZgYZhYZiYZiYjkYjlYjmYjnYjoYjpYjqYjrYjsYjtYjtuvwxyz{|}~                                               ,$$$$$%%&&&&&&((((((((())))))))))))*******+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//////////////////:?@AAAAAAAAAABBBBBBBBBB                                                     D                                                                                                                                                                                         " " " " " " " " # # # # # $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ % & & & & & & & & & & & & & && & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & & ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '' ' ' ' ' '' '' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' D D  D  D  D  D  D D D D D D D D  YZ YZ Y  ( ( ( ( ) * * * * *    + / / / / / / / / / / / / / / / / / / / / / / / // / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / 0 0 0 1 1 2 2 3 3 3 3 3 3 3 3 3 3 3 3 4 4 4 4 4 5 5 5 5 6 6 6 6 6 6 6 6 6 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 8 8 8 8 8 8 8 8 8 8 8 8 8 9 9 9 : : : : : : : : : : : : : : : : : : : : : : ; ; ; ; ; < < < < < < < < < < < < <<<<<<<<<<<<<<<<<<<<<<<<<<<<=====>>>>>>>>>?@ tls-1.7.0-8OGZhQ4pTOBLPiUWWYkEaN Network.TLSNetwork.TLS.Extra.FFDHENetwork.TLS.QUICNetwork.TLS.Extra.CipherNetwork.TLS.Crypto.TypesNetwork.TLS.ErrTNetwork.TLS.ImportsNetwork.TLS.BackendNetwork.TLS.MeasurementNetwork.TLS.RNGNetwork.TLS.Crypto.DHNetwork.TLS.TypesNetwork.TLS.SessionNetwork.TLS.CompressionNetwork.TLS.CapNetwork.TLS.UtilNetwork.TLS.Util.ASN1Network.TLS.Util.SerializationNetwork.TLS.Crypto.IESNetwork.TLS.CryptoNetwork.TLS.StructNetwork.TLS.Struct13Network.TLS.MACNetwork.TLS.CipherNetwork.TLS.Handshake.ControlNetwork.TLS.ExtraNetwork.TLS.WireNetwork.TLS.PacketNetwork.TLS.Record.StateNetwork.TLS.Record.TypesNetwork.TLS.Record.EngageNetwork.TLS.Record.DisengageNetwork.TLS.RecordNetwork.TLS.Record.LayerNetwork.TLS.Packet13Network.TLS.Handshake.StateNetwork.TLS.KeyScheduleNetwork.TLS.ExtensionNetwork.TLS.StateNetwork.TLS.X509Network.TLS.HooksNetwork.TLS.CredentialsNetwork.TLS.Parametersciphersuite_defaultCrypto.PubKey.DHgenerateParamsNetwork.TLS.Context.InternalNetwork.TLS.Record.WritingNetwork.TLS.Record.ReadingNetwork.TLS.ReceivingNetwork.TLS.Handshake.State13Network.TLS.Handshake.RandomNetwork.TLS.SendingNetwork.TLS.IONetwork.TLS.Handshake.KeyNetwork.TLS.Handshake.SignatureNetwork.TLS.Handshake.ProcessNetwork.TLS.Handshake.Common!Network.TLS.Handshake.CertificateNetwork.TLS.Handshake.Common13Network.TLS.Handshake.ServerNetwork.TLS.Handshake.ClientNetwork.TLS.PostHandshakeNetwork.TLS.HandshakeNetwork.TLS.ContextNetwork.TLS.CoreNetwork.TLS.Internal)crypton-x509-1.7.6-IttiISMbafL289qSq38FRqData.X509.PrivateKey PrivKeyEd448PrivKeyEd25519 PrivKeyX448 PrivKeyX25519 PrivKeyEC PrivKeyDSA PrivKeyRSAPrivKeyData.X509.PublicKey PubKeyUnknown PubKeyEd448 PubKeyEd25519 PubKeyX448 PubKeyX25519PubKeyECPubKeyDH PubKeyDSA PubKeyRSAPubKey5crypton-x509-validation-1.6.12-5UYJTqD8TU89pvFJxvXBrEData.X509.Validation checkFQHNcheckLeafKeyPurposecheckLeafKeyUsage checkLeafV3checkExhaustivecheckCAConstraintscheckStrictOrdering checkAtTimecheckTimeValidityValidationCheckshookFilterReasonhookValidateNamehookValidateTimehookMatchSubjectIssuerValidationHooksData.X509.Validation.CacheexceptionValidationCacheValidationCacheUnknownValidationCacheDeniedValidationCachePassValidationCacheResultValidationCacheQueryCallbackValidationCacheAddCallbackcacheAdd cacheQueryValidationCache%network-3.1.4.0-B2siKM4RZ608EJIWCrOTuNetwork.Socket.InfoHostNameGroupP256P384P521X25519X448 FFDHE2048 FFDHE3072 FFDHE4096 FFDHE6144 FFDHE8192 HasBackendinitializeBackend getBackendBackend backendFlush backendClose backendSend backendRecv Measurement nbHandshakes bytesReceived bytesSentDHParamsDHPublic ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192TrafficSecretsServerTrafficSecretClientTrafficSecretApplicationSecretHandshakeSecret EarlySecret CompressionIDCipherIDTLS13TicketInfo SessionFlag SessionEMS SessionDatasessionVersion sessionCiphersessionCompressionsessionClientSNI sessionSecret sessionGroupsessionTicketInfo sessionALPNsessionMaxEarlyDataSize sessionFlags SessionIDVersionSSL2SSL3TLS10TLS11TLS12TLS13SessionManager sessionResumesessionResumeOnlyOncesessionEstablishsessionInvalidatenoSessionManager Compression CompressionCcompressionCIDcompressionCDeflatecompressionCInflatenullCompressionHashMD5SHA1SHA224SHA256SHA384SHA512SHA1_MD5KxErrorRSAError KxUnsupportedhashDigestSize HandshakeAlertDescription CloseNotifyUnexpectedMessage BadRecordMacDecryptionFailedRecordOverflowDecompressionFailureHandshakeFailureBadCertificateUnsupportedCertificateCertificateRevokedCertificateExpiredCertificateUnknownIllegalParameter UnknownCa AccessDenied DecodeError DecryptErrorExportRestrictionProtocolVersionInsufficientSecurity InternalErrorInappropriateFallback UserCanceledNoRenegotiationMissingExtensionUnsupportedExtensionCertificateUnobtainableUnrecognizedNameBadCertificateStatusResponseBadCertificateHashValueUnknownPskIdentityCertificateRequiredNoApplicationProtocol ExtensionRaw ExtensionID ClientRandomunClientRandom ServerRandomunServerRandomHeader TLSException TerminatedHandshakeFailedConnectionNotEstablishedTLSError Error_MiscError_ProtocolError_CertificateError_HandshakePolicy Error_EOF Error_PacketError_Packet_unexpectedError_Packet_Parsing ProtocolTypeProtocolType_ChangeCipherSpecProtocolType_AlertProtocolType_HandshakeProtocolType_AppData ProtocolType_DeprecatedHandshakeHashAndSignatureAlgorithmSignatureAlgorithmSignatureAnonymous SignatureRSA SignatureDSSSignatureECDSASignatureRSApssRSAeSHA256SignatureRSApssRSAeSHA384SignatureRSApssRSAeSHA512SignatureEd25519SignatureEd448SignatureRSApsspssSHA256SignatureRSApsspssSHA384SignatureRSApsspssSHA512SignatureOther HashAlgorithmHashNoneHashMD5HashSHA1 HashSHA224 HashSHA256 HashSHA384 HashSHA512 HashIntrinsic HashOtherCertificateTypeCertificateType_RSA_SignCertificateType_DSS_SignCertificateType_ECDSA_SignCertificateType_Ed25519_SignCertificateType_Ed448_SignCertificateType_RSA_Fixed_DHCertificateType_DSS_Fixed_DH CertificateType_RSA_Ephemeral_DH CertificateType_DSS_Ephemeral_DHCertificateType_fortezza_dmsCertificateType_RSA_Fixed_ECDH CertificateType_ECDSA_Fixed_ECDHCertificateType_Unknown Handshake13CiphercipherID cipherName cipherHash cipherBulkcipherKeyExchange cipherMinVer cipherPRFHashBulkbulkName bulkKeySize bulkIVSizebulkExplicitIVbulkAuthTagLen bulkBlockSizebulkFCipherKeyExchangeTypeCipherKeyExchange_RSACipherKeyExchange_DH_AnonCipherKeyExchange_DHE_RSACipherKeyExchange_ECDHE_RSACipherKeyExchange_DHE_DSSCipherKeyExchange_DH_DSSCipherKeyExchange_DH_RSACipherKeyExchange_ECDH_ECDSACipherKeyExchange_ECDH_RSACipherKeyExchange_ECDHE_ECDSACipherKeyExchange_TLS13 BulkFunctions BulkBlockF BulkStreamF BulkAeadF BulkDirection BulkEncrypt BulkDecryptBulkAEAD BulkBlock BulkStream BulkStateBulkStateStreamBulkStateBlock BulkStateAEADBulkStateUninitializedBulkAdditionalData BulkNonceBulkIVBulkKeybulkInithasMAC hasRecordIVcipherKeyBlockSizecipherAllowedForVersionApplicationSecretInfoHandshakeSecretInfoEarlySecretInfoNegotiatedProtocolciphersuite_default_detciphersuite_allciphersuite_all_detciphersuite_mediumciphersuite_strongciphersuite_strong_detciphersuite_dhe_rsaciphersuite_dhe_dssciphersuite_unencryptedcipher_null_MD5cipher_null_SHA1cipher_RC4_128_MD5cipher_RC4_128_SHA1cipher_RSA_3DES_EDE_CBC_SHA1cipher_AES128_SHA1cipher_DHE_DSS_AES128_SHA1cipher_DHE_RSA_AES128_SHA1cipher_AES256_SHA1cipher_DHE_DSS_AES256_SHA1cipher_DHE_RSA_AES256_SHA1cipher_AES128_SHA256cipher_AES256_SHA256cipher_DHE_DSS_RC4_SHA1cipher_DHE_RSA_AES128_SHA256cipher_DHE_RSA_AES256_SHA256cipher_AES128CCM_SHA256cipher_AES128CCM8_SHA256cipher_AES128GCM_SHA256cipher_AES256CCM_SHA256cipher_AES256CCM8_SHA256cipher_AES256GCM_SHA384cipher_DHE_RSA_AES128CCM_SHA256 cipher_DHE_RSA_AES128CCM8_SHA256cipher_DHE_RSA_AES128GCM_SHA256cipher_DHE_RSA_AES256CCM_SHA256 cipher_DHE_RSA_AES256CCM8_SHA256cipher_DHE_RSA_AES256GCM_SHA384(cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256*cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256&cipher_DHE_RSA_CHACHA20POLY1305_SHA256cipher_TLS13_AES128GCM_SHA256cipher_TLS13_AES256GCM_SHA384$cipher_TLS13_CHACHA20POLY1305_SHA256cipher_TLS13_AES128CCM_SHA256cipher_TLS13_AES128CCM8_SHA256 cipher_ECDHE_ECDSA_AES128CBC_SHA cipher_ECDHE_ECDSA_AES256CBC_SHAcipher_ECDHE_RSA_AES128CBC_SHAcipher_ECDHE_RSA_AES256CBC_SHA!cipher_ECDHE_RSA_AES128CBC_SHA256!cipher_ECDHE_RSA_AES256CBC_SHA384#cipher_ECDHE_ECDSA_AES128CBC_SHA256#cipher_ECDHE_ECDSA_AES256CBC_SHA384#cipher_ECDHE_ECDSA_AES128CCM_SHA256$cipher_ECDHE_ECDSA_AES128CCM8_SHA256#cipher_ECDHE_ECDSA_AES128GCM_SHA256#cipher_ECDHE_ECDSA_AES256CCM_SHA256$cipher_ECDHE_ECDSA_AES256CCM8_SHA256#cipher_ECDHE_ECDSA_AES256GCM_SHA384!cipher_ECDHE_RSA_AES128GCM_SHA256!cipher_ECDHE_RSA_AES256GCM_SHA384 CryptLevel CryptInitialCryptMasterSecretCryptEarlySecretCryptHandshakeSecretCryptApplicationSecretHandshakeMode13 FullHandshakeHelloRetryRequest PreSharedKeyRTT0 hkdfExtracthkdfExpandLabelMaxFragmentEnumMaxFragment512MaxFragment1024MaxFragment2048MaxFragment4096#extensionID_QuicTransportParametersCertificateUsageCertificateUsageAcceptCertificateUsageRejectCertificateRejectReasonCertificateRejectExpiredCertificateRejectRevokedCertificateRejectUnknownCACertificateRejectAbsentCertificateRejectOtherHookshookRecvHandshakehookRecvHandshake13hookRecvCertificates hookLoggingLoggingloggingPacketSentloggingPacketRecv loggingIOSent loggingIORecv Credentials CredentialcredentialLoadX509credentialLoadX509FromMemorycredentialLoadX509Chain!credentialLoadX509ChainFromMemory ServerHooksonClientCertificateonUnverifiedClientCertonCipherChoosingonServerNameIndicationonNewHandshakeonALPNClientSuggestonEncryptedExtensionsCreating ClientHooksonCertificateRequestonServerCertificate onSuggestALPNonCustomFFDHEGroupOnServerCertificateOnCertificateRequest GroupUsageGroupUsageValidGroupUsageInsecureGroupUsageUnsupportedGroupUsageInvalidPublicSharedsharedCredentialssharedSessionManager sharedCAStoresharedValidationCachesharedHelloExtensionsEMSModeNoEMSAllowEMS RequireEMS SupportedsupportedVersionssupportedCipherssupportedCompressionssupportedHashSignaturessupportedSecureRenegotiation%supportedClientInitiatedRenegotiationsupportedExtendedMasterSecsupportedSessionsupportedFallbackScsvsupportedEmptyPacketsupportedGroups ServerParamsserverWantClientCertserverCACertificatesserverDHEParams serverHooks serverSharedserverSupported serverDebugserverEarlyDataSizeserverTicketLifetime ClientParamsclientUseMaxFragmentLengthclientServerIdentificationclientUseServerNameIndicationclientWantSessionResume clientShared clientHooksclientSupported clientDebugclientEarlyData DebugParams debugSeeddebugPrintSeeddebugVersionForceddebugKeyLoggerdefaultParamsClientContext ctxConnection Information infoVersion infoCipherinfoCompressioninfoMasterSecretinfoExtendedMasterSecinfoClientRandominfoServerRandominfoNegotiatedGroupinfoTLS13HandshakeModeinfoIsEarlyDataAccepted contextFlush contextClosecontextGetInformationcontextModifyHookserrorToAlertMessagerequestCertificate handshake TLSParams contextNewcontextNewOnHandlecontextNewOnSocketcontextHookSetHandshakeRecvcontextHookSetHandshake13RecvcontextHookSetCertificateRecvcontextHookSetLogging getFinishedgetPeerFinishedKeyUpdateRequestOneWayTwoWaybyegetNegotiatedProtocol getClientSNIsendDatarecvData recvData' updateKey QUICCallbacksquicSendquicRecvquicInstallKeysquicNotifyExtensionsquicDoneKeyScheduleEventInstallEarlyKeysInstallHandshakeKeysInstallApplicationKeys tlsQUICClient tlsQUICServererrorTLSerrorToAlertDescriptionfromAlertDescriptiontoAlertDescriptiondefaultSupportedquicMaxEarlyDataSizeBytesgetClientCertificateChainKeyExchangeSignatureAlgKX_ECDSAKX_DSSKX_RSAavailableFFGroupsavailableECGroups mtl-2.2.2Control.Monad.Error.Class MonadError throwError catchErrorErrTrunErrTbaseGHC.Base++GHC.Listfilterzipmap Control.MonadguardjoinMonad>>=return>>Functor<$fmapghc-prim GHC.ClassesOrd<<=>maxmincompare>=Control.Monad.Fail MonadFailfail ApplicativeliftA2<*pure*><*> Data.Foldablesumproductnullminimummaximumfoldr1foldl1foldl'elemfoldlfoldrlengthData.TraversablemapMsequence Semigroupstimes<>sconcat GHC.MaybeMaybeNothingJust GHC.TypesOrderingGTLTEQWordGHC.WordWord8Word16Word32Word64bytestring-0.11.3.1Data.ByteString.Internal ByteStringforM_mapM_Data.Semigroup WrappedMonoid WrapMonoid unwrapMonoidMingetMinMaxgetMaxLastgetLastFirstgetFirstArgMinArgMaxArg mtimesDefaultdiffcycle1 zipWithM_zipWithMunless replicateM_ replicateMmfilter mapAndUnzipMforeverfoldM_foldMfilterM>=><=<<$!> Data.ListisSubsequenceOf mapAccumR mapAccumLforMControl.ApplicativeZipList getZipList WrappedMonad WrapMonad unwrapMonad WrappedArrow WrapArrow unwrapArrowoptionalData.Functor.ConstConstgetConst sequence_ornotElemmsum minimumBy maximumByfind concatMapconcatasumanyandall Data.OldListzipWith7zipWith6zipWith5zipWith4zip7zip6zip5zip4wordsunzip7unzip6unzip5unzip4unwordsunlinesunionByunionunfoldr transposetails subsequences stripPrefixsortOnsortBysort singleton permutations partitionnubBynublines isSuffixOf isPrefixOf isInfixOf intersperse intersectBy intersect intercalateinsertByinsertinitsgroupBygroup genericTakegenericSplitAtgenericReplicate genericLength genericIndex genericDrop findIndices findIndex elemIndices elemIndex dropWhileEnddeleteFirstsBydeleteBydelete\\Data.Semigroup.InternalSumgetSumProduct getProductEndoappEndoDualgetDualAnygetAnyAllgetAll stimesMonoidstimesIdempotentData.OrdDowngetDown comparingclamp Data.BitsXorgetXorIorgetIorIffgetIffAndgetAndoneBits byteSwap64 byteSwap32 byteSwap16 bitReverse8 bitReverse64 bitReverse32 bitReverse16GHC.Bits FiniteBits finiteBitSizecountLeadingZeroscountTrailingZerosBitszeroBitsxor unsafeShiftR unsafeShiftLtestBitshiftRshiftLshiftsetBitrotateRrotateLrotatepopCountisSigned complementBit complementclearBit bitSizeMaybebitSizebit.&..|.toIntegralSizedtestBitDefaultpopCountDefault bitDefaultzipWith3zipWithzip3unzip3unzipuncons takeWhiletaketailsplitAtspanscanr1scanrscanl1scanl'scanlreverse replicaterepeatlookuplastiterate'iterateinitheadfoldl1' dropWhiledropcyclebreak!! Data.Maybe maybeToListmaybemapMaybe listToMaybe isNothingisJust fromMaybe catMaybes Data.Functorvoid<&><$> MonadPlusmplusmzero Alternativesomemanyempty<|>whenliftM5liftM4liftM3liftM2liftMliftA3liftAap=<<<**>stimesIdempotentMonoid showBytesHexnewMeasurementaddBytesReceived addBytesSentresetBytesCountersincrementNbHandshakes"crypton-0.31-8dKVjJp3hRzBNjPnw4xL9 Crypto.RandomseedFromInteger seedToIntegerseedNewSeedCrypto.Random.Types MonadRandomgetRandomBytesStateRNG withTLSRNG newStateRNGDHKey DHPrivatedhPublic dhPrivatedhParamsdhGenerateKeyPair dhGetShareddhValiddhUnwrap dhParamsGetP dhParamsGetGdhParamsGetBitsdhUnwrapPublic DirectionRoleCertReqContext MasterSecret SecretPairpairBase pairClient SecretTripletriBase triClient triServerAnyTrafficSecret BaseSecretResumptionSecretTxRx ClientRole ServerRolelifetimeageAddtxrxTime estimatedRTT MillisecondSecond invertRoleNullCompression compressionIDcompressionDeflatecompressionInflatecompressionIntersectIDhasHelloExtensionshasExplicitBlockIVSaved&&!bytesEqsaveMVarGHC.MVarMVar restoreMVarsubtakelast partition3 partition6fromJust fmapEithercatchException forEitherM mapChunks_ getChunksdecodeASN1ObjectencodeASN1ObjectCrypto.Number.Serializei2ospOf_i2ospos2ipGroupKey GroupPublic GroupPrivatedhParamsForGroupgroupGenerateKeyPairdhGroupGenerateKeyPairgroupGetPubShareddhGroupGetPubSharedgroupGetSharedencodeGroupPublicdecodeGroupPublickxCanUseRSApkcs1kxCanUseRSApss hashUpdateSSLSignatureParams RSAParams DSSParams ECDSAParams Ed25519Params Ed448Params RSAEncodingRSApkcs1RSApssHashCtx HashContext PrivateKey PublicKeyisKeyExchangeSignatureKeyfindKeyExchangeSignatureAlgfindFiniteFieldGroupfindEllipticCurveGrouphashInit hashUpdate hashFinalhashhashName hashBlockSize kxEncrypt kxDecryptkxVerifykxSignkxSupportedPrivKeyEClastSupportedCertificateTypeData.X509.DistinguishedNameDistinguishedName EnumSafe16fromEnumSafe16 toEnumSafe16 EnumSafe8 fromEnumSafe8 toEnumSafe8 TypeValuable valOfType valToTypeFinished ClientHello ServerHello Certificates HelloRequestServerHelloDone ClientKeyXchg ServerKeyXchg CertRequest CertVerifyClientKeyXchgAlgorithmDataCKX_RSACKX_DHCKX_ECDHServerKeyXchgAlgorithmData SKX_DH_Anon SKX_DHE_DSS SKX_DHE_RSA SKX_ECDHE_RSASKX_ECDHE_ECDSASKX_RSA SKX_DH_DSS SKX_DH_RSA SKX_Unparsed SKX_UnknownServerRSAParams rsa_modulus rsa_exponentServerECDHParamsServerDHParamsserverDHParams_pserverDHParams_gserverDHParams_yBigNum HandshakeTypeHandshakeType_HelloRequestHandshakeType_ClientHelloHandshakeType_ServerHelloHandshakeType_CertificateHandshakeType_ServerKeyXchgHandshakeType_CertRequestHandshakeType_ServerHelloDoneHandshakeType_CertVerifyHandshakeType_ClientKeyXchgHandshakeType_Finished AlertLevelAlertLevel_WarningAlertLevel_Fatal FinishedDataSessionPacketAlertChangeCipherSpecAppDataDigitallySigned Signature CipherDatacipherDataContent cipherDataMACcipherDataPadding CipherType CipherStream CipherBlock CipherAEAD ConnectionEndConnectionServerConnectionClientbigNumToIntegerbigNumFromIntegerserverDHParamsFromserverDHParamsToParamsserverDHParamsToPublic packetTypetypeOfHandshake numericalVerverOfNumHandshakeType13HandshakeType_ClientHello13HandshakeType_ServerHello13HandshakeType_EndOfEarlyData13 HandshakeType_NewSessionTicket13#HandshakeType_EncryptedExtensions13HandshakeType_CertRequest13HandshakeType_Certificate13HandshakeType_CertVerify13HandshakeType_Finished13HandshakeType_KeyUpdate13 ClientHello13 ServerHello13NewSessionTicket13EndOfEarlyData13EncryptedExtensions13 CertRequest13 Certificate13 CertVerify13 Finished13 KeyUpdate13 KeyUpdateUpdateNotRequestedUpdateRequestedPacket13Alert13ChangeCipherSpec13 AppData13typeOfHandshake13 contentTypeprf_TLSmacSSLhmacprf_SHA1prf_MD5 prf_MD5SHA1 prf_SHA256 ServerStateSendServerHelloSendServerFinished ClientStateSendClientHelloRecvServerHelloSendClientFinished%cereal-0.5.8.3-LILlnsZTZ6u7ywUJbh6rHjData.Serialize.PutputWord8runPutPutData.Serialize.GetgetWord8getBytesisEmpty remainingGet GetResultGotError GotPartial GotSuccessGotSuccessRemainingGetContinuationrunGet runGetErr runGetMaybetryGet getWords8 getWord16 getWords16 getWord24 getWord32 getWord64 getOpaque8 getOpaque16 getOpaque24 getInteger16 getBigNum16getList processBytes putWords8 putWord16 putWord32 putWord64 putWords16 putWord24putBytes putOpaque8 putOpaque16 putOpaque24 putInteger16 putBigNum16 encodeWord16 encodeWord32 encodeWord64cParamsVersioncParamsKeyXchgType getDNames putDNames&decodeReallyServerKeyXchgAlgorithmDatagetPRF CurrentParamsgetBinaryVersionputBinaryVersion decodeHeaderdecodeDeprecatedHeaderLengthdecodeDeprecatedHeader encodeHeaderencodeHeaderNoVer decodeAlert decodeAlerts encodeAlertsdecodeHandshakeRecorddecodeHandshakedecodeDeprecatedHandshakeencodeHandshakeencodeHandshakeHeaderencodeHandshakeContentgetServerRandom32getClientRandom32putClientRandom32putServerRandom32 getSession putSession getExtensions putExtensiongetSignatureHashAlgorithmputSignatureHashAlgorithmdecodeChangeCipherSpecencodeChangeCipherSpecdecodePreMasterSecretencodePreMasterSecretgenerateMasterSecretgenerateExtendedMasterSecgenerateKeyBlockgenerateClientFinishedgenerateServerFinishedgenerateCertificateVerify_SSL!generateCertificateVerify_SSL_DSSencodeSignedDHParamsencodeSignedECDHParamsRecordM runRecordM RecordStatestCipher stCompression stCryptLevel stCryptState stMacState HasCryptLevel getCryptLevel RecordOptions recordVersion recordTLS13MacState msSequence CryptStatecstKeycstIV cstMacSecretgetRecordOptionsgetRecordVersionnewRecordStateincrRecordState setRecordIVwithCompression computeDigest makeDigestgetBulkgetMacSequenceRecordfragmentCompressfragmentCipherfragmentUncipherfragmentUncompress recordToRaw rawToRecordrecordToHeader Ciphertext Compressed PlaintextFragmentfragmentGetBytesfragmentPlaintextfragmentCompressedfragmentCiphertextonRecordFragment engageRecorddisengageRecord RecordLayer recordEncoderecordEncode13recordSendBytes recordRecv recordRecv13newTransparentRecordLayerencodeHandshake13decodeHandshakes13getHandshakeType13decodeHandshakeRecord13decodeHandshake13 CertReqCBdatahstCertReqTokenhstCertReqCBdatahstCertReqSigAlgsCerthstClientCertSenthstCertReqSentfoldHandshakeDigestsetMasterSecretFromPresetMasterSecretsetServerHelloParameters RTT0StatusRTT0NoneRTT0Sent RTT0Accepted RTT0Rejected HandshakeMHandshakeStatehstClientVersionhstClientRandomhstServerRandomhstMasterSecret hstKeyStatehstServerDHParams hstDHPrivatehstServerECDHParamshstGroupPrivatehstHandshakeDigesthstHandshakeMessageshstClientCertChainhstPendingTxStatehstPendingRxStatehstPendingCipherhstPendingCompressionhstExtendedMasterSechstNegotiatedGrouphstTLS13HandshakeModehstTLS13RTT0StatushstTLS13EarlySecrethstTLS13ResumptionSecret hstCCS13SentHandshakeDigestHandshakeMessagesHandshakeDigestContextnewEmptyHandshake runHandshake setPublicKeysetPublicPrivateKeysgetRemotePublicKeygetLocalPublicPrivateKeyssetServerDHParamsgetServerDHParamssetServerECDHParamsgetServerECDHParams setDHPrivate getDHPrivategetGroupPrivatesetGroupPrivatesetExtendedMasterSecgetExtendedMasterSecsetNegotiatedGroupgetNegotiatedGroupsetTLS13HandshakeModegetTLS13HandshakeModesetTLS13RTT0StatusgetTLS13RTT0StatussetTLS13EarlySecretgetTLS13EarlySecretsetTLS13ResumptionSecretgetTLS13ResumptionSecret setCCS13Sent getCCS13SentsetCertReqSentgetCertReqSentsetClientCertSentgetClientCertSentsetClientCertChaingetClientCertChainsetCertReqTokengetCertReqTokensetCertReqCBdatagetCertReqCBdatasetCertReqSigAlgsCertgetCertReqSigAlgsCertgetPendingCipheraddHandshakeMessagegetHandshakeMessagesgetHandshakeMessagesRevupdateHandshakeDigestgetHandshakeDigest deriveSecretExtendedMasterSecret#ApplicationLayerProtocolNegotiationSecureRenegotiationMaxFragmentLength ServerName ExtensionsupportedExtensionsCertificateAuthoritiesCookieEarlyDataIndicationPreSharedKeyClientHelloPreSharedKeyServerHello PskIdentityPskKeyExchangeModes PskKexModePSK_KE PSK_DHE_KEKeyShareKeyShareClientHelloKeyShareServerHello KeyShareHRR KeyShareEntrykeyShareEntryGroupkeyShareEntryKeyExchangeSupportedVersionsSupportedVersionsClientHelloSupportedVersionsServerHelloSignatureAlgorithmsCertPostHandshakeAuthSignatureAlgorithms HeartBeatModeHeartBeat_PeerAllowedToSendHeartBeat_PeerNotAllowedToSend HeartBeat SessionTicket EcPointFormatEcPointFormat_Uncompressed'EcPointFormat_AnsiX962_compressed_prime'EcPointFormat_AnsiX962_compressed_char2EcPointFormatsSupportedNegotiatedGroupsMaxFragmentLengthOtherServerNameTypeServerNameHostNameServerNameOtherextensionDecodeextensionEncode extensionID MessageTypeMsgTClientHelloMsgTServerHelloMsgTHelloRetryRequestMsgTEncryptedExtensionsMsgTNewSessionTicketMsgTCertificateRequestextensionID_ServerNameextensionID_MaxFragmentLengthextensionID_NegotiatedGroupsextensionID_EcPointFormatsextensionID_SignatureAlgorithmsextensionID_Heartbeat/extensionID_ApplicationLayerProtocolNegotiation extensionID_ExtendedMasterSecretextensionID_PreSharedKeyextensionID_EarlyDataextensionID_SupportedVersionsextensionID_CookieextensionID_PskKeyExchangeModes"extensionID_CertificateAuthoritiesextensionID_OidFiltersextensionID_PostHandshakeAuth#extensionID_SignatureAlgorithmsCertextensionID_KeyShareextensionID_SecureRenegotiationdefinedExtensionsTLSStTLSState stSessionstSessionResumingstSecureRenegotiationstClientVerifiedDatastServerVerifiedDatastExtensionALPNstHandshakeRecordContstNegotiatedProtocolstHandshakeRecordCont13stClientALPNSuggeststClientGroupSuggeststClientEcPointFormatSuggeststClientCertificateChain stClientSNI stRandomGen stVersionstClientContextstTLS13KeySharestTLS13PreSharedKey stTLS13HRR stTLS13CookiestExporterMasterSecretstClientSupportsPHA runTLSState newTLSStateupdateVerifiedDatafinishHandshakeTypeMaterialfinishHandshakeMaterialcertVerifyHandshakeTypeMaterialcertVerifyHandshakeMaterial setSessionisSessionResuming setVersionsetVersionIfUnset getVersiongetVersionWithDefaultsetSecureRenegotiationgetSecureRenegotiationsetExtensionALPNgetExtensionALPNsetNegotiatedProtocolsetClientALPNSuggestgetClientALPNSuggestsetClientEcPointFormatSuggestgetClientEcPointFormatSuggestsetClientCertificateChain setClientSNIgetVerifiedDataisClientContext genRandomwithRNGsetExporterMasterSecretgetExporterMasterSecretsetTLS13KeySharegetTLS13KeySharesetTLS13PreSharedKeygetTLS13PreSharedKey setTLS13HRR getTLS13HRRsetTLS13CookiegetTLS13CookiesetClientSupportsPHAgetClientSupportsPHA Data.X509getCertificateSignedCertificateData.X509.CertificateChainCertificateChainData.X509.Cert Certificate certVersion certSerialcertSignatureAlg certIssuerDN certValidity certSubjectDN certPubKeycertExtensions/crypton-x509-store-1.6.9-CquRS2s5ZxvGpnPhhDRUt2Data.X509.CertificateStoreCertificateStorevalidateDefault FailedReasonData.X509.Validation.Types ServiceIDisNullCertificateChaingetCertificateChainLeafwrapCertificateChecks pubkeyType defaultHookscredentialMatchesHashSignatures credentialsListSigningAlgorithmscredentialsFindForSigningcredentialsFindForDecryptingcredentialPublicPrivateKeysTrueFalsemempty CommonParams PendingActionPendingActionHashctxEOF_ctxEstablished_ctxNeedEmptyPacketctxSSLv2ClientHelloctxFragmentSize ctxTxState ctxRxState ctxHandshakectxHooks ctxLockWrite ctxLockRead ctxLockStatectxCertRequests EstablishedNotEstablishedEarlyDataAllowedEarlyDataNotAllowed HandshakeSync ctxSupported ctxSharedctxStatectxMeasurementctxDoHandshakectxDoHandshakeWithctxDoRequestCertificatectxDoPostHandshakeAuthWithctxPendingActions ctxKeyLoggerctxRecordLayerctxHandshakeSync ctxQUICMode ctxFinishedctxPeerFinishedupdateRecordLayer updateMeasure withMeasure contextSend contextRecvctxEOFctxHasSSLv2ClientHelloctxDisableSSLv2ClientHellosetEOFctxEstablished ctxWithHookssetEstablishedwithLog throwCorefailOnEitherError usingState usingState_ usingHState getHState saveHState restoreHStatedecideRecordVersion runTxState runRxState getStateRNG withReadLock withWriteLock withRWLock withStateLock tls13orLateraddCertRequest13getCertRequest13 encodeRecordencodeRecord13 sendBytes recvRecord recvRecord13 processPacketprocessPacket13 TrafficSecret getTxState getRxState setTxState setRxState clearTxState clearRxStatesetHelloParameters13wrapAsMessageHash13transcriptHashsetPendingActionspopPendingAction serverRandom isDowngraded clientRandom hrrRandomisHelloRetryRequest encodePacketupdateHandshakeencodePacket13updateHandshake13 PacketFlightM sendPacket recvPacket sendPacket13 recvPacket13isRecvComplete checkValidrunPacketFlight loadPacket13checkDigitalSignatureKeyisDigitalSignaturePairsatisfiesEcPredicate encryptRSA signPrivate decryptRSA verifyPublic generateDHE generateECDHEgenerateECDHEShared generateFFDHEgenerateFFDHESharedversionCompatiblegetLocalPublicKeylogKeycertificateCompatiblehashSigToCertType decryptErrorsignatureCompatiblesignatureCompatible13checkCertificateVerifycreateCertificateVerifysignatureParamsdigitallySignDHParamsdigitallySignECDHParamsdigitallySignDHParamsVerifydigitallySignECDHParamsVerifycheckSupportedHashSignatureprocessHandshakeprocessHandshake13startHandshakehandshakeTerminateonRecvStateHandshake storePrivInfo RecvState RecvStateNextRecvStateHandshake RecvStateDonehandshakeFailedhandleException errorToAlert unexpected newSessionsendChangeCipherAndFinishrecvChangeCipherAndFinishrecvPacketHandshake runRecvStateensureRecvCompleteprocessExtendedMasterSecgetSessionDataextensionLookupcheckSupportedGroupisSupportedGroupcertificateRejectedbadCertificaterejectOnExceptionverifyLeafKeyUsage extractCAnamehandshakeTerminate13 CipherChoicecVersioncCiphercHashcZeroRecvHandshake13M makeFinished checkFinishedmakeServerKeySharemakeClientKeySharefromServerKeySharemakeCertVerifycheckCertVerify makePSKBinderreplacePSKBindersendChangeCipherSpec13makeCertRequestcreateTLS13TicketInfoageToObfuscatedAge isAgeValidgetAgecheckFreshnessgetCurrentTimeFromBasegetSessionData13ensureNullCompressionsafeNonNegative32recvHandshake13recvHandshake13hashrunRecvHandshake13isHashSignatureValid13makeCipherChoicecalculateEarlySecretinitEarlySecretcalculateHandshakeSecretcalculateApplicationSecretcalculateResumptionSecret derivePSKcheckKeyShareKeyLengthhandshakeServerWithrecvClientDatahandshakeServerrequestCertificateServerpostHandshakeAuthServerWithstorePrivInfoClient clientChaingetLocalHashSigAlgsupportedCtypessendClientData onServerHellohandshakeClientWithhandshakeClientpostHandshakeAuthClientWithpostHandshakeAuthWith handshakeWith