package tls

  1. Overview
  2. Docs

Configuration of the TLS stack

Config type

type certchain = Core.Cert.t list * Mirage_crypto_pk.Rsa.priv

certificate chain and private key of the first certificate

type own_cert = [
  1. | `None
  2. | `Single of certchain
  3. | `Multiple of certchain list
  4. | `Multiple_default of certchain * certchain list
]

polymorphic variant of own certificates

type session_cache = Core.SessionID.t -> Core.epoch_data option
type config = private {
  1. ciphers : Ciphersuite.ciphersuite list;
    (*

    ordered list (regarding preference) of supported cipher suites

    *)
  2. protocol_versions : Core.tls_version * Core.tls_version;
    (*

    supported protocol versions (min, max)

    *)
  3. hashes : Mirage_crypto.Hash.hash list;
    (*

    ordered list of supported hash algorithms (regarding preference)

    *)
  4. use_reneg : bool;
    (*

    endpoint should accept renegotiation requests

    *)
  5. authenticator : X509.Authenticator.t option;
    (*

    optional X509 authenticator

    *)
  6. peer_name : string option;
    (*

    optional name of other endpoint (used for SNI RFC4366)

    *)
  7. own_certificates : own_cert;
    (*

    optional default certificate chain and other certificate chains

    *)
  8. acceptable_cas : X509.Distinguished_name.t list;
    (*

    ordered list of acceptable certificate authorities

    *)
  9. session_cache : session_cache;
  10. cached_session : Core.epoch_data option;
  11. alpn_protocols : string list;
    (*

    optional ordered list of accepted alpn_protocols

    *)
}

configuration parameters

val config_of_sexp : Sexplib.Sexp.t -> config
val sexp_of_config : config -> Sexplib.Sexp.t
type client

opaque type of a client configuration

val client_of_sexp : Sexplib.Sexp.t -> client
val sexp_of_client : client -> Sexplib.Sexp.t
type server

opaque type of a server configuration

val server_of_sexp : Sexplib.Sexp.t -> server
val sexp_of_server : server -> Sexplib.Sexp.t

Constructors

val client : authenticator:X509.Authenticator.t -> ?peer_name:string -> ?ciphers:Ciphersuite.ciphersuite list -> ?version:(Core.tls_version * Core.tls_version) -> ?hashes:Mirage_crypto.Hash.hash list -> ?reneg:bool -> ?certificates:own_cert -> ?cached_session:Core.epoch_data -> ?alpn_protocols:string list -> unit -> client

client authenticator ?peer_name ?ciphers ?version ?hashes ?reneg ?certificates ?alpn_protocols is client configuration with the given parameters.

  • raises Invalid_argument

    if the configuration is invalid

val server : ?ciphers:Ciphersuite.ciphersuite list -> ?version:(Core.tls_version * Core.tls_version) -> ?hashes:Mirage_crypto.Hash.hash list -> ?reneg:bool -> ?certificates:own_cert -> ?acceptable_cas:X509.Distinguished_name.t list -> ?authenticator:X509.Authenticator.t -> ?session_cache:session_cache -> ?alpn_protocols:string list -> unit -> server

server ?ciphers ?version ?hashes ?reneg ?certificates ?acceptable_cas ?authenticator ?alpn_protocols is server configuration with the given parameters.

  • raises Invalid_argument

    if the configuration is invalid

val peer : client -> string -> client

peer client name is client with name as peer_name

Note on ALPN protocol selection

Both client and server constructors accept an alpn_protocols list. The list for server should be given in a descending order of preference. In the case of protocol selection, the server will iterate its list and select the first element that the client's list also advertises.

For example, if the client advertises ["foo"; "bar"; "baz"] and the server has ["bar"; "foo"], "bar" will be selected as the protocol of the handshake.

Utility functions

val default_hashes : Mirage_crypto.Hash.hash list

default_hashes is a list of hash algorithms used by default

val supported_hashes : Mirage_crypto.Hash.hash list

supported_hashes is a list of supported hash algorithms by this library

val min_dh_size : int

min_dh_size is minimal diffie hellman group size in bits (currently 1024)

dh_group is the default Diffie-Hellman group (currently the ffdhe2048 group from Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS)

val min_rsa_key_size : int

min_rsa_key_size is minimal RSA modulus key size in bits (currently 1024)

module Ciphers : sig ... end

Cipher selection

Internal use only

val of_client : client -> config

of_client client is a client configuration for client

val of_server : server -> config

of_server server is a server configuration for server

val with_authenticator : config -> X509.Authenticator.t -> config

with_authenticator config auth is config with auth as authenticator

val with_own_certificates : config -> own_cert -> config

with_own_certificates config cert is config with cert as own_cert

val with_acceptable_cas : config -> X509.Distinguished_name.t list -> config

with_acceptable_cas config cas is config with cas as accepted_cas

OCaml

Innovation. Community. Security.