Library
Module
Module type
Parameter
Class
Class type
Configuration of the TLS stack
type certchain = Core.Cert.t list * Mirage_crypto_pk.Rsa.priv
certificate chain and private key of the first certificate
type own_cert = [
| `None
| `Single of certchain
| `Multiple of certchain list
| `Multiple_default of certchain * certchain list
]
polymorphic variant of own certificates
type session_cache = Core.SessionID.t -> Core.epoch_data option
type config = private {
ciphers : Ciphersuite.ciphersuite list;
ordered list (regarding preference) of supported cipher suites
*)protocol_versions : Core.tls_version * Core.tls_version;
supported protocol versions (min, max)
*)hashes : Mirage_crypto.Hash.hash list;
ordered list of supported hash algorithms (regarding preference)
*)use_reneg : bool;
endpoint should accept renegotiation requests
*)authenticator : X509.Authenticator.t option;
optional X509 authenticator
*)peer_name : string option;
optional name of other endpoint (used for SNI RFC4366)
*)own_certificates : own_cert;
optional default certificate chain and other certificate chains
*)acceptable_cas : X509.Distinguished_name.t list;
ordered list of acceptable certificate authorities
*)session_cache : session_cache;
cached_session : Core.epoch_data option;
alpn_protocols : string list;
optional ordered list of accepted alpn_protocols
*)}
configuration parameters
val config_of_sexp : Sexplib.Sexp.t -> config
val sexp_of_config : config -> Sexplib.Sexp.t
val client_of_sexp : Sexplib.Sexp.t -> client
val sexp_of_client : client -> Sexplib.Sexp.t
val server_of_sexp : Sexplib.Sexp.t -> server
val sexp_of_server : server -> Sexplib.Sexp.t
val client :
authenticator:X509.Authenticator.t ->
?peer_name:string ->
?ciphers:Ciphersuite.ciphersuite list ->
?version:(Core.tls_version * Core.tls_version) ->
?hashes:Mirage_crypto.Hash.hash list ->
?reneg:bool ->
?certificates:own_cert ->
?cached_session:Core.epoch_data ->
?alpn_protocols:string list ->
unit ->
client
client authenticator ?peer_name ?ciphers ?version ?hashes ?reneg ?certificates ?alpn_protocols
is client
configuration with the given parameters.
val server :
?ciphers:Ciphersuite.ciphersuite list ->
?version:(Core.tls_version * Core.tls_version) ->
?hashes:Mirage_crypto.Hash.hash list ->
?reneg:bool ->
?certificates:own_cert ->
?acceptable_cas:X509.Distinguished_name.t list ->
?authenticator:X509.Authenticator.t ->
?session_cache:session_cache ->
?alpn_protocols:string list ->
unit ->
server
server ?ciphers ?version ?hashes ?reneg ?certificates ?acceptable_cas ?authenticator ?alpn_protocols
is server
configuration with the given parameters.
Both client
and server
constructors accept an alpn_protocols
list. The list for server should be given in a descending order of preference. In the case of protocol selection, the server will iterate its list and select the first element that the client's list also advertises.
For example, if the client advertises ["foo"; "bar"; "baz"]
and the server has ["bar"; "foo"]
, "bar"
will be selected as the protocol of the handshake.
default_hashes
is a list of hash algorithms used by default
supported_hashes
is a list of supported hash algorithms by this library
val dh_group : Mirage_crypto_pk.Dh.group
dh_group
is the default Diffie-Hellman group (currently the ffdhe2048 group from Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS)
module Ciphers : sig ... end
Cipher selection
val with_authenticator : config -> X509.Authenticator.t -> config
with_authenticator config auth
is config
with auth
as authenticator
with_own_certificates config cert
is config
with cert
as own_cert
val with_acceptable_cas : config -> X509.Distinguished_name.t list -> config
with_acceptable_cas config cas
is config
with cas
as accepted_cas