package tls

  1. Overview
  2. Docs
Transport Layer Security purely in OCaml

Install

Dune Dependency

github.com Readme Changelog BSD-2-Clause License Edit opam file Versions (36)

Authors

  1. D
    David Kaloper <david@numm.org>
  2. H
    Hannes Mehnert <hannes@mehnert.org>

Maintainers

  1. H
    Hannes Mehnert <hannes@mehnert.org>
  2. D
    David Kaloper <david@numm.org>

Sources

tls-v0.12.8.tbz
sha256=ca889a1593780b896be5139037865e7de21e620088b2c0e9d3d65565ddbef769
sha512=da21f3d1fc5e02feac774be8a1568e9acb2218d0ffdbd8551a845210969d16ce537a46badb03fb424dc0d3f31593bd0cc3f0d16b80a7e02c7ad287f8dd1ea977

doc/tls/Tls/Config/index.html

Module Tls.ConfigSource

Configuration of the TLS stack

Config type

certificate chain and private key of the first certificate

Sourcetype own_cert = [
  1. | `None
  2. | `Single of certchain
  3. | `Multiple of certchain list
  4. | `Multiple_default of certchain * certchain list
]

polymorphic variant of own certificates

Sourcetype session_cache = Core.SessionID.t -> Core.epoch_data option
Sourcetype ticket_cache = {
  1. lookup : Cstruct.t -> (Core.psk13 * Core.epoch_data) option;
  2. ticket_granted : Core.psk13 -> Core.epoch_data -> unit;
  3. lifetime : int32;
  4. timestamp : unit -> Core.Ptime.t;
}
Sourcetype ticket_cache_opt = ticket_cache option
Sourcetype config = private {
  1. ciphers : Ciphersuite.ciphersuite list;
    (*

    ordered list (regarding preference) of supported cipher suites

    *)
  2. protocol_versions : Core.tls_version * Core.tls_version;
    (*

    supported protocol versions (min, max)

    *)
  3. signature_algorithms : Core.signature_algorithm list;
    (*

    ordered list of supported signature algorithms (regarding preference)

    *)
  4. use_reneg : bool;
    (*

    endpoint should accept renegotiation requests

    *)
  5. authenticator : X509.Authenticator.t option;
    (*

    optional X509 authenticator

    *)
  6. peer_name : string option;
    (*

    optional name of other endpoint (used for SNI RFC4366)

    *)
  7. own_certificates : own_cert;
    (*

    optional default certificate chain and other certificate chains

    *)
  8. acceptable_cas : X509.Distinguished_name.t list;
    (*

    ordered list of acceptable certificate authorities

    *)
  9. session_cache : session_cache;
  10. ticket_cache : ticket_cache_opt;
  11. cached_session : Core.epoch_data option;
  12. cached_ticket : (Core.psk13 * Core.epoch_data) option;
  13. alpn_protocols : string list;
    (*

    optional ordered list of accepted alpn_protocols

    *)
  14. groups : Core.group list;
    (*

    the first FFDHE will be used for TLS 1.2 and below if a DHE ciphersuite is used

    *)
  15. zero_rtt : int32;
}

configuration parameters

Sourceval config_of_sexp : Sexplib.Sexp.t -> config
Sourceval sexp_of_config : config -> Sexplib.Sexp.t
Sourceval ciphers13 : config -> Ciphersuite.ciphersuite13 list

ciphers13 config are the ciphersuites for TLS 1.3 in the configuration.

Sourcetype client

opaque type of a client configuration

Sourceval client_of_sexp : Sexplib.Sexp.t -> client
Sourceval sexp_of_client : client -> Sexplib.Sexp.t
Sourcetype server

opaque type of a server configuration

Sourceval server_of_sexp : Sexplib.Sexp.t -> server
Sourceval sexp_of_server : server -> Sexplib.Sexp.t

Constructors

Sourceval client : authenticator:X509.Authenticator.t -> ?peer_name:string -> ?ciphers:Ciphersuite.ciphersuite list -> ?version:(Core.tls_version * Core.tls_version) -> ?signature_algorithms:Core.signature_algorithm list -> ?reneg:bool -> ?certificates:own_cert -> ?cached_session:Core.epoch_data -> ?cached_ticket:(Core.psk13 * Core.epoch_data) -> ?ticket_cache:ticket_cache -> ?alpn_protocols:string list -> ?groups:Core.group list -> unit -> client

client authenticator ?peer_name ?ciphers ?version ?hashes ?reneg ?certificates ?alpn_protocols is client configuration with the given parameters.

Sourceval server : ?ciphers:Ciphersuite.ciphersuite list -> ?version:(Core.tls_version * Core.tls_version) -> ?signature_algorithms:Core.signature_algorithm list -> ?reneg:bool -> ?certificates:own_cert -> ?acceptable_cas:X509.Distinguished_name.t list -> ?authenticator:X509.Authenticator.t -> ?session_cache:session_cache -> ?ticket_cache:ticket_cache -> ?alpn_protocols:string list -> ?groups:Core.group list -> ?zero_rtt:int32 -> unit -> server

server ?ciphers ?version ?hashes ?reneg ?certificates ?acceptable_cas ?authenticator ?alpn_protocols is server configuration with the given parameters.

Sourceval peer : client -> string -> client

peer client name is client with name as peer_name

Note on ALPN protocol selection

Both client and server constructors accept an alpn_protocols list. The list for server should be given in a descending order of preference. In the case of protocol selection, the server will iterate its list and select the first element that the client's list also advertises.

For example, if the client advertises ["foo"; "bar"; "baz"] and the server has ["bar"; "foo"], "bar" will be selected as the protocol of the handshake.

Utility functions

Sourceval default_signature_algorithms : Core.signature_algorithm list

default_signature_algorithms is a list of signature algorithms used by default

Sourceval supported_signature_algorithms : Core.signature_algorithm list

supported_signature_algorithms is a list of supported signature algorithms by this library

Sourceval min_dh_size : int

min_dh_size is minimal diffie hellman group size in bits (currently 1024)

Sourceval supported_groups : Core.group list

supported_groups are the Diffie-Hellman groups supported in this library.

Sourceval elliptic_curve : Core.group -> bool

elliptic_curve group is true if group is an elliptic curve, false otherwise.

Sourceval min_rsa_key_size : int

min_rsa_key_size is minimal RSA modulus key size in bits (currently 1024)

Sourcemodule Ciphers : sig ... end

Cipher selection

Internal use only

Sourceval of_client : client -> config

of_client client is a client configuration for client

Sourceval of_server : server -> config

of_server server is a server configuration for server

Sourceval with_authenticator : config -> X509.Authenticator.t -> config

with_authenticator config auth is config with auth as authenticator

Sourceval with_own_certificates : config -> own_cert -> config

with_own_certificates config cert is config with cert as own_cert

Sourceval with_acceptable_cas : config -> X509.Distinguished_name.t list -> config

with_acceptable_cas config cas is config with cas as accepted_cas

OCaml

Innovation. Community. Security.

GitHub Discord Twitter Peertube RSS
About
Changelog Releases Industrial Users Academic Users Why OCaml
Ecosystem
Packages Community Events OCaml Planet Jobs
Resources
Install OCaml Get Started Platform Tools Language Manual Standard Library API Books Exercises Papers OCaml Playground Logo
Policies
Carbon Footprint Governance Privacy Code of Conduct