Config type
type certchain = Core.Cert.t list * Mirage_crypto_pk.Rsa.priv
certificate chain and private key of the first certificate
type own_cert = [
| `None |
| `Single of certchain |
| `Multiple of certchain list |
| `Multiple_default of certchain * certchain list |
]
polymorphic variant of own certificates
type session_cache = Core.SessionID.t -> Core.epoch_data option
type ticket_cache = {
lookup : Cstruct.t -> (Core.psk13 * Core.epoch_data) option; |
ticket_granted : Core.psk13 -> Core.epoch_data -> unit; |
lifetime : int32; |
timestamp : unit -> Core.Ptime.t; |
}
type ticket_cache_opt = ticket_cache option
type config = private {
ciphers : Ciphersuite.ciphersuite list; | ordered list (regarding preference) of supported cipher suites |
protocol_versions : Core.tls_version * Core.tls_version; | supported protocol versions (min, max) |
signature_algorithms : Core.signature_algorithm list; | ordered list of supported signature algorithms (regarding preference) |
use_reneg : bool; | endpoint should accept renegotiation requests |
authenticator : X509.Authenticator.t option; | optional X509 authenticator |
peer_name : string option; | optional name of other endpoint (used for SNI RFC4366) |
own_certificates : own_cert; | optional default certificate chain and other certificate chains |
acceptable_cas : X509.Distinguished_name.t list; | ordered list of acceptable certificate authorities |
session_cache : session_cache; | |
ticket_cache : ticket_cache_opt; | |
cached_session : Core.epoch_data option; | |
cached_ticket : (Core.psk13 * Core.epoch_data) option; | |
alpn_protocols : string list; | optional ordered list of accepted alpn_protocols |
groups : Core.group list; | the first FFDHE will be used for TLS 1.2 and below if a DHE ciphersuite is used |
zero_rtt : int32; |
}
configuration parameters
val config_of_sexp : Sexplib.Sexp.t -> config
val sexp_of_config : config -> Sexplib.Sexp.t
val ciphers13 : config -> Ciphersuite.ciphersuite13 list
ciphers13 config
are the ciphersuites for TLS 1.3 in the configuration.
val client_of_sexp : Sexplib.Sexp.t -> client
val sexp_of_client : client -> Sexplib.Sexp.t
val server_of_sexp : Sexplib.Sexp.t -> server
val sexp_of_server : server -> Sexplib.Sexp.t
Constructors
val client : authenticator:X509.Authenticator.t -> ?peer_name:string -> ?ciphers:Ciphersuite.ciphersuite list -> ?version:(Core.tls_version * Core.tls_version) -> ?signature_algorithms:Core.signature_algorithm list -> ?reneg:bool -> ?certificates:own_cert -> ?cached_session:Core.epoch_data -> ?cached_ticket:(Core.psk13 * Core.epoch_data) -> ?ticket_cache:ticket_cache -> ?alpn_protocols:string list -> ?groups:Core.group list -> unit -> client
client authenticator ?peer_name ?ciphers ?version ?hashes ?reneg ?certificates ?alpn_protocols
is client
configuration with the given parameters.
- raises Invalid_argument
if the configuration is invalid
val server : ?ciphers:Ciphersuite.ciphersuite list -> ?version:(Core.tls_version * Core.tls_version) -> ?signature_algorithms:Core.signature_algorithm list -> ?reneg:bool -> ?certificates:own_cert -> ?acceptable_cas:X509.Distinguished_name.t list -> ?authenticator:X509.Authenticator.t -> ?session_cache:session_cache -> ?ticket_cache:ticket_cache -> ?alpn_protocols:string list -> ?groups:Core.group list -> ?zero_rtt:int32 -> unit -> server
server ?ciphers ?version ?hashes ?reneg ?certificates ?acceptable_cas ?authenticator ?alpn_protocols
is server
configuration with the given parameters.
- raises Invalid_argument
if the configuration is invalid
Note on ALPN protocol selection
Utility functions
val default_signature_algorithms : Core.signature_algorithm list
default_signature_algorithms
is a list of signature algorithms used by default
val supported_signature_algorithms : Core.signature_algorithm list
supported_signature_algorithms
is a list of supported signature algorithms by this library
val supported_groups : Core.group list
supported_groups
are the Diffie-Hellman groups supported in this library.
val elliptic_curve : Core.group -> bool
elliptic_curve group
is true
if group is an elliptic curve, false
otherwise.
module Ciphers : sig ... end
Cipher selection
Internal use only
val with_authenticator : config -> X509.Authenticator.t -> config
with_authenticator config auth
is config
with auth
as authenticator
with_own_certificates config cert
is config
with cert
as own_cert
val with_acceptable_cas : config -> X509.Distinguished_name.t list -> config
with_acceptable_cas config cas
is config
with cas
as accepted_cas