Config (tls.Tls.Config)

Config type

type certchain = Core.Cert.t list * Mirage_crypto_pk.Rsa.priv

certificate chain and private key of the first certificate

type own_cert = [

| `None

| `Single of certchain

| `Multiple of certchain list

| `Multiple_default of certchain * certchain list

]

polymorphic variant of own certificates

type session_cache = Core.SessionID.t -> Core.epoch_data option

type ticket_cache = {

lookup : Cstruct.t -> (Core.psk13 * Core.epoch_data) option;

ticket_granted : Core.psk13 -> Core.epoch_data -> unit;

lifetime : int32;

timestamp : unit -> Core.Ptime.t;

}

type ticket_cache_opt = ticket_cache option

type config = private {

`ciphers : Ciphersuite.ciphersuite list;`	ordered list (regarding preference) of supported cipher suites
`protocol_versions : Core.tls_version * Core.tls_version;`	supported protocol versions (min, max)
`signature_algorithms : Core.signature_algorithm list;`	ordered list of supported signature algorithms (regarding preference)
`use_reneg : bool;`	endpoint should accept renegotiation requests
`authenticator : X509.Authenticator.t option;`	optional X509 authenticator
`peer_name : string option;`	optional name of other endpoint (used for SNI RFC4366)
`own_certificates : own_cert;`	optional default certificate chain and other certificate chains
`acceptable_cas : X509.Distinguished_name.t list;`	ordered list of acceptable certificate authorities
`session_cache : session_cache;`
`ticket_cache : ticket_cache_opt;`
`cached_session : Core.epoch_data option;`
`cached_ticket : (Core.psk13 * Core.epoch_data) option;`
`alpn_protocols : string list;`	optional ordered list of accepted alpn_protocols
`groups : Core.group list;`	the first FFDHE will be used for TLS 1.2 and below if a DHE ciphersuite is used
`zero_rtt : int32;`

}

configuration parameters

val config_of_sexp : Sexplib.Sexp.t -> config

val sexp_of_config : config -> Sexplib.Sexp.t

val ciphers13 : config -> Ciphersuite.ciphersuite13 list

ciphers13 config are the ciphersuites for TLS 1.3 in the configuration.

type client

opaque type of a client configuration

val client_of_sexp : Sexplib.Sexp.t -> client

val sexp_of_client : client -> Sexplib.Sexp.t

type server

opaque type of a server configuration

val server_of_sexp : Sexplib.Sexp.t -> server

val sexp_of_server : server -> Sexplib.Sexp.t

Constructors

val client : authenticator:X509.Authenticator.t -> ?⁠peer_name:string -> ?⁠ciphers:Ciphersuite.ciphersuite list -> ?⁠version:(Core.tls_version * Core.tls_version) -> ?⁠signature_algorithms:Core.signature_algorithm list -> ?⁠reneg:bool -> ?⁠certificates:own_cert -> ?⁠cached_session:Core.epoch_data -> ?⁠cached_ticket:(Core.psk13 * Core.epoch_data) -> ?⁠ticket_cache:ticket_cache -> ?⁠alpn_protocols:string list -> ?⁠groups:Core.group list -> unit -> client

client authenticator ?peer_name ?ciphers ?version ?hashes ?reneg ?certificates ?alpn_protocols is client configuration with the given parameters.

raises Invalid_argument: if the configuration is invalid

val server : ?⁠ciphers:Ciphersuite.ciphersuite list -> ?⁠version:(Core.tls_version * Core.tls_version) -> ?⁠signature_algorithms:Core.signature_algorithm list -> ?⁠reneg:bool -> ?⁠certificates:own_cert -> ?⁠acceptable_cas:X509.Distinguished_name.t list -> ?⁠authenticator:X509.Authenticator.t -> ?⁠session_cache:session_cache -> ?⁠ticket_cache:ticket_cache -> ?⁠alpn_protocols:string list -> ?⁠groups:Core.group list -> ?⁠zero_rtt:int32 -> unit -> server

server ?ciphers ?version ?hashes ?reneg ?certificates ?acceptable_cas ?authenticator ?alpn_protocols is server configuration with the given parameters.

raises Invalid_argument: if the configuration is invalid

val peer : client -> string -> client

peer client name is client with name as peer_name

Note on ALPN protocol selection

Utility functions

val default_signature_algorithms : Core.signature_algorithm list

default_signature_algorithms is a list of signature algorithms used by default

val supported_signature_algorithms : Core.signature_algorithm list

supported_signature_algorithms is a list of supported signature algorithms by this library

val min_dh_size : int

min_dh_size is minimal diffie hellman group size in bits (currently 1024)

val supported_groups : Core.group list

supported_groups are the Diffie-Hellman groups supported in this library.

val elliptic_curve : Core.group -> bool

elliptic_curve group is true if group is an elliptic curve, false otherwise.

val min_rsa_key_size : int

min_rsa_key_size is minimal RSA modulus key size in bits (currently 1024)

module Ciphers : sig ... end

Cipher selection

Internal use only

val of_client : client -> config

of_client client is a client configuration for client

val of_server : server -> config

of_server server is a server configuration for server

val with_authenticator : config -> X509.Authenticator.t -> config

with_authenticator config auth is config with auth as authenticator

val with_own_certificates : config -> own_cert -> config

with_own_certificates config cert is config with cert as own_cert

val with_acceptable_cas : config -> X509.Distinguished_name.t list -> config

with_acceptable_cas config cas is config with cas as accepted_cas