http-io-streams 0.1.6.4 → 0.1.7.0
raw patch · 4 files changed
+69/−14 lines, 4 filesdep ~networkPVP ok
version bump matches the API change (PVP)
Dependency ranges changed: network
API changes (from Hackage documentation)
+ Network.Http.Client: contextSetCASystemStore :: SSLContext -> IO Bool
+ Network.Http.Client: voidContextSSL :: IO SSLContext
Files
- CHANGELOG.md +11/−1
- http-io-streams.cabal +1/−1
- http-streams/lib/Network/Http/Client.hs +2/−0
- http-streams/lib/Network/Http/Inconvenience.hs +55/−12
CHANGELOG.md view
@@ -1,5 +1,12 @@ See also http://pvp.haskell.org/faq +### 0.1.7.0++* New function `voidContextSSL` for creating a _void_ SSL Context which rejects any TLS handshake attempts+* New function `contextSetCASystemStore` exposing functionality embedded in `baselineContextSSL`++NB: These functions were originally introduced in the retroactively deprecated 0.1.6.0 release but due to an oversight were dropped again in 0.1.6.1 inadvertently. This minor release reintroduces them in a PVP-compliant way.+ #### 0.1.6.4 * Depend on `directory` rather than `system-fileio` ([PR #18](https://github.com/haskell-hvr/http-io-streams/pull/18)).@@ -26,9 +33,12 @@ #### 0.1.6.1 * Build with GHC 9.2 and `ghc-prim-0.8` (via `base-4.16`).+* Accidentally removed function `voidContextSSL` and `contextSetCASystemStore` introduced in 0.1.6.0 -### 0.1.6.0+### 0.1.6.0 **deprecated** +* New function `voidContextSSL` for creating a _void_ SSL Context which rejects any TLS handshake attempts+* New function `contextSetCASystemStore` exposing functionality embedded in `baselineContextSSL` * New function `openConnectionAddress''` supporting supplying local `SSLContext`s as well as modifying the `SSL` connection before initiating the client SSL handshake. * New function `openConnectionSSL'` which allows to customize the SSL connection _before_ a client SSL handshake is attempted. * New convenience function `getContextSSL` function allowing to retrieve global `SSLContext`.
http-io-streams.cabal view
@@ -1,6 +1,6 @@ cabal-version: 2.2 name: http-io-streams-version: 0.1.6.4+version: 0.1.7.0 synopsis: HTTP and WebSocket client based on io-streams description:
http-streams/lib/Network/Http/Client.hs view
@@ -177,6 +177,8 @@ openConnectionSSL, openConnectionSSL', baselineContextSSL,+ voidContextSSL,+ contextSetCASystemStore, modifyContextSSL, getContextSSL, establishConnection,
http-streams/lib/Network/Http/Inconvenience.hs view
@@ -28,6 +28,8 @@ encodedFormBody, put, baselineContextSSL,+ voidContextSSL,+ contextSetCASystemStore, concatHandler', TooManyRedirects(..), HttpClientError(..),@@ -402,6 +404,7 @@ -- you are encouraged to install the system -- certificates somewhere and create your own 'SSLContext'. --+-- See also 'contextSetCASystemStore' {- We would like to turn certificate verification on for everyone, but this has proved contingent on leveraging platform specific mechanisms@@ -412,26 +415,66 @@ baselineContextSSL = withOpenSSL $ do ctx <- SSL.context SSL.contextSetDefaultCiphers ctx++ caSet <- contextSetCASystemStore ctx+ if caSet+ then SSL.contextSetVerificationMode ctx (SSL.VerifyPeer True True Nothing)+ else SSL.contextSetVerificationMode ctx SSL.VerifyNone++ return ctx++-- | Construct a /void/ 'SSL.Context' in a configuration which uses+-- the @HIGH@ cipher-suite and rejects /any/ presented server+-- certificate.+--+-- This is mostly useful for testing purposes or intentionally+-- thwarting any attempt to connect to @https://@ uris.+--+-- @since 0.1.6.0+voidContextSSL :: IO SSLContext+voidContextSSL = do+ ctx <- SSL.context+ SSL.contextSetCiphers ctx "HIGH"+ SSL.contextSetVerificationMode ctx (SSL.VerifyPeer True True (Just (\_ _ -> return False)))+ return ctx++-- | Configure system-wide certificate store based on OS-specific heuristics.+--+-- This function returns 'True' if the 'SSLContext' was configured; or+-- 'False' if the location couldn't be termined for the current OS.+--+-- This function is used by 'baselineContextSSL' but in contrast does+-- *not* invoke 'SSL.contextSetDefaultCiphers' nor+-- 'SSL.contextSetVerificationMode'. See source-code for details on+-- the heuristic used to determine the location of the system+-- certificate store.+--+-- @since 0.1.6.0+contextSetCASystemStore :: SSLContext -> IO Bool+contextSetCASystemStore ctx = do #if defined(darwin_HOST_OS)- SSL.contextSetVerificationMode ctx SSL.VerifyNone+ return False #elif defined(mingw32_HOST_OS)- SSL.contextSetVerificationMode ctx SSL.VerifyNone+ return False #elif defined(freebsd_HOST_OS) SSL.contextSetCAFile ctx "/usr/local/etc/ssl/cert.pem"- SSL.contextSetVerificationMode ctx $ SSL.VerifyPeer True True Nothing+ return True #elif defined(openbsd_HOST_OS) SSL.contextSetCAFile ctx "/etc/ssl/cert.pem"- SSL.contextSetVerificationMode ctx $ SSL.VerifyPeer True True Nothing+ return True #else- fedora <- doesDirectoryExist "/etc/pki/tls"- if fedora- then do- SSL.contextSetCAFile ctx "/etc/pki/tls/certs/ca-bundle.crt"- else do- SSL.contextSetCADirectory ctx "/etc/ssl/certs"- SSL.contextSetVerificationMode ctx $ SSL.VerifyPeer True True Nothing+ hasFedoraEtcPkiTls <- doesDirectoryExist "/etc/pki/tls"+ if hasFedoraEtcPkiTls+ then do+ SSL.contextSetCAFile ctx "/etc/pki/tls/certs/ca-bundle.crt"+ return True+ else do+ -- Setting this as fallback effectively will cause systems to+ -- either fail to verify any certificates (if peer+ -- verification is enabled) if the folder doesn't exist.+ SSL.contextSetCADirectory ctx "/etc/ssl/certs"+ return True #endif- return ctx parseURL :: URL -> URI