packages feed

warp-tls 3.2.1 → 3.2.2

raw patch · 3 files changed

+39/−11 lines, 3 filesdep +cryptonitedep ~tls

Dependencies added: cryptonite

Dependency ranges changed: tls

Files

ChangeLog.md view
@@ -1,3 +1,8 @@+## 3.2.2++* New settting parameter: tlsServerDHEParams [#556](https://github.com/yesodweb/wai/pull/556)+* Preventing socket leakage [#559](https://github.com/yesodweb/wai/pull/559)+ ## 3.2.1  * Removing dependency to cprng-aes.
Network/Wai/Handler/WarpTLS.hs view
@@ -30,6 +30,7 @@     , tlsCiphers     , tlsWantClientCert     , tlsServerHooks+    , tlsServerDHEParams     , onInsecure     , OnInsecure (..)     -- * Runner@@ -37,6 +38,8 @@     , runTLSSocket     -- * Exception     , WarpTLSException (..)+    , DH.Params+    , DH.generateParams     ) where  #if __GLASGOW_HASKELL__ < 709@@ -55,6 +58,7 @@ import Network.Socket (Socket, sClose, withSocketsDo, SockAddr, accept) import Network.Socket.ByteString (sendAll) import qualified Network.TLS as TLS+import qualified Crypto.PubKey.DH as DH import qualified Network.TLS.Extra as TLSExtra import Network.Wai (Application) import Network.Wai.Handler.Warp@@ -118,6 +122,13 @@     -- Default: def     --     -- Since 3.0.2+  , tlsServerDHEParams :: Maybe DH.Params+    -- ^ Configuration for ServerDHEParams+    -- more function lives in `cryptonite` package+    --+    -- Default: Nothing+    --+    -- Since 3.2.2   }  -- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors).@@ -135,6 +146,7 @@   , tlsCiphers = ciphers   , tlsWantClientCert = False   , tlsServerHooks = def+  , tlsServerDHEParams = Nothing   }  -- taken from stunnel example in tls-extra@@ -250,7 +262,7 @@     params = def { -- TLS.ServerParams         TLS.serverWantClientCert = tlsWantClientCert       , TLS.serverCACertificates = []-      , TLS.serverDHEParams      = Nothing+      , TLS.serverDHEParams      = tlsServerDHEParams       , TLS.serverHooks          = hooks       , TLS.serverShared         = shared       , TLS.serverSupported      = supported@@ -297,12 +309,14 @@     return (mkConn tlsset s params, sa)  mkConn :: TLS.TLSParams params => TLSSettings -> Socket -> params -> IO (Connection, Transport)-mkConn tlsset s params = do-    firstBS <- safeRecv s 4096-    (if not (S.null firstBS) && S.head firstBS == 0x16 then-        httpOverTls tlsset s firstBS params-      else-        plainHTTP tlsset s firstBS) `onException` sClose s+mkConn tlsset s params = switch `onException` sClose s+  where+    switch = do+        firstBS <- safeRecv s 4096+        if not (S.null firstBS) && S.head firstBS == 0x16 then+            httpOverTls tlsset s firstBS params+          else+            plainHTTP tlsset s firstBS  ---------------------------------------------------------------- @@ -434,8 +448,16 @@                 }         return (conn'', TCP)     DenyInsecure lbs -> do-        -- FIXME: what about HTTP/2?-        -- http://tools.ietf.org/html/rfc2817#section-4.2+        -- Listening port 443 but TLS records do not arrive.+        -- We want to let the browser know that TLS is required.+        -- So, we use 426.+        --     http://tools.ietf.org/html/rfc2817#section-4.2+        --     https://tools.ietf.org/html/rfc7231#section-6.5.15+        -- FIXME: should we distinguish HTTP/1.1 and HTTP/2?+        --        In the case of HTTP/2, should we send+        --        GOAWAY + INADEQUATE_SECURITY?+        -- FIXME: Content-Length:+        -- FIXME: TLS/<version>         sendAll s "HTTP/1.1 426 Upgrade Required\         \r\nUpgrade: TLS/1.0, HTTP/1.1\         \r\nConnection: Upgrade\
warp-tls.cabal view
@@ -1,5 +1,5 @@ Name:                warp-tls-Version:             3.2.1+Version:             3.2.2 Synopsis:            HTTP over TLS support for Warp via the TLS package License:             MIT License-file:        LICENSE@@ -22,7 +22,8 @@                    , wai                           >= 3.2      && < 3.3                    , warp                          >= 3.2      && < 3.3                    , data-default-class            >= 0.0.1-                   , tls                           >= 1.3.2+                   , tls                           >= 1.3.5+                   , cryptonite                    >= 0.12                    , network                       >= 2.2.1                    , streaming-commons   Exposed-modules:   Network.Wai.Handler.WarpTLS