warp-tls 3.2.1 → 3.2.2
raw patch · 3 files changed
+39/−11 lines, 3 filesdep +cryptonitedep ~tls
Dependencies added: cryptonite
Dependency ranges changed: tls
Files
- ChangeLog.md +5/−0
- Network/Wai/Handler/WarpTLS.hs +31/−9
- warp-tls.cabal +3/−2
ChangeLog.md view
@@ -1,3 +1,8 @@+## 3.2.2++* New settting parameter: tlsServerDHEParams [#556](https://github.com/yesodweb/wai/pull/556)+* Preventing socket leakage [#559](https://github.com/yesodweb/wai/pull/559)+ ## 3.2.1 * Removing dependency to cprng-aes.
Network/Wai/Handler/WarpTLS.hs view
@@ -30,6 +30,7 @@ , tlsCiphers , tlsWantClientCert , tlsServerHooks+ , tlsServerDHEParams , onInsecure , OnInsecure (..) -- * Runner@@ -37,6 +38,8 @@ , runTLSSocket -- * Exception , WarpTLSException (..)+ , DH.Params+ , DH.generateParams ) where #if __GLASGOW_HASKELL__ < 709@@ -55,6 +58,7 @@ import Network.Socket (Socket, sClose, withSocketsDo, SockAddr, accept) import Network.Socket.ByteString (sendAll) import qualified Network.TLS as TLS+import qualified Crypto.PubKey.DH as DH import qualified Network.TLS.Extra as TLSExtra import Network.Wai (Application) import Network.Wai.Handler.Warp@@ -118,6 +122,13 @@ -- Default: def -- -- Since 3.0.2+ , tlsServerDHEParams :: Maybe DH.Params+ -- ^ Configuration for ServerDHEParams+ -- more function lives in `cryptonite` package+ --+ -- Default: Nothing+ --+ -- Since 3.2.2 } -- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors).@@ -135,6 +146,7 @@ , tlsCiphers = ciphers , tlsWantClientCert = False , tlsServerHooks = def+ , tlsServerDHEParams = Nothing } -- taken from stunnel example in tls-extra@@ -250,7 +262,7 @@ params = def { -- TLS.ServerParams TLS.serverWantClientCert = tlsWantClientCert , TLS.serverCACertificates = []- , TLS.serverDHEParams = Nothing+ , TLS.serverDHEParams = tlsServerDHEParams , TLS.serverHooks = hooks , TLS.serverShared = shared , TLS.serverSupported = supported@@ -297,12 +309,14 @@ return (mkConn tlsset s params, sa) mkConn :: TLS.TLSParams params => TLSSettings -> Socket -> params -> IO (Connection, Transport)-mkConn tlsset s params = do- firstBS <- safeRecv s 4096- (if not (S.null firstBS) && S.head firstBS == 0x16 then- httpOverTls tlsset s firstBS params- else- plainHTTP tlsset s firstBS) `onException` sClose s+mkConn tlsset s params = switch `onException` sClose s+ where+ switch = do+ firstBS <- safeRecv s 4096+ if not (S.null firstBS) && S.head firstBS == 0x16 then+ httpOverTls tlsset s firstBS params+ else+ plainHTTP tlsset s firstBS ---------------------------------------------------------------- @@ -434,8 +448,16 @@ } return (conn'', TCP) DenyInsecure lbs -> do- -- FIXME: what about HTTP/2?- -- http://tools.ietf.org/html/rfc2817#section-4.2+ -- Listening port 443 but TLS records do not arrive.+ -- We want to let the browser know that TLS is required.+ -- So, we use 426.+ -- http://tools.ietf.org/html/rfc2817#section-4.2+ -- https://tools.ietf.org/html/rfc7231#section-6.5.15+ -- FIXME: should we distinguish HTTP/1.1 and HTTP/2?+ -- In the case of HTTP/2, should we send+ -- GOAWAY + INADEQUATE_SECURITY?+ -- FIXME: Content-Length:+ -- FIXME: TLS/<version> sendAll s "HTTP/1.1 426 Upgrade Required\ \r\nUpgrade: TLS/1.0, HTTP/1.1\ \r\nConnection: Upgrade\
warp-tls.cabal view
@@ -1,5 +1,5 @@ Name: warp-tls-Version: 3.2.1+Version: 3.2.2 Synopsis: HTTP over TLS support for Warp via the TLS package License: MIT License-file: LICENSE@@ -22,7 +22,8 @@ , wai >= 3.2 && < 3.3 , warp >= 3.2 && < 3.3 , data-default-class >= 0.0.1- , tls >= 1.3.2+ , tls >= 1.3.5+ , cryptonite >= 0.12 , network >= 2.2.1 , streaming-commons Exposed-modules: Network.Wai.Handler.WarpTLS