warp-tls 3.2.3 → 3.2.4
raw patch · 2 files changed
+25/−32 lines, 2 filesdep +tls-session-managerdep ~tls
Dependencies added: tls-session-manager
Dependency ranges changed: tls
Files
- Network/Wai/Handler/WarpTLS.hs +22/−30
- warp-tls.cabal +3/−2
Network/Wai/Handler/WarpTLS.hs view
@@ -31,6 +31,7 @@ , tlsWantClientCert , tlsServerHooks , tlsServerDHEParams+ , tlsSessionManagerConfig , onInsecure , OnInsecure (..) -- * Runner@@ -60,6 +61,7 @@ import qualified Network.TLS as TLS import qualified Crypto.PubKey.DH as DH import qualified Network.TLS.Extra as TLSExtra+import qualified Network.TLS.SessionManager as SM import Network.Wai (Application) import Network.Wai.Handler.Warp import Network.Wai.Handler.Warp.Internal@@ -102,7 +104,7 @@ -- ^ The TLS ciphers this server accepts. -- -- >>> tlsCiphers defaultTlsSettings- -- [ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-SHA256,DHE-RSA-AES256-SHA1,DHE-RSA-AES128-SHA1,DHE-DSA-AES128-SHA1,DHE-DSA-AES256-SHA1,RSA-aes128-sha1,RSA-aes256-sha1]+ -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1] -- -- Since 1.4.2 , tlsWantClientCert :: Bool@@ -129,6 +131,15 @@ -- Default: Nothing -- -- Since 3.2.2+ , tlsSessionManagerConfig :: Maybe SM.Config+ -- ^ Configuration for in-memory TLS session manager.+ -- If Nothing, 'TLS.noSessionManager' is used.+ -- Otherwise, an in-memory TLS session manager is created+ -- according to 'Config'.+ --+ -- Default: Nothing+ --+ -- Since 3.2.4 } -- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors).@@ -147,24 +158,12 @@ , tlsWantClientCert = False , tlsServerHooks = def , tlsServerDHEParams = Nothing+ , tlsSessionManagerConfig = Nothing } -- taken from stunnel example in tls-extra ciphers :: [TLS.Cipher]-ciphers =- [ TLSExtra.cipher_ECDHE_RSA_AES128GCM_SHA256- , TLSExtra.cipher_ECDHE_RSA_AES128CBC_SHA256- , TLSExtra.cipher_ECDHE_RSA_AES128CBC_SHA- , TLSExtra.cipher_DHE_RSA_AES128GCM_SHA256- , TLSExtra.cipher_DHE_RSA_AES256_SHA256- , TLSExtra.cipher_DHE_RSA_AES128_SHA256- , TLSExtra.cipher_DHE_RSA_AES256_SHA1- , TLSExtra.cipher_DHE_RSA_AES128_SHA1- , TLSExtra.cipher_DHE_DSS_AES128_SHA1- , TLSExtra.cipher_DHE_DSS_AES256_SHA1- , TLSExtra.cipher_AES128_SHA1- , TLSExtra.cipher_AES256_SHA1- ]+ciphers = TLSExtra.ciphersuite_strong ---------------------------------------------------------------- @@ -252,10 +251,13 @@ key <- maybe (S.readFile keyFile) return mkey either error return $ TLS.credentialLoadX509ChainFromMemory cert chainCertsMemory key- runTLSSocket' tlsset set credential sock app+ mgr <- case tlsSessionManagerConfig of+ Nothing -> return TLS.noSessionManager+ Just config -> SM.newSessionManager config+ runTLSSocket' tlsset set credential mgr sock app -runTLSSocket' :: TLSSettings -> Settings -> TLS.Credential -> Socket -> Application -> IO ()-runTLSSocket' tlsset@TLSSettings{..} set credential sock app =+runTLSSocket' :: TLSSettings -> Settings -> TLS.Credential -> TLS.SessionManager -> Socket -> Application -> IO ()+runTLSSocket' tlsset@TLSSettings{..} set credential mgr sock app = runSettingsConnectionMakerSecure set get app where get = getter tlsset sock params@@ -273,20 +275,13 @@ (if settingsHTTP2Enabled set then Just alpn else Nothing) } shared = def {- TLS.sharedCredentials = TLS.Credentials [credential]+ TLS.sharedCredentials = TLS.Credentials [credential]+ , TLS.sharedSessionManager = mgr } supported = def { -- TLS.Supported TLS.supportedVersions = tlsAllowedVersions , TLS.supportedCiphers = tlsCiphers , TLS.supportedCompressions = [TLS.nullCompression]- , TLS.supportedHashSignatures = [- -- Safari 8 and go tls have bugs on SHA 512 and SHA 384.- -- So, we don't specify them here at this moment.- (TLS.HashSHA256, TLS.SignatureRSA)- , (TLS.HashSHA224, TLS.SignatureRSA)- , (TLS.HashSHA1, TLS.SignatureRSA)- , (TLS.HashSHA1, TLS.SignatureDSS)- ] , TLS.supportedSecureRenegotiation = True , TLS.supportedClientInitiatedRenegotiation = False , TLS.supportedSession = True@@ -296,9 +291,6 @@ alpn :: [S.ByteString] -> IO S.ByteString alpn xs | "h2" `elem` xs = return "h2"- | "h2-16" `elem` xs = return "h2-16"- | "h2-15" `elem` xs = return "h2-15"- | "h2-14" `elem` xs = return "h2-14" | otherwise = return "http/1.1" ----------------------------------------------------------------
warp-tls.cabal view
@@ -1,5 +1,5 @@ Name: warp-tls-Version: 3.2.3+Version: 3.2.4 Synopsis: HTTP over TLS support for Warp via the TLS package License: MIT License-file: LICENSE@@ -23,10 +23,11 @@ , wai >= 3.2 && < 3.3 , warp >= 3.2.10 && < 3.3 , data-default-class >= 0.0.1- , tls >= 1.3.5+ , tls >= 1.3.10 , cryptonite >= 0.12 , network >= 2.2.1 , streaming-commons+ , tls-session-manager Exposed-modules: Network.Wai.Handler.WarpTLS ghc-options: -Wall