warp-tls 3.3.1 → 3.3.2
raw patch · 4 files changed
+150/−118 lines, 4 files
Files
- ChangeLog.md +5/−0
- Network/Wai/Handler/WarpTLS.hs +2/−116
- Network/Wai/Handler/WarpTLS/Internal.hs +141/−0
- warp-tls.cabal +2/−2
ChangeLog.md view
@@ -1,3 +1,8 @@+## 3.3.2++* Providing the Internal module.+ [#841](https://github.com/yesodweb/wai/issues/841)+ ## 3.3.1 * Move exception handling over to `unliftio` for better async exception support [#845](https://github.com/yesodweb/wai/issues/845)
Network/Wai/Handler/WarpTLS.hs view
@@ -29,6 +29,7 @@ -- ** From references , tlsSettingsRef , tlsSettingsChainRef+ , CertSettings -- * Accessors , tlsCredentials , tlsLogging@@ -74,123 +75,15 @@ import Network.Wai (Application) import Network.Wai.Handler.Warp import Network.Wai.Handler.Warp.Internal+import Network.Wai.Handler.WarpTLS.Internal(CertSettings(..), TLSSettings(..), OnInsecure(..)) import System.IO.Error (isEOFError, ioeGetErrorType) --------------------------------------------------------------------- | Determines where to load the certificate, chain --- certificates, and key from.-data CertSettings - = CertFromFile !FilePath ![FilePath] !FilePath- | CertFromMemory !S.ByteString ![S.ByteString] !S.ByteString- | CertFromRef !(I.IORef S.ByteString) ![I.IORef S.ByteString] !(I.IORef S.ByteString)- -- | The default 'CertSettings'. defaultCertSettings :: CertSettings defaultCertSettings = CertFromFile "certificate.pem" [] "key.pem" ---------------------------------------------------------------- --- | Settings for WarpTLS.-data TLSSettings = TLSSettings {- certSettings :: CertSettings- -- ^ Where are the certificate, chain certificates, and key- -- loaded from?- --- -- >>> certSettings defaultTlsSettings- -- tlsSettings "certificate.pem" "key.pem"- -- - -- @since 3.3.0- , onInsecure :: OnInsecure- -- ^ Do we allow insecure connections with this server as well?- --- -- >>> onInsecure defaultTlsSettings- -- DenyInsecure "This server only accepts secure HTTPS connections."- --- -- Since 1.4.0- , tlsLogging :: TLS.Logging- -- ^ The level of logging to turn on.- --- -- Default: 'TLS.defaultLogging'.- --- -- Since 1.4.0- , tlsAllowedVersions :: [TLS.Version]-#if MIN_VERSION_tls(1,5,0)- -- ^ The TLS versions this server accepts.- --- -- >>> tlsAllowedVersions defaultTlsSettings- -- [TLS13,TLS12,TLS11,TLS10]- --- -- Since 1.4.2-#else- -- ^ The TLS versions this server accepts.- --- -- >>> tlsAllowedVersions defaultTlsSettings- -- [TLS12,TLS11,TLS10]- --- -- Since 1.4.2-#endif- , tlsCiphers :: [TLS.Cipher]-#if MIN_VERSION_tls(1,5,0)- -- ^ The TLS ciphers this server accepts.- --- -- >>> tlsCiphers defaultTlsSettings- -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1,AES128GCM-SHA256,AES256GCM-SHA384]- --- -- Since 1.4.2-#else- -- ^ The TLS ciphers this server accepts.- --- -- >>> tlsCiphers defaultTlsSettings- -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1]- --- -- Since 1.4.2-#endif- , tlsWantClientCert :: Bool- -- ^ Whether or not to demand a certificate from the client. If this- -- is set to True, you must handle received certificates in a server hook- -- or all connections will fail.- --- -- >>> tlsWantClientCert defaultTlsSettings- -- False- --- -- Since 3.0.2- , tlsServerHooks :: TLS.ServerHooks- -- ^ The server-side hooks called by the tls package, including actions- -- to take when a client certificate is received. See the "Network.TLS"- -- module for details.- --- -- Default: def- --- -- Since 3.0.2- , tlsServerDHEParams :: Maybe DH.Params- -- ^ Configuration for ServerDHEParams- -- more function lives in `cryptonite` package- --- -- Default: Nothing- --- -- Since 3.2.2- , tlsSessionManagerConfig :: Maybe SM.Config- -- ^ Configuration for in-memory TLS session manager.- -- If Nothing, 'TLS.noSessionManager' is used.- -- Otherwise, an in-memory TLS session manager is created- -- according to 'Config'.- --- -- Default: Nothing- --- -- Since 3.2.4- , tlsCredentials :: Maybe TLS.Credentials- -- ^ Specifying 'TLS.Credentials' directly. If this value is- -- specified, other fields such as 'certFile' are ignored.- --- -- Since 3.2.12- , tlsSessionManager :: Maybe TLS.SessionManager- -- ^ Specifying 'TLS.SessionManager' directly. If this value is- -- specified, 'tlsSessionManagerConfig' is ignored.- --- -- Since 3.2.12- }- -- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors). defaultTlsSettings :: TLSSettings defaultTlsSettings = TLSSettings {@@ -214,13 +107,6 @@ -- taken from stunnel example in tls-extra ciphers :: [TLS.Cipher] ciphers = TLSExtra.ciphersuite_strong---------------------------------------------------------------------- | An action when a plain HTTP comes to HTTP over TLS/SSL port.-data OnInsecure = DenyInsecure L.ByteString- | AllowInsecure- deriving (Show) ----------------------------------------------------------------
+ Network/Wai/Handler/WarpTLS/Internal.hs view
@@ -0,0 +1,141 @@+{-# LANGUAGE CPP #-}++module Network.Wai.Handler.WarpTLS.Internal (+ CertSettings(..)+ , TLSSettings(..)+ , OnInsecure(..)+ -- * Accessors+ , getCertSettings+ ) where++import qualified Crypto.PubKey.DH as DH+import qualified Data.ByteString as S+import qualified Data.ByteString.Lazy as L+import qualified Data.IORef as I+import qualified Network.TLS as TLS+import qualified Network.TLS.SessionManager as SM++----------------------------------------------------------------++-- | Determines where to load the certificate, chain +-- certificates, and key from.+data CertSettings + = CertFromFile !FilePath ![FilePath] !FilePath+ | CertFromMemory !S.ByteString ![S.ByteString] !S.ByteString+ | CertFromRef !(I.IORef S.ByteString) ![I.IORef S.ByteString] !(I.IORef S.ByteString)++----------------------------------------------------------------++-- | An action when a plain HTTP comes to HTTP over TLS/SSL port.+data OnInsecure = DenyInsecure L.ByteString+ | AllowInsecure+ deriving (Show)++----------------------------------------------------------------++-- | Settings for WarpTLS.+data TLSSettings = TLSSettings {+ certSettings :: CertSettings+ -- ^ Where are the certificate, chain certificates, and key+ -- loaded from?+ --+ -- >>> certSettings defaultTlsSettings+ -- tlsSettings "certificate.pem" "key.pem"+ -- + -- @since 3.3.0+ , onInsecure :: OnInsecure+ -- ^ Do we allow insecure connections with this server as well?+ --+ -- >>> onInsecure defaultTlsSettings+ -- DenyInsecure "This server only accepts secure HTTPS connections."+ --+ -- Since 1.4.0+ , tlsLogging :: TLS.Logging+ -- ^ The level of logging to turn on.+ --+ -- Default: 'TLS.defaultLogging'.+ --+ -- Since 1.4.0+ , tlsAllowedVersions :: [TLS.Version]+#if MIN_VERSION_tls(1,5,0)+ -- ^ The TLS versions this server accepts.+ --+ -- >>> tlsAllowedVersions defaultTlsSettings+ -- [TLS13,TLS12,TLS11,TLS10]+ --+ -- Since 1.4.2+#else+ -- ^ The TLS versions this server accepts.+ --+ -- >>> tlsAllowedVersions defaultTlsSettings+ -- [TLS12,TLS11,TLS10]+ --+ -- Since 1.4.2+#endif+ , tlsCiphers :: [TLS.Cipher]+#if MIN_VERSION_tls(1,5,0)+ -- ^ The TLS ciphers this server accepts.+ --+ -- >>> tlsCiphers defaultTlsSettings+ -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1,AES128GCM-SHA256,AES256GCM-SHA384]+ --+ -- Since 1.4.2+#else+ -- ^ The TLS ciphers this server accepts.+ --+ -- >>> tlsCiphers defaultTlsSettings+ -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1]+ --+ -- Since 1.4.2+#endif+ , tlsWantClientCert :: Bool+ -- ^ Whether or not to demand a certificate from the client. If this+ -- is set to True, you must handle received certificates in a server hook+ -- or all connections will fail.+ --+ -- >>> tlsWantClientCert defaultTlsSettings+ -- False+ --+ -- Since 3.0.2+ , tlsServerHooks :: TLS.ServerHooks+ -- ^ The server-side hooks called by the tls package, including actions+ -- to take when a client certificate is received. See the "Network.TLS"+ -- module for details.+ --+ -- Default: def+ --+ -- Since 3.0.2+ , tlsServerDHEParams :: Maybe DH.Params+ -- ^ Configuration for ServerDHEParams+ -- more function lives in `cryptonite` package+ --+ -- Default: Nothing+ --+ -- Since 3.2.2+ , tlsSessionManagerConfig :: Maybe SM.Config+ -- ^ Configuration for in-memory TLS session manager.+ -- If Nothing, 'TLS.noSessionManager' is used.+ -- Otherwise, an in-memory TLS session manager is created+ -- according to 'Config'.+ --+ -- Default: Nothing+ --+ -- Since 3.2.4+ , tlsCredentials :: Maybe TLS.Credentials+ -- ^ Specifying 'TLS.Credentials' directly. If this value is+ -- specified, other fields such as 'certFile' are ignored.+ --+ -- Since 3.2.12+ , tlsSessionManager :: Maybe TLS.SessionManager+ -- ^ Specifying 'TLS.SessionManager' directly. If this value is+ -- specified, 'tlsSessionManagerConfig' is ignored.+ --+ -- Since 3.2.12+ }+++-- Since 3.3.1+-- | Some programs need access to cert settings+getCertSettings :: TLSSettings -> CertSettings+getCertSettings tlsSetgs = certSettings tlsSetgs+
warp-tls.cabal view
@@ -1,5 +1,5 @@ Name: warp-tls-Version: 3.3.1+Version: 3.3.2 Synopsis: HTTP over TLS support for Warp via the TLS package License: MIT License-file: LICENSE@@ -29,7 +29,7 @@ , streaming-commons , tls-session-manager >= 0.0.4 , unliftio- Exposed-modules: Network.Wai.Handler.WarpTLS+ Exposed-modules: Network.Wai.Handler.WarpTLS, Network.Wai.Handler.WarpTLS.Internal ghc-options: -Wall if os(windows) Cpp-Options: -DWINDOWS