warp-tls 3.3.7 → 3.4.14
raw patch · 4 files changed
Files
- ChangeLog.md +69/−0
- Network/Wai/Handler/WarpTLS.hs +391/−237
- Network/Wai/Handler/WarpTLS/Internal.hs +71/−54
- warp-tls.cabal +6/−6
ChangeLog.md view
@@ -1,5 +1,74 @@ # ChangeLog +## 3.4.14++* Build with `warp-3.4.13`.+ [#1071](https://github.com/yesodweb/wai/pull/1071)++## 3.4.13++* Introduced new smart constructor `tlsSettingsSni` to make it more convenient+ to dynamically change certificates. Deprecates `tlsSettingsRef` and+ `tlsSettingsChainRef`.+ [#1025](https://github.com/yesodweb/wai/pull/1025)++## 3.4.12++* Rethrowing asynchronous exceptions+ [#1013](https://github.com/yesodweb/wai/pull/1013)++## 3.4.11++* Removing `unliftio`.++## 3.4.10++* Removed `data-default` dependency entirely. Does now require `>= tls-2.1.3`.+ [#1011](https://github.com/yesodweb/wai/pull/1011)++## 3.4.9++* Using `timeout` for `handshake` to prevent thread leaks.++## 3.4.8++* Substituted `data-default-class` for `data-default` [#1010](https://github.com/yesodweb/wai/pull/1010)++## 3.4.7++* Expose `attachConn` to use post-handshake TLS connection.+ [#1007](https://github.com/yesodweb/wai/pull/1007)++## 3.4.6++* Preparing for tls v2.1++## 3.4.5++* Making mkConn of WarpTLS interruptible+ [#984](https://github.com/yesodweb/wai/pull/984)++## 3.4.4++* Allow warp v3.4.++## 3.4.3++* Install shutdown handlers passed via `Settings` to `run...` functions++## 3.4.2++* Requiring warp v3.3.29.++## 3.4.1++* Supporting `tls` v1.8.0.++## 3.4.0++* Major version up to deprecate v3.3.7 due to the incompatibility+ against cryptonite.+ ## 3.3.7 * Using crypton instead of cryptonite.
Network/Wai/Handler/WarpTLS.hs view
@@ -1,9 +1,9 @@ {-# LANGUAGE CPP #-}+{-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE PatternGuards #-} {-# LANGUAGE RankNTypes #-} {-# LANGUAGE RecordWildCards #-}-{-# LANGUAGE DeriveDataTypeable #-}-{-# LANGUAGE PatternGuards #-} -- | HTTP over TLS support for Warp via the TLS package. --@@ -11,56 +11,83 @@ -- Otherwise HTTP\/1.1 over TLS is used. -- -- Support for SSL is now obsoleted.- module Network.Wai.Handler.WarpTLS ( -- * Runner- runTLS- , runTLSSocket+ runTLS,+ runTLSSocket,+ -- * Settings- , TLSSettings- , defaultTlsSettings+ TLSSettings,+ defaultTlsSettings,+ -- * Smart constructors+ -- ** From files- , tlsSettings- , tlsSettingsChain+ tlsSettings,+ tlsSettingsChain,+ -- ** From memory- , tlsSettingsMemory- , tlsSettingsChainMemory+ tlsSettingsMemory,+ tlsSettingsChainMemory,+ -- ** From references- , tlsSettingsRef- , tlsSettingsChainRef- , CertSettings+ tlsSettingsRef,+ tlsSettingsChainRef,+ CertSettings,++ -- ** Dynamically retrieved+ tlsSettingsSni,+ -- * Accessors- , tlsCredentials- , tlsLogging- , tlsAllowedVersions- , tlsCiphers- , tlsWantClientCert- , tlsServerHooks- , tlsServerDHEParams- , tlsSessionManagerConfig- , tlsSessionManager- , onInsecure- , OnInsecure (..)+ tlsCredentials,+ tlsLogging,+ tlsAllowedVersions,+ tlsCiphers,+ tlsWantClientCert,+ tlsServerHooks,+ tlsServerDHEParams,+ tlsSessionManagerConfig,+ tlsSessionManager,+ onInsecure,+ OnInsecure (..),+ -- * Exception- , WarpTLSException (..)- ) where+ WarpTLSException (..), + -- * Low-level+ attachConn+) where+ import Control.Applicative ((<|>))-import UnliftIO.Exception (Exception, throwIO, bracket, finally, handleAny, try, IOException, onException, SomeException(..), handleJust)-import qualified UnliftIO.Exception as E-import Control.Monad (void, guard)+#if MIN_VERSION_warp(3,4,13)+import Control.Concurrent.STM (newTVarIO, TVar)+#endif+import Control.Exception (+ Exception,+ IOException,+ SomeException (..),+ bracket,+ finally,+ fromException,+ handle,+ handleJust,+ onException,+ throwIO,+ try,+ )+import qualified Control.Exception as E+import Control.Monad (guard, void) import qualified Data.ByteString as S import qualified Data.ByteString.Lazy as L-import Data.Default.Class (def) import qualified Data.IORef as I import Data.Streaming.Network (bindPortTCP, safeRecv) import Data.Typeable (Typeable)-import GHC.IO.Exception (IOErrorType(..))+import GHC.IO.Exception (IOErrorType (..)) import Network.Socket ( SockAddr, Socket, close,+ getSocketName, #if MIN_VERSION_network(3,1,1) gracefulClose, #endif@@ -69,218 +96,270 @@ import Network.Socket.BufferPool import Network.Socket.ByteString (sendAll) import qualified Network.TLS as TLS-import qualified Network.TLS.Extra as TLSExtra import qualified Network.TLS.SessionManager as SM import Network.Wai (Application) import Network.Wai.Handler.Warp import Network.Wai.Handler.Warp.Internal-import Network.Wai.Handler.WarpTLS.Internal(CertSettings(..), TLSSettings(..), OnInsecure(..))+import Network.Wai.Handler.WarpTLS.Internal import System.IO.Error (ioeGetErrorType, isEOFError)-import UnliftIO.Exception (handle, fromException)---- | The default 'CertSettings'.-defaultCertSettings :: CertSettings-defaultCertSettings = CertFromFile "certificate.pem" [] "key.pem"---------------------------------------------------------------------- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors).-defaultTlsSettings :: TLSSettings-defaultTlsSettings = TLSSettings {- certSettings = defaultCertSettings- , onInsecure = DenyInsecure "This server only accepts secure HTTPS connections."- , tlsLogging = def-#if MIN_VERSION_tls(1,5,0)- , tlsAllowedVersions = [TLS.TLS13,TLS.TLS12,TLS.TLS11,TLS.TLS10]-#else- , tlsAllowedVersions = [TLS.TLS12,TLS.TLS11,TLS.TLS10]-#endif- , tlsCiphers = ciphers- , tlsWantClientCert = False- , tlsServerHooks = def- , tlsServerDHEParams = Nothing- , tlsSessionManagerConfig = Nothing- , tlsCredentials = Nothing- , tlsSessionManager = Nothing- , tlsSupportedHashSignatures = TLS.supportedHashSignatures def- }---- taken from stunnel example in tls-extra-ciphers :: [TLS.Cipher]-ciphers = TLSExtra.ciphersuite_strong+import System.Timeout (timeout) ---------------------------------------------------------------- -- | A smart constructor for 'TLSSettings' based on 'defaultTlsSettings'.-tlsSettings :: FilePath -- ^ Certificate file- -> FilePath -- ^ Key file- -> TLSSettings-tlsSettings cert key = defaultTlsSettings {- certSettings = CertFromFile cert [] key- }+tlsSettings+ :: FilePath+ -- ^ Certificate file+ -> FilePath+ -- ^ Key file+ -> TLSSettings+tlsSettings cert key =+ defaultTlsSettings+ { certSettings = CertFromFile cert [] key+ } -- | A smart constructor for 'TLSSettings' that allows specifying -- chain certificates based on 'defaultTlsSettings'. -- -- Since 3.0.3 tlsSettingsChain- :: FilePath -- ^ Certificate file- -> [FilePath] -- ^ Chain certificate files- -> FilePath -- ^ Key file- -> TLSSettings-tlsSettingsChain cert chainCerts key = defaultTlsSettings {- certSettings = CertFromFile cert chainCerts key- }+ :: FilePath+ -- ^ Certificate file+ -> [FilePath]+ -- ^ Chain certificate files+ -> FilePath+ -- ^ Key file+ -> TLSSettings+tlsSettingsChain cert chainCerts key =+ defaultTlsSettings+ { certSettings = CertFromFile cert chainCerts key+ } -- | A smart constructor for 'TLSSettings', but uses in-memory representations -- of the certificate and key based on 'defaultTlsSettings'. -- -- Since 3.0.1 tlsSettingsMemory- :: S.ByteString -- ^ Certificate bytes- -> S.ByteString -- ^ Key bytes+ :: S.ByteString+ -- ^ Certificate bytes+ -> S.ByteString+ -- ^ Key bytes -> TLSSettings-tlsSettingsMemory cert key = defaultTlsSettings {- certSettings = CertFromMemory cert [] key- }+tlsSettingsMemory cert key =+ defaultTlsSettings+ { certSettings = CertFromMemory cert [] key+ } -- | A smart constructor for 'TLSSettings', but uses in-memory representations -- of the certificate and key based on 'defaultTlsSettings'. -- -- Since 3.0.3 tlsSettingsChainMemory- :: S.ByteString -- ^ Certificate bytes- -> [S.ByteString] -- ^ Chain certificate bytes- -> S.ByteString -- ^ Key bytes+ :: S.ByteString+ -- ^ Certificate bytes+ -> [S.ByteString]+ -- ^ Chain certificate bytes+ -> S.ByteString+ -- ^ Key bytes -> TLSSettings-tlsSettingsChainMemory cert chainCerts key = defaultTlsSettings {- certSettings = CertFromMemory cert chainCerts key- }+tlsSettingsChainMemory cert chainCerts key =+ defaultTlsSettings+ { certSettings = CertFromMemory cert chainCerts key+ } +-- | Smart constructor for TLS settings that obtains its credentials during+-- Server Name Indication. Can be used to return different credentials+-- depending on the hostname but also to retrieve dynamically updated+-- credentials from an IORef. Credentials can be loaded from PEM-encoded chain+-- and key files using 'TLS.credentialLoadX509'.+--+-- @since 3.4.13+tlsSettingsSni :: (Maybe TLS.HostName -> IO TLS.Credentials) -> TLSSettings+tlsSettingsSni onServerNameIndicationHook =+ defaultTlsSettings+ { tlsCredentials = Just (TLS.Credentials [])+ , tlsServerHooks = (tlsServerHooks defaultTlsSettings)+ { TLS.onServerNameIndication = onServerNameIndicationHook+ }+ }+ -- | A smart constructor for 'TLSSettings', but uses references to in-memory -- representations of the certificate and key based on 'defaultTlsSettings'. -- -- @since 3.3.0 tlsSettingsRef- :: I.IORef S.ByteString -- ^ Reference to certificate bytes- -> I.IORef S.ByteString -- ^ Reference to key bytes+ :: I.IORef S.ByteString+ -- ^ Reference to certificate bytes+ -> I.IORef S.ByteString+ -- ^ Reference to key bytes -> TLSSettings-tlsSettingsRef cert key = defaultTlsSettings {- certSettings = CertFromRef cert [] key- }+tlsSettingsRef cert key =+ defaultTlsSettings+ { certSettings = CertFromRef cert [] key+ } +{-# DEPRECATED tlsSettingsRef "This function was added to allow Warp to serve new certificates without restarting, but it has always behaved the same as 'tlsSettingsMemory'. It will be removed in the next major release. To retain existing behavior, swich to 'tlsSettingsMemory'. To dynamically update credentials, see 'tlsSettingsSni'." #-}+ -- | A smart constructor for 'TLSSettings', but uses references to in-memory -- representations of the certificate and key based on 'defaultTlsSettings'. -- -- @since 3.3.0 tlsSettingsChainRef- :: I.IORef S.ByteString -- ^ Reference to certificate bytes- -> [I.IORef S.ByteString] -- ^ Reference to chain certificate bytes- -> I.IORef S.ByteString -- ^ Reference to key bytes+ :: I.IORef S.ByteString+ -- ^ Reference to certificate bytes+ -> [I.IORef S.ByteString]+ -- ^ Reference to chain certificate bytes+ -> I.IORef S.ByteString+ -- ^ Reference to key bytes -> TLSSettings-tlsSettingsChainRef cert chainCerts key = defaultTlsSettings {- certSettings = CertFromRef cert chainCerts key- }+tlsSettingsChainRef cert chainCerts key =+ defaultTlsSettings+ { certSettings = CertFromRef cert chainCerts key+ } +{-# DEPRECATED tlsSettingsChainRef "This function was added to allow Warp to serve new certificates without restarting, but it has always behaved the same as 'tlsSettingsChainMemory'. It will be removed in the next major release. To retain existing behavior, swich to 'tlsSettingsChainMemory'. To dynamically update credentials, see 'tlsSettingsSni'." #-}+ ---------------------------------------------------------------- -- | Running 'Application' with 'TLSSettings' and 'Settings'. runTLS :: TLSSettings -> Settings -> Application -> IO ()-runTLS tset set app = withSocketsDo $- bracket- (bindPortTCP (getPort set) (getHost set))- close- (\sock -> do- setSocketCloseOnExec sock- runTLSSocket tset set sock app)+runTLS tset set app =+ withSocketsDo $+ bracket+ (bindPortTCP (getPort set) (getHost set))+ close+ ( \sock -> do+ setSocketCloseOnExec sock+ runTLSSocket tset set sock app+ ) ---------------------------------------------------------------- loadCredentials :: TLSSettings -> IO TLS.Credentials-loadCredentials TLSSettings{ tlsCredentials = Just creds } = return creds+loadCredentials TLSSettings{tlsCredentials = Just creds} = return creds loadCredentials TLSSettings{..} = case certSettings of- CertFromFile cert chainFiles key -> do- cred <- either error id <$> TLS.credentialLoadX509Chain cert chainFiles key- return $ TLS.Credentials [cred]- CertFromRef certRef chainCertsRef keyRef -> do- cert <- I.readIORef certRef- chainCerts <- mapM I.readIORef chainCertsRef- key <- I.readIORef keyRef- cred <- either error return $ TLS.credentialLoadX509ChainFromMemory cert chainCerts key- return $ TLS.Credentials [cred]- CertFromMemory certMemory chainCertsMemory keyMemory -> do- cred <- either error return $ TLS.credentialLoadX509ChainFromMemory certMemory chainCertsMemory keyMemory- return $ TLS.Credentials [cred]+ CertFromFile cert chainFiles key -> do+ cred <- either error id <$> TLS.credentialLoadX509Chain cert chainFiles key+ return $ TLS.Credentials [cred]+ CertFromRef certRef chainCertsRef keyRef -> do+ cert <- I.readIORef certRef+ chainCerts <- mapM I.readIORef chainCertsRef+ key <- I.readIORef keyRef+ cred <-+ either error return $ TLS.credentialLoadX509ChainFromMemory cert chainCerts key+ return $ TLS.Credentials [cred]+ CertFromMemory certMemory chainCertsMemory keyMemory -> do+ cred <-+ either error return $+ TLS.credentialLoadX509ChainFromMemory certMemory chainCertsMemory keyMemory+ return $ TLS.Credentials [cred] getSessionManager :: TLSSettings -> IO TLS.SessionManager-getSessionManager TLSSettings{ tlsSessionManager = Just mgr } = return mgr+getSessionManager TLSSettings{tlsSessionManager = Just mgr} = return mgr getSessionManager TLSSettings{..} = case tlsSessionManagerConfig of- Nothing -> return TLS.noSessionManager- Just config -> SM.newSessionManager config+ Nothing -> return TLS.noSessionManager+ Just config -> SM.newSessionManager config -- | Running 'Application' with 'TLSSettings' and 'Settings' using -- specified 'Socket'. runTLSSocket :: TLSSettings -> Settings -> Socket -> Application -> IO () runTLSSocket tlsset set sock app = do+ settingsInstallShutdownHandler set (close sock) credentials <- loadCredentials tlsset mgr <- getSessionManager tlsset runTLSSocket' tlsset set credentials mgr sock app -runTLSSocket' :: TLSSettings -> Settings -> TLS.Credentials -> TLS.SessionManager -> Socket -> Application -> IO ()-runTLSSocket' tlsset@TLSSettings{..} set credentials mgr sock =- runSettingsConnectionMakerSecure set get+runTLSSocket'+ :: TLSSettings+ -> Settings+ -> TLS.Credentials+ -> TLS.SessionManager+ -> Socket+ -> Application+ -> IO ()+runTLSSocket' tlsset@TLSSettings{..} set credentials mgr sock app = do+#if MIN_VERSION_warp(3,4,13)+ (_, newSettings) <- makeServerState set+ let get = getter tlsset newSettings sock params+ runSettingsConnectionMakerSecure newSettings get app+#else+ let get = getter tlsset set sock params+ runSettingsConnectionMakerSecure set get app+#endif where- get = getter tlsset set sock params- params = def { -- TLS.ServerParams- TLS.serverWantClientCert = tlsWantClientCert- , TLS.serverCACertificates = []- , TLS.serverDHEParams = tlsServerDHEParams- , TLS.serverHooks = hooks- , TLS.serverShared = shared- , TLS.serverSupported = supported+ params =+ TLS.defaultParamsServer+ { TLS.serverWantClientCert = tlsWantClientCert+ , TLS.serverCACertificates = []+ , TLS.serverDHEParams = tlsServerDHEParams+ , TLS.serverHooks = hooks+ , TLS.serverShared = shared+ , TLS.serverSupported = supported #if MIN_VERSION_tls(1,5,0)- , TLS.serverEarlyDataSize = 2018+ , TLS.serverEarlyDataSize = 2018 #endif- }+ } -- Adding alpn to user's tlsServerHooks.- hooks = tlsServerHooks {- TLS.onALPNClientSuggest = TLS.onALPNClientSuggest tlsServerHooks <|>- (if settingsHTTP2Enabled set then Just alpn else Nothing)- }- shared = def {- TLS.sharedCredentials = credentials- , TLS.sharedSessionManager = mgr- }- supported = def { -- TLS.Supported- TLS.supportedVersions = tlsAllowedVersions- , TLS.supportedCiphers = tlsCiphers- , TLS.supportedCompressions = [TLS.nullCompression]- , TLS.supportedSecureRenegotiation = True- , TLS.supportedClientInitiatedRenegotiation = False- , TLS.supportedSession = True- , TLS.supportedFallbackScsv = True- , TLS.supportedHashSignatures = tlsSupportedHashSignatures+ hooks =+ tlsServerHooks+ { TLS.onALPNClientSuggest =+ TLS.onALPNClientSuggest tlsServerHooks+ <|> (if settingsHTTP2Enabled set then Just alpn else Nothing)+ }+ shared =+ TLS.defaultShared+ { TLS.sharedCredentials = credentials+ , TLS.sharedSessionManager = mgr+ }+ supported =+ TLS.defaultSupported+ { TLS.supportedVersions = tlsAllowedVersions+ , TLS.supportedCiphers = tlsCiphers+ , TLS.supportedCompressions = [TLS.nullCompression]+ , TLS.supportedSecureRenegotiation = True+ , TLS.supportedClientInitiatedRenegotiation = False+ , TLS.supportedSession = True+ , TLS.supportedFallbackScsv = True+ , TLS.supportedHashSignatures = tlsSupportedHashSignatures #if MIN_VERSION_tls(1,5,0)- , TLS.supportedGroups = [TLS.X25519,TLS.P256,TLS.P384]+ , TLS.supportedGroups = [TLS.X25519,TLS.P256,TLS.P384] #endif- }+ } alpn :: [S.ByteString] -> IO S.ByteString alpn xs- | "h2" `elem` xs = return "h2"- | otherwise = return "http/1.1"+ | "h2" `elem` xs = return "h2"+ | otherwise = return "http/1.1" ---------------------------------------------------------------- -getter :: TLS.TLSParams params => TLSSettings -> Settings -> Socket -> params -> IO (IO (Connection, Transport), SockAddr)+getter+ :: TLS.TLSParams params+ => TLSSettings+ -> Settings+ -> Socket+ -> params+ -> IO (IO (Connection, Transport), SockAddr) getter tlsset set@Settings{settingsAccept = accept'} sock params = do (s, sa) <- accept' sock setSocketCloseOnExec s return (mkConn tlsset set s params, sa) -mkConn :: TLS.TLSParams params => TLSSettings -> Settings -> Socket -> params -> IO (Connection, Transport)-mkConn tlsset set s params = (safeRecv s 4096 >>= switch) `onException` close s+mkConn+ :: TLS.TLSParams params+ => TLSSettings+ -> Settings+ -> Socket+ -> params+ -> IO (Connection, Transport)+mkConn tlsset set s params = do+ let tm = settingsTimeout set * 1000000+ mbs <- timeout tm recvFirstBS+ case mbs of+ Nothing -> throwIO IncompleteHeaders+ Just bs -> switch bs where+ recvFirstBS = safeRecv s 4096 `onException` close s switch firstBS | S.null firstBS = close s >> throwIO ClientClosedConnectionPrematurely | S.head firstBS == 0x16 = httpOverTls tlsset set s firstBS params@@ -288,113 +367,186 @@ ---------------------------------------------------------------- -httpOverTls :: TLS.TLSParams params => TLSSettings -> Settings -> Socket -> S.ByteString -> params -> IO (Connection, Transport)-httpOverTls TLSSettings{..} _set s bs0 params = do- pool <- newBufferPool 2048 16384- rawRecvN <- makeRecvN bs0 $ receive s pool- let recvN = wrappedRecvN rawRecvN- ctx <- TLS.contextNew (backend recvN) params- TLS.contextHookSetLogging ctx tlsLogging- TLS.handshake ctx+isAsyncException :: Exception e => e -> Bool+isAsyncException e =+ case E.fromException (E.toException e) of+ Just (E.SomeAsyncException _) -> True+ Nothing -> False++throughAsync :: IO a -> SomeException -> IO a+throughAsync action (SomeException e)+ | isAsyncException e = E.throwIO e+ | otherwise = action++httpOverTls+ :: TLS.TLSParams params+ => TLSSettings+ -> Settings+ -> Socket+ -> S.ByteString+ -> params+ -> IO (Connection, Transport)+httpOverTls TLSSettings{..} set s bs0 params =+ makeConn `onException` close s+ where+ makeConn = do+ pool <- newBufferPool 2048 16384+#if MIN_VERSION_warp(3,4,13)+ appsInProgress <- newTVarIO 0+ (ss, _) <- makeServerState set+ let recv = makeGracefulRecv s pool ss appsInProgress+#else+ let recv = receive s pool+#endif+ rawRecvN <- makeRecvN bs0 recv+ let recvN = wrappedRecvN rawRecvN+ ctx <- TLS.contextNew (backend recvN) params+ TLS.contextHookSetLogging ctx tlsLogging+ let tm = settingsTimeout set * 1000000+ mconn <- timeout tm $ do+ TLS.handshake ctx+ mysa <- getSocketName s+#if MIN_VERSION_warp(3,4,13)+ attachConn mysa ctx appsInProgress+#else+ attachConn mysa ctx+#endif+ case mconn of+ Nothing -> throwIO IncompleteHeaders+ Just conn -> return conn+ wrappedRecvN recvN n = handle (throughAsync (return "")) $ recvN n+ backend recvN =+ TLS.Backend+ { TLS.backendFlush = return ()+#if MIN_VERSION_network(3,1,1)+ , TLS.backendClose =+ gracefulClose s 5000 `E.catch` throughAsync (return ())+#else+ , TLS.backendClose = close s+#endif+ , TLS.backendSend = sendAll' s+ , TLS.backendRecv = recvN+ }+ sendAll' sock bs =+ E.handleJust+ ( \e ->+ if ioeGetErrorType e == ResourceVanished+ then Just ConnectionClosedByPeer+ else Nothing+ )+ throwIO+ $ sendAll sock bs++-- | Get "Connection" and "Transport" for a TLS connection that is already did the handshake.+-- @since 3.4.7+attachConn+ :: SockAddr+ -> TLS.Context+#if MIN_VERSION_warp(3,4,13)+ -> TVar Int -> IO (Connection, Transport)+attachConn mysa ctx appsInProgress = do+#else+ -> IO (Connection, Transport)+attachConn mysa ctx = do+#endif h2 <- (== Just "h2") <$> TLS.getNegotiatedProtocol ctx isH2 <- I.newIORef h2 writeBuffer <- createWriteBuffer 16384 writeBufferRef <- I.newIORef writeBuffer -- Creating a cache for leftover input data. tls <- getTLSinfo ctx- return (conn ctx writeBufferRef isH2, tls)+ return (conn writeBufferRef isH2, tls) where- backend recvN = TLS.Backend {- TLS.backendFlush = return ()-#if MIN_VERSION_network(3,1,1)- , TLS.backendClose = gracefulClose s 5000 `E.catch` \(SomeException _) -> return ()-#else- , TLS.backendClose = close s+ conn writeBufferRef isH2 =+ Connection+ { connSendMany = TLS.sendData ctx . L.fromChunks+ , connSendAll = sendall+ , connSendFile = sendfile+ , connClose = close'+ , connRecv = recv+ , connRecvBuf = \_ _ -> return True -- obsoleted+ , connWriteBuffer = writeBufferRef+ , connHTTP2 = isH2+ , connMySockAddr = mysa+#if MIN_VERSION_warp(3,4,13)+ , connAppsInProgress = appsInProgress #endif- , TLS.backendSend = sendAll' s- , TLS.backendRecv = recvN- }- sendAll' sock bs = E.handleJust- (\ e -> if ioeGetErrorType e == ResourceVanished- then Just ConnectionClosedByPeer- else Nothing)- throwIO- $ sendAll sock bs- conn ctx writeBufferRef isH2 = Connection {- connSendMany = TLS.sendData ctx . L.fromChunks- , connSendAll = sendall- , connSendFile = sendfile- , connClose = close'- , connRecv = recv- , connRecvBuf = \_ _ -> return True -- obsoleted- , connWriteBuffer = writeBufferRef- , connHTTP2 = isH2- }+ } where sendall = TLS.sendData ctx . L.fromChunks . return recv = handle onEOF $ TLS.recvData ctx where onEOF e- | Just TLS.Error_EOF <- fromException e = return S.empty- | Just ioe <- fromException e, isEOFError ioe = return S.empty | otherwise = throwIO e+#if MIN_VERSION_tls(1,8,0)+ | Just (TLS.PostHandshake TLS.Error_EOF) <- E.fromException e = return S.empty+#else+ | Just TLS.Error_EOF <- fromException e = return S.empty+#endif+ | Just ioe <- fromException e, isEOFError ioe = return S.empty+ | otherwise = throwIO e sendfile fid offset len hook headers = do writeBuffer <- I.readIORef writeBufferRef- readSendFile (bufBuffer writeBuffer) (bufSize writeBuffer) sendall fid offset len hook headers+ readSendFile+ (bufBuffer writeBuffer)+ (bufSize writeBuffer)+ sendall+ fid+ offset+ len+ hook+ headers - close' = void (tryIO sendBye) `finally`- TLS.contextClose ctx+ close' =+ void (tryIO sendBye)+ `finally` TLS.contextClose ctx sendBye =- -- It's fine if the connection was closed by the other side before- -- receiving close_notify, see RFC 5246 section 7.2.1.- handleJust- (\e -> guard (e == ConnectionClosedByPeer) >> return e)- (const (return ()))- (TLS.bye ctx)--- wrappedRecvN recvN n = handleAny handler $ recvN n- handler :: SomeException -> IO S.ByteString- handler _ = return ""+ -- It's fine if the connection was closed by the other side before+ -- receiving close_notify, see RFC 5246 section 7.2.1.+ handleJust+ (\e -> guard (e == ConnectionClosedByPeer) >> return e)+ (const (return ()))+ (TLS.bye ctx) getTLSinfo :: TLS.Context -> IO Transport getTLSinfo ctx = do proto <- TLS.getNegotiatedProtocol ctx minfo <- TLS.contextGetInformation ctx case minfo of- Nothing -> return TCP- Just TLS.Information{..} -> do- let (major, minor) = case infoVersion of- TLS.SSL2 -> (2,0)- TLS.SSL3 -> (3,0)- TLS.TLS10 -> (3,1)- TLS.TLS11 -> (3,2)- TLS.TLS12 -> (3,3)-#if MIN_VERSION_tls(1,5,0)- TLS.TLS13 -> (3,4)-#endif+ Nothing -> return TCP+ Just info -> do+ let (major, minor) = case TLS.infoVersion info of+ TLS.SSL2 -> (2, 0)+ TLS.SSL3 -> (3, 0)+ TLS.TLS10 -> (3, 1)+ TLS.TLS11 -> (3, 2)+ TLS.TLS12 -> (3, 3)+ _ -> (3,4) clientCert <- TLS.getClientCertificateChain ctx- return TLS {- tlsMajorVersion = major- , tlsMinorVersion = minor- , tlsNegotiatedProtocol = proto- , tlsChiperID = TLS.cipherID infoCipher- , tlsClientCertificate = clientCert- }+ return+ TLS+ { tlsMajorVersion = major+ , tlsMinorVersion = minor+ , tlsNegotiatedProtocol = proto+ , tlsChiperID = TLS.cipherID $ TLS.infoCipher info+ , tlsClientCertificate = clientCert+ } tryIO :: IO a -> IO (Either IOException a) tryIO = try ---------------------------------------------------------------- -plainHTTP :: TLSSettings -> Settings -> Socket -> S.ByteString -> IO (Connection, Transport)+plainHTTP+ :: TLSSettings -> Settings -> Socket -> S.ByteString -> IO (Connection, Transport) plainHTTP TLSSettings{..} set s bs0 = case onInsecure of AllowInsecure -> do conn' <- socketConnection set s cachedRef <- I.newIORef bs0- let conn'' = conn'- { connRecv = recvPlain cachedRef (connRecv conn')- }+ let conn'' =+ conn'+ { connRecv = recvPlain cachedRef (connRecv conn')+ } return (conn'', TCP) DenyInsecure lbs -> do -- Listening port 443 but TLS records do not arrive.@@ -407,10 +559,12 @@ -- GOAWAY + INADEQUATE_SECURITY? -- FIXME: Content-Length: -- FIXME: TLS/<version>- sendAll s "HTTP/1.1 426 Upgrade Required\- \r\nUpgrade: TLS/1.0, HTTP/1.1\- \r\nConnection: Upgrade\- \r\nContent-Type: text/plain\r\n\r\n"+ sendAll+ s+ "HTTP/1.1 426 Upgrade Required\+ \\r\nUpgrade: TLS/1.0, HTTP/1.1\+ \\r\nConnection: Upgrade\+ \\r\nContent-Type: text/plain\r\n\r\n" mapM_ (sendAll s) $ L.toChunks lbs close s throwIO InsecureConnectionDenied
Network/Wai/Handler/WarpTLS/Internal.hs view
@@ -1,17 +1,20 @@-{-# LANGUAGE CPP #-}+{-# LANGUAGE OverloadedStrings #-} module Network.Wai.Handler.WarpTLS.Internal (- CertSettings(..)- , TLSSettings(..)- , OnInsecure(..)+ CertSettings (..),+ TLSSettings (..),+ defaultTlsSettings,+ OnInsecure (..),+ -- * Accessors- , getCertSettings- ) where+ getCertSettings,+) where import qualified Data.ByteString as S import qualified Data.ByteString.Lazy as L import qualified Data.IORef as I import qualified Network.TLS as TLS+import qualified Network.TLS.Extra as TLSExtra import qualified Network.TLS.SessionManager as SM ----------------------------------------------------------------@@ -19,75 +22,61 @@ -- | Determines where to load the certificate, chain -- certificates, and key from. data CertSettings- = CertFromFile !FilePath ![FilePath] !FilePath- | CertFromMemory !S.ByteString ![S.ByteString] !S.ByteString- | CertFromRef !(I.IORef S.ByteString) ![I.IORef S.ByteString] !(I.IORef S.ByteString)+ = CertFromFile !FilePath ![FilePath] !FilePath+ | CertFromMemory !S.ByteString ![S.ByteString] !S.ByteString+ | CertFromRef+ !(I.IORef S.ByteString)+ ![I.IORef S.ByteString]+ !(I.IORef S.ByteString) +instance Show CertSettings where+ show (CertFromFile a b c) = "CertFromFile " ++ show a ++ " " ++ show b ++ " " ++ show c+ show (CertFromMemory a b c) = "CertFromMemory " ++ show a ++ " " ++ show b ++ " " ++ show c+ show CertFromRef{} = "CertFromRef"+ ---------------------------------------------------------------- -- | An action when a plain HTTP comes to HTTP over TLS/SSL port.-data OnInsecure = DenyInsecure L.ByteString- | AllowInsecure- deriving (Show)+data OnInsecure+ = DenyInsecure L.ByteString+ | AllowInsecure+ deriving (Show) ---------------------------------------------------------------- -- | Settings for WarpTLS.-data TLSSettings = TLSSettings {- certSettings :: CertSettings+data TLSSettings = TLSSettings+ { certSettings :: CertSettings -- ^ Where are the certificate, chain certificates, and key -- loaded from? -- -- >>> certSettings defaultTlsSettings- -- tlsSettings "certificate.pem" "key.pem"+ -- CertFromFile "certificate.pem" [] "key.pem" -- -- @since 3.3.0- , onInsecure :: OnInsecure+ , onInsecure :: OnInsecure -- ^ Do we allow insecure connections with this server as well? -- -- >>> onInsecure defaultTlsSettings -- DenyInsecure "This server only accepts secure HTTPS connections." -- -- Since 1.4.0- , tlsLogging :: TLS.Logging+ , tlsLogging :: TLS.Logging -- ^ The level of logging to turn on. -- -- Default: 'TLS.defaultLogging'. -- -- Since 1.4.0- , tlsAllowedVersions :: [TLS.Version]-#if MIN_VERSION_tls(1,5,0)+ , tlsAllowedVersions :: [TLS.Version] -- ^ The TLS versions this server accepts. --- -- >>> tlsAllowedVersions defaultTlsSettings- -- [TLS13,TLS12,TLS11,TLS10]- -- -- Since 1.4.2-#else- -- ^ The TLS versions this server accepts.- --- -- >>> tlsAllowedVersions defaultTlsSettings- -- [TLS12,TLS11,TLS10]- --- -- Since 1.4.2-#endif- , tlsCiphers :: [TLS.Cipher]-#if MIN_VERSION_tls(1,5,0)+ , tlsCiphers+ :: [TLS.Cipher] -- ^ The TLS ciphers this server accepts. --- -- >>> tlsCiphers defaultTlsSettings- -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1,AES128GCM-SHA256,AES256GCM-SHA384]- -- -- Since 1.4.2-#else- -- ^ The TLS ciphers this server accepts.- --- -- >>> tlsCiphers defaultTlsSettings- -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1]- --- -- Since 1.4.2-#endif- , tlsWantClientCert :: Bool+ , tlsWantClientCert :: Bool -- ^ Whether or not to demand a certificate from the client. If this -- is set to True, you must handle received certificates in a server hook -- or all connections will fail.@@ -96,22 +85,22 @@ -- False -- -- Since 3.0.2- , tlsServerHooks :: TLS.ServerHooks+ , tlsServerHooks :: TLS.ServerHooks -- ^ The server-side hooks called by the tls package, including actions -- to take when a client certificate is received. See the "Network.TLS" -- module for details. --- -- Default: def+ -- Default: defaultServerHooks -- -- Since 3.0.2- , tlsServerDHEParams :: Maybe TLS.DHParams+ , tlsServerDHEParams :: Maybe TLS.DHParams -- ^ Configuration for ServerDHEParams -- more function lives in `crypton` package -- -- Default: Nothing -- -- Since 3.2.2- , tlsSessionManagerConfig :: Maybe SM.Config+ , tlsSessionManagerConfig :: Maybe SM.Config -- ^ Configuration for in-memory TLS session manager. -- If Nothing, 'TLS.noSessionManager' is used. -- Otherwise, an in-memory TLS session manager is created@@ -120,25 +109,53 @@ -- Default: Nothing -- -- Since 3.2.4- , tlsCredentials :: Maybe TLS.Credentials+ , tlsCredentials :: Maybe TLS.Credentials -- ^ Specifying 'TLS.Credentials' directly. If this value is -- specified, other fields such as 'certFile' are ignored. -- -- Since 3.2.12- , tlsSessionManager :: Maybe TLS.SessionManager+ , tlsSessionManager :: Maybe TLS.SessionManager -- ^ Specifying 'TLS.SessionManager' directly. If this value is -- specified, 'tlsSessionManagerConfig' is ignored. -- -- Since 3.2.12- , tlsSupportedHashSignatures :: [TLS.HashAndSignatureAlgorithm]+ , tlsSupportedHashSignatures :: [TLS.HashAndSignatureAlgorithm] -- ^ Specifying supported hash/signature algorithms, ordered by decreasing -- priority. See the "Network.TLS" module for details -- -- Since 3.3.3- }-+ } -- Since 3.3.1+ -- | Some programs need access to cert settings getCertSettings :: TLSSettings -> CertSettings-getCertSettings tlsSetgs = certSettings tlsSetgs+getCertSettings = certSettings++-- | The default 'CertSettings'.+defaultCertSettings :: CertSettings+defaultCertSettings = CertFromFile "certificate.pem" [] "key.pem"++----------------------------------------------------------------++-- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors).+defaultTlsSettings :: TLSSettings+defaultTlsSettings =+ TLSSettings+ { certSettings = defaultCertSettings+ , onInsecure = DenyInsecure "This server only accepts secure HTTPS connections."+ , tlsLogging = TLS.defaultLogging+ , tlsAllowedVersions = TLS.supportedVersions TLS.defaultSupported+ , tlsCiphers = ciphers+ , tlsWantClientCert = False+ , tlsServerHooks = TLS.defaultServerHooks+ , tlsServerDHEParams = Nothing+ , tlsSessionManagerConfig = Nothing+ , tlsCredentials = Nothing+ , tlsSessionManager = Nothing+ , tlsSupportedHashSignatures = TLS.supportedHashSignatures TLS.defaultSupported+ }++-- taken from stunnel example in tls-extra+ciphers :: [TLS.Cipher]+ciphers = TLSExtra.ciphersuite_strong
warp-tls.cabal view
@@ -1,5 +1,5 @@ Name: warp-tls-Version: 3.3.7+Version: 3.4.14 Synopsis: HTTP over TLS support for Warp via the TLS package License: MIT License-file: LICENSE@@ -21,13 +21,12 @@ Build-Depends: base >= 4.12 && < 5 , bytestring >= 0.9 , wai >= 3.2 && < 3.3- , warp >= 3.3.23 && < 3.4- , data-default-class >= 0.0.1- , tls >= 1.7+ , warp >= 3.3.29 && < 3.5+ , tls >= 2.1.3 && < 2.5 , network >= 2.2.1 , streaming-commons+ , stm >= 2.3 , tls-session-manager >= 0.0.4- , unliftio , recv >= 0.1.0 && < 0.2.0 Exposed-modules: Network.Wai.Handler.WarpTLS Network.Wai.Handler.WarpTLS.Internal@@ -41,4 +40,5 @@ source-repository head type: git- location: git://github.com/yesodweb/wai.git+ location: https://github.com/yesodweb/wai.git+ subdir: warp-tls