hs-tls/README.md

haskell TLS
===========

This library provides native Haskell TLS and SSL protocol implementation for server and client.

Description
-----------

This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features.

Features
--------

* tiny codebase (more than 20 times smaller than OpenSSL, and 10 times smaller than gnuTLS)
* client certificates
* permissive license: BSD3
* supported versions: SSL3, TLS1.0, TLS1.1, TLS1.2
* key exchange supported: RSA, DHE-RSA, DHE-DSS
* bulk algorithm supported: any stream or block ciphers
* supported extensions: secure renegociation, next protocol negotiation (draft 2), server name indication

Common Issues
=============

The tools mentioned below are all available from the tls-debug package.

Certificate issues
------------------

It's useful to run the following command, which will connect to the destination and
retrieve the certificate chained used.

    tls-retrievecertificate -d <destination> -p <port> -v -c

As an output it will print every certificate in the chain and will give the issuer and subjects of each.
It creates a chain where issuer of certificate is the subject of the next certificate part of the chain:

    (subject #1, issuer #2) -> (subject #2, issuer #3) -> (subject #3, issuer #3)

A "CA is unknown" error indicates that your system doesn't have a certificate in
the trusted store belonging to any of the node of the chain.

TLS issues
----------

When having unknown issues with TLS, if your protocol is HTTP based it's useful to use tls-simpleclient from the
tls-debug package.

    tls-simpleclient -d -v <www.myserver.com> <port>

This provides useful information for debugging issues related to TLS.
move README into README.md and update content 2011-08-14 07:17:21 +00:00			`haskell TLS`
			`===========`

spelling and grammar 2014-04-09 02:10:34 +00:00			`This library provides native Haskell TLS and SSL protocol implementation for server and client.`
move README into README.md and update content 2011-08-14 07:17:21 +00:00
			`Description`
			`-----------`

			`This provides a high-level implementation of a sensitive security protocol,`
			`eliminating a common set of security issues through the use of the advanced`
			`type system, high level constructions and common Haskell features.`

			`Features`
			`--------`

spelling and grammar 2014-04-09 02:10:34 +00:00			`* tiny codebase (more than 20 times smaller than OpenSSL, and 10 times smaller than gnuTLS)`
			`* client certificates`
			`* permissive license: BSD3`
			`* supported versions: SSL3, TLS1.0, TLS1.1, TLS1.2`
			`* key exchange supported: RSA, DHE-RSA, DHE-DSS`
			`* bulk algorithm supported: any stream or block ciphers`
			`* supported extensions: secure renegociation, next protocol negotiation (draft 2), server name indication`
move README into README.md and update content 2011-08-14 07:17:21 +00:00
add some debug info 2012-04-16 19:43:01 +00:00			`Common Issues`
add simpleclient information 2012-12-04 14:15:51 +00:00			`=============`
add some debug info 2012-04-16 19:43:01 +00:00
			`The tools mentioned below are all available from the tls-debug package.`

add simpleclient information 2012-12-04 14:15:51 +00:00			`Certificate issues`
			`------------------`
add some debug info 2012-04-16 19:43:01 +00:00
			`It's useful to run the following command, which will connect to the destination and`
			`retrieve the certificate chained used.`

			`tls-retrievecertificate -d <destination> -p <port> -v -c`

spelling and grammar 2014-04-09 02:10:34 +00:00			`As an output it will print every certificate in the chain and will give the issuer and subjects of each.`
add some debug info 2012-04-16 19:43:01 +00:00			`It creates a chain where issuer of certificate is the subject of the next certificate part of the chain:`

			`(subject #1, issuer #2) -> (subject #2, issuer #3) -> (subject #3, issuer #3)`

			`A "CA is unknown" error indicates that your system doesn't have a certificate in`
			`the trusted store belonging to any of the node of the chain.`

add simpleclient information 2012-12-04 14:15:51 +00:00			`TLS issues`
			`----------`

			`When having unknown issues with TLS, if your protocol is HTTP based it's useful to use tls-simpleclient from the`
			`tls-debug package.`

			`tls-simpleclient -d -v <www.myserver.com> <port>`

			`This provides useful information for debugging issues related to TLS.`