2011-08-14 07:17:21 +00:00
|
|
|
haskell TLS
|
|
|
|
===========
|
|
|
|
|
|
|
|
This library provide native Haskell TLS and SSL protocol implementation for server and client.
|
|
|
|
|
|
|
|
Description
|
|
|
|
-----------
|
|
|
|
|
|
|
|
This provides a high-level implementation of a sensitive security protocol,
|
|
|
|
eliminating a common set of security issues through the use of the advanced
|
|
|
|
type system, high level constructions and common Haskell features.
|
|
|
|
|
|
|
|
Features
|
|
|
|
--------
|
|
|
|
|
|
|
|
* tiny code base (more than 20 times smaller than openSSL, and 10 times smaller than gnuTLS)
|
2012-11-04 10:36:41 +00:00
|
|
|
* client certificates.
|
2011-08-17 19:50:57 +00:00
|
|
|
* permissive license: BSD3.
|
|
|
|
* supported versions: SSL3, TLS1.0, TLS1.1, TLS1.2.
|
2013-12-14 07:12:49 +00:00
|
|
|
* key exchange supported: RSA, DHE-RSA.
|
2011-08-14 07:17:21 +00:00
|
|
|
* bulk algorithm supported: any stream or block ciphers.
|
2012-11-04 10:36:41 +00:00
|
|
|
* supported extensions: secure renegociation, next protocol negotiation (draft 2), server name indication.
|
2011-08-14 07:17:21 +00:00
|
|
|
|
2012-04-16 19:43:01 +00:00
|
|
|
Common Issues
|
2012-12-04 14:15:51 +00:00
|
|
|
=============
|
2012-04-16 19:43:01 +00:00
|
|
|
|
|
|
|
The tools mentioned below are all available from the tls-debug package.
|
|
|
|
|
2012-12-04 14:15:51 +00:00
|
|
|
Certificate issues
|
|
|
|
------------------
|
2012-04-16 19:43:01 +00:00
|
|
|
|
|
|
|
It's useful to run the following command, which will connect to the destination and
|
|
|
|
retrieve the certificate chained used.
|
|
|
|
|
|
|
|
tls-retrievecertificate -d <destination> -p <port> -v -c
|
|
|
|
|
|
|
|
As an output it will print every certificates in the chain and will gives the issuer and subjects of each.
|
|
|
|
It creates a chain where issuer of certificate is the subject of the next certificate part of the chain:
|
|
|
|
|
|
|
|
(subject #1, issuer #2) -> (subject #2, issuer #3) -> (subject #3, issuer #3)
|
|
|
|
|
|
|
|
A "CA is unknown" error indicates that your system doesn't have a certificate in
|
|
|
|
the trusted store belonging to any of the node of the chain.
|
|
|
|
|
2012-12-04 14:15:51 +00:00
|
|
|
TLS issues
|
|
|
|
----------
|
|
|
|
|
|
|
|
When having unknown issues with TLS, if your protocol is HTTP based it's useful to use tls-simpleclient from the
|
|
|
|
tls-debug package.
|
|
|
|
|
|
|
|
tls-simpleclient -d -v <www.myserver.com> <port>
|
|
|
|
|
|
|
|
This provides useful information for debugging issues related to TLS.
|