Apr 18th, 2015
module TLS where

-- |
--
-- This is something like what I want from a TLS API. The TLS
-- library should provide a single call: "give me a secure
-- connection to $HOST". All possibilities for authenticating the
-- peer, including CRL, OCSP, DANE, etc., should be accounted for in
-- a configuration type, and the library should take care of all the
-- details.
--
-- The library should provide some sensible default configurations,
-- and it should be prepared to remove/reject unsafe configurations
-- in future versions of the library.
--
-- The following is an example of what I expect. It is not complete
-- (for example, there is no CRL policy or configuration of
-- acceptable key strengths, cipher suites or key exchange
-- protocols).

-- Only the names actually used are imported, so that Data.Set's
-- map/filter/null etc. cannot clash with the Prelude.
import Data.Set (Set, fromList)

-- Opaque placeholder types; a real library would define these.
data Hostname
data Port
data TrustStore
data Socket
data TLSError

data HostVerifyPolicy
  = HostMismatchReject
    -- ^ If hostname is not present in CN or subjectAltName extension
    -- reject the certificate.
  | HostMismatchIgnore
    -- ^ Continue connecting even if hostname is not present in CN or
    -- subjectAltName extension. Certificate may still be rejected
    -- for other reasons.

data OcspResponderFailurePolicy
  = OcspResponderFailureReject
    -- ^ Failure to get a response from the appointed OCSP responder
    -- results in validation failure.
  | OcspResponderFailureIgnore
    -- ^ Failure to get a response from the appointed OCSP responder
    -- is treated like the cert had no OCSP authorityInfoAccess.

data OcspLookupPolicy
  = OcspStapledOrResponder
    -- ^ Prefer stapled response, otherwise attempt to contact OCSP responder.
  | OcspStapledOnly
    -- ^ Only use stapled responses.
  | OcspResponderOnly
    -- ^ Ignore stapled response; always attempt to use responses
    -- directly from OCSP responder.

data OcspPolicy
  = OcspRequire
    -- ^ OCSP validity is required
  | OcspIfAvailable
    -- ^ OCSP is checked if a response is available according to the
    -- active 'OcspLookupPolicy'
  | OcspNone
    -- ^ No OCSP validity checking is performed at all

-- The four TLSA certificate usages (RFC 6698 usage field values 0-3).
data DaneCertificateUsage
  = CaConstraint
  | ServiceCertificateConstraint
  | TrustAnchorAssertion
  | DomainIssuedCertificate
  deriving (Eq, Ord)

-- The set of TLSA certificate usages the client is willing to honour.
type DanePolicy = Set DaneCertificateUsage

data TrustPolicy
  = TrustAndDaneIfPresent
  | TrustAndDane
  | TrustSufficient
  | DaneSufficient

data TLSParams = TLSParams
  { trustPolicy                 :: TrustPolicy
  , hostVerifyPolicy            :: HostVerifyPolicy
  , ocspPolicy                  :: OcspPolicy
  , ocspLookupPolicy            :: OcspLookupPolicy
  , ocspResponderFailurePolicy  :: OcspResponderFailurePolicy
  , danePolicy                  :: DanePolicy
  }

defaultTLSParams :: TLSParams
defaultTLSParams = TLSParams
  TrustAndDaneIfPresent
  HostMismatchReject
  OcspIfAvailable
  OcspStapledOrResponder
  OcspResponderFailureIgnore
  (fromList
     [ CaConstraint, ServiceCertificateConstraint
     , TrustAnchorAssertion, DomainIssuedCertificate ])

-- The single entry point: the library performs the handshake and all
-- peer authentication according to the supplied TLSParams.
connect
  :: TLSParams
  -> TrustStore
  -> Hostname
  -> Port
  -> IO (Either TLSError Socket)
connect = undefined
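The paste leaves `connect` undefined, so it never shows how the policy fields of `TLSParams` are meant to combine. The following is an added example, not part of the original paste, that makes the combination explicit as a pure evaluator over evidence gathered by a (hypothetical) handshake layer. It assumes the paste above is saved as `TLS.hs` in the same directory; `TLSDecision`, `OcspStatus`, `DaneResult`, `PeerEvidence`, `evaluate`, `goodPeer` and `strictParams` are names introduced here, and the reading of `TrustSufficient` (a validating PKIX chain alone suffices) and `DaneSufficient` (a permitted DANE match alone suffices) is an assumption, since the paste does not define those constructors.

```haskell
module TLSDecision where

import TLS
import qualified Data.Set as Set

-- Revocation status carried by an OCSP response (hypothetical type).
data OcspStatus = OcspGood | OcspRevoked deriving (Eq, Show)

-- Outcome of the DANE/TLSA lookup for the host (hypothetical type).
data DaneResult
  = NoTlsa                          -- no TLSA records published
  | TlsaMatch DaneCertificateUsage  -- a record with this usage matched the cert
  | TlsaMismatch                    -- records exist but none matched

-- Everything the handshake layer learned before policy is applied
-- (hypothetical; a real library would fill this from the chain,
-- the stapled status, the responder and DNS).
data PeerEvidence = PeerEvidence
  { hostnameMatches :: Bool              -- host present in CN or subjectAltName
  , chainsToTrust   :: Bool              -- chain validates against the TrustStore
  , hasOcspAia      :: Bool              -- cert carries an OCSP authorityInfoAccess
  , stapledOcsp     :: Maybe OcspStatus  -- Nothing = nothing stapled
  , responderOcsp   :: Maybe OcspStatus  -- Nothing = responder unreachable
  , daneResult      :: DaneResult
  }

-- Apply every policy field of TLSParams; Left carries the rejection reason.
evaluate :: TLSParams -> PeerEvidence -> Either String ()
evaluate p ev = checkHost >> checkTrust >> checkOcsp
  where
    checkHost = case hostVerifyPolicy p of
      HostMismatchReject | not (hostnameMatches ev) -> Left "hostname not in CN/SAN"
      _                                             -> Right ()

    pkixOk = chainsToTrust ev
    tlsaPresent = case daneResult ev of
      NoTlsa -> False
      _      -> True
    -- A DANE match only counts if its certificate usage is enabled in danePolicy.
    daneOk = case daneResult ev of
      TlsaMatch u -> u `Set.member` danePolicy p
      _           -> False

    -- Assumed reading: TrustSufficient = PKIX alone, DaneSufficient = DANE alone.
    checkTrust = case trustPolicy p of
      TrustAndDaneIfPresent
        | not pkixOk                -> Left "chain does not validate"
        | tlsaPresent && not daneOk -> Left "TLSA published but no DANE match"
        | otherwise                 -> Right ()
      TrustAndDane
        | pkixOk && daneOk -> Right ()
        | otherwise        -> Left "PKIX chain and DANE match both required"
      TrustSufficient
        | pkixOk    -> Right ()
        | otherwise -> Left "chain does not validate"
      DaneSufficient
        | daneOk    -> Right ()
        | otherwise -> Left "no permitted DANE match"

    -- Status obtained under the lookup policy; Left only when the responder
    -- failure policy makes an unreachable responder fatal.
    ocspStatus :: Either String (Maybe OcspStatus)
    ocspStatus = case ocspLookupPolicy p of
      OcspStapledOnly        -> Right (stapledOcsp ev)
      OcspResponderOnly      -> fromResponder
      OcspStapledOrResponder -> maybe fromResponder (Right . Just) (stapledOcsp ev)

    fromResponder
      | not (hasOcspAia ev) = Right Nothing
      | otherwise = case (responderOcsp ev, ocspResponderFailurePolicy p) of
          (Just s,  _)                          -> Right (Just s)
          (Nothing, OcspResponderFailureReject) -> Left "OCSP responder unreachable"
          (Nothing, OcspResponderFailureIgnore) -> Right Nothing  -- as if no AIA

    checkOcsp = case ocspPolicy p of
      OcspNone        -> Right ()
      OcspRequire     -> ocspStatus >>= \st -> case st of
        Just OcspGood    -> Right ()
        Just OcspRevoked -> Left "certificate revoked"
        Nothing          -> Left "OCSP status required but unavailable"
      OcspIfAvailable -> ocspStatus >>= \st -> case st of
        Just OcspRevoked -> Left "certificate revoked"
        _                -> Right ()

-- Constructed sample evidence for a well-behaved peer.
goodPeer :: PeerEvidence
goodPeer = PeerEvidence
  { hostnameMatches = True, chainsToTrust = True, hasOcspAia = True
  , stapledOcsp = Just OcspGood, responderOcsp = Just OcspGood
  , daneResult = NoTlsa }

-- Stricter variant of the defaults: OCSP mandatory, responder failure fatal.
strictParams :: TLSParams
strictParams = defaultTLSParams
  { ocspPolicy = OcspRequire
  , ocspResponderFailurePolicy = OcspResponderFailureReject }

main :: IO ()
main = do
  mapM_ (print . evaluate defaultTLSParams)
    [ goodPeer
    , goodPeer { stapledOcsp = Nothing, responderOcsp = Nothing }  -- responder down
    , goodPeer { stapledOcsp = Just OcspRevoked }                  -- stapled "revoked"
    , goodPeer { daneResult = TlsaMismatch }                       -- TLSA published, no match
    , goodPeer { hostnameMatches = False }                         -- wrong host
    ]
  -- The same unreachable responder judged under the strict parameters.
  print (evaluate strictParams goodPeer { stapledOcsp = Nothing, responderOcsp = Nothing })
```

Run with `runghc TLSDecision.hs` next to `TLS.hs`. The ordering matters: hostname and trust are settled before any OCSP network activity is considered, and the responder is consulted only when the lookup policy allows it and the certificate actually advertises an `authorityInfoAccess`, which is what makes `OcspResponderFailureIgnore` equivalent to "no AIA" as the paste's comment requires.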