package tls


Configuration of the TLS stack

Config type

type certchain = X509.t list * Nocrypto.Rsa.priv

certificate chain and private key of the first certificate

type own_cert = [
  | `None
  | `Single of certchain
  | `Multiple of certchain list
  | `Multiple_default of certchain * certchain list
]

polymorphic variant of own certificates

type session_cache = Core.SessionID.t -> Core.epoch_data option
type config = private {
  ciphers : Ciphersuite.ciphersuite list;
    (* ordered list (regarding preference) of supported cipher suites *)
  protocol_versions : Core.tls_version * Core.tls_version;
    (* supported protocol versions (min, max) *)
  hashes : Nocrypto.Hash.hash list;
    (* ordered list of supported hash algorithms (regarding preference) *)
  use_reneg : bool;
    (* endpoint should accept renegotiation requests *)
  authenticator : X509.Authenticator.a option;
    (* optional X509 authenticator *)
  peer_name : string option;
    (* optional name of other endpoint (used for SNI, RFC 4366) *)
  own_certificates : own_cert;
    (* optional default certificate chain and other certificate chains *)
  session_cache : session_cache;
  cached_session : Core.epoch_data option;
}

configuration parameters

val config_of_sexp : Sexplib.Sexp.t -> config
val sexp_of_config : config -> Sexplib.Sexp.t
type client

opaque type of a client configuration

val client_of_sexp : Sexplib.Sexp.t -> client
val sexp_of_client : client -> Sexplib.Sexp.t
type server

opaque type of a server configuration

val server_of_sexp : Sexplib.Sexp.t -> server
val sexp_of_server : server -> Sexplib.Sexp.t

Constructors

val client : authenticator:X509.Authenticator.a -> ?ciphers:Ciphersuite.ciphersuite list -> ?version:(Core.tls_version * Core.tls_version) -> ?hashes:Nocrypto.Hash.hash list -> ?reneg:bool -> ?certificates:own_cert -> ?cached_session:Core.epoch_data -> unit -> client
  • raises Invalid_argument if the configuration is invalid

val server : ?ciphers:Ciphersuite.ciphersuite list -> ?version:(Core.tls_version * Core.tls_version) -> ?hashes:Nocrypto.Hash.hash list -> ?reneg:bool -> ?certificates:own_cert -> ?authenticator:X509.Authenticator.a -> ?session_cache:session_cache -> unit -> server
  • raises Invalid_argument if the configuration is invalid

val peer : client -> string -> client

peer client name is client with name set as its peer_name

Utility functions

val default_hashes : Nocrypto.Hash.hash list

default_hashes is a list of hash algorithms used by default

val supported_hashes : Nocrypto.Hash.hash list

supported_hashes is the list of hash algorithms supported by this library

val min_dh_size : int

min_dh_size is the minimal Diffie-Hellman group size in bits (currently 1024)

val dh_group : Nocrypto.Dh.group

dh_group is the default Diffie-Hellman group (currently the ffdhe2048 group from Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS)

val min_rsa_key_size : int

min_rsa_key_size is the minimal RSA modulus key size in bits (currently 1024)

module Ciphers : sig ... end

Cipher selection

Internal use only

val of_client : client -> config

of_client client is a client configuration for client

val of_server : server -> config

of_server server is a server configuration for server
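
The following is an added example, not code from the tls package or its documentation. It builds client and server configurations restricted to TLS 1.2 with renegotiation disabled, then checks the resulting private config record against that policy. Assumptions: the module is reachable as Tls.Config, Tls.Core.tls_version has a TLS_1_2 constructor, OCaml is 4.03 or later, and the names hardened_client, hardened_server and audit are hypothetical.

```ocaml
(* Added example; hardened_client, hardened_server and audit are
   hypothetical names, not part of the tls package. *)

(* (min, max) pair as expected by ?version; assumes a TLS_1_2 constructor. *)
let tls12_only = (Tls.Core.TLS_1_2, Tls.Core.TLS_1_2)

(* Client pinned to TLS 1.2, renegotiation off, peer_name set for SNI.
   [authenticator] is built by the caller, e.g. from a trust-anchor set. *)
let hardened_client ~authenticator ~host =
  try
    let c =
      Tls.Config.client ~authenticator ~version:tls12_only ~reneg:false ()
    in
    Ok (Tls.Config.peer c host)
  with Invalid_argument msg -> Error msg

(* Server with a single certificate chain and the same restrictions. *)
let hardened_server ~(chain : Tls.Config.certchain) =
  try
    Ok (Tls.Config.server ~version:tls12_only ~reneg:false
          ~certificates:(`Single chain) ())
  with Invalid_argument msg -> Error msg

(* Read-only policy check over the private [config] record.
   Returns one message per deviation; an empty list means the policy holds. *)
let audit (c : Tls.Config.config) =
  let min_version, _ = c.Tls.Config.protocol_versions in
  let unauthenticated =
    match c.Tls.Config.authenticator with None -> true | Some _ -> false
  in
  let findings = [
    c.Tls.Config.use_reneg, "renegotiation requests are accepted";
    min_version <> Tls.Core.TLS_1_2, "minimum protocol version is not TLS 1.2";
    unauthenticated, "no X509 authenticator: peer certificates are not verified";
  ] in
  List.map snd (List.filter fst findings)

(* of_client / of_server are documented as internal; they are used here
   only to inspect the values, never to construct a configuration. *)
let audit_client c = audit (Tls.Config.of_client c)
let audit_server s = audit (Tls.Config.of_server s)
```

For a server without client authentication, the authenticator finding is expected and informational.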
