Plasma GitLab Archive
Projects Blog Knowledge

Ocamlnet4


What's new in OCamlnet 4

Security

The main focus of this major version is the addition of strong authentication and security. In particular, TLS is now available for all protocols. In order to achieve this, and to provide better service functions, we switched from OpenSSL to GnuTLS. However, as it is uncertain which TLS library will be the best in the future, the core TLS interface has been factored out, and is now defined as module type. So, if e.g. LibreSSL will make it in the future, it is relatively easy to switch. The TLS provider is now a first-class module, and plugging in an alternate provider just means to pass a different provider module to the protocol interpreter. Read more about TLS: Tls.

There are also a lot of utility functions for TLS. In particular, there is a parser for X.509 certificates, and there are helpers for dealing with distinguished names. Netx509, Netdn.

From GnuTLS (and in particular from its crypto toolkit Nettle) we also get access to basic cryptographic functions, including hash functions and symmetric ciphers. The latter are sometimes even accelerated on modern hardware (in particular AES). Netsys_digests, Netsys_ciphers.

While TLS is good for establishing private channels, TLS client authentication is not that popular. Many protocols prefer SASL, which is now also defined as pluggable module: Netsys_sasl_types, Netsys_sasl. There are a number of mechanisms: PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1, GSSAPI, GS2-KRB5,

Many organizations use Kerberos as network login method. Access to Kerberos authentication is possible via the GSSAPI, a system interface for authentication and security modules. The GSSAPI is available directly or via SASL. Support for GSSAPI has been added to all protocols for which it is defined (HTTP clients, FTP clients, RPC clients and servers, and other protocols via SASL). Read more: Gssapi.

Completed IPv6 support

IPv6 functionality is now automatically enabled for a number of popular OS when it is obvious that IPv6 is configured (i.e. that there is an network interface with a global IPv6 address). Read more: Ipv6

For most protocols IPv6 was already available in OCamlnet-3. There was one exception, though: The RPC Portmapper protocol isn't capable of IPv6. There is the newer RPCBIND protocol, though, and we support it now.

Reorganization

There are a couple of renamings. The most important ones:

This means almost all OCamlnet modules use now the prefixes Net, Uq_, Rpc_ or Shell_ (the only exceptions are Unixqueue and Equeue).

The Unicode tables have been factored out of netstring and are now provided as netunidata library. Note that this means that the table are inaccessible unless netunidata is linked in. Get more information here: Netunidata.

A few other notable updates:

  • The pop and smtp libraries have been added to netclient
  • equeue-ssl does not exist anymore. See Tls about how to get TLS support nevertheless.
  • netcgi1 has been deleted. Use netcgi2 instead.
  • rpc-auth-dh has been deleted. Use the GSSAPI-based authentication for RPC instead.

Bytes (in 4.1)

Since OCamlnet-4.1, the new Bytes module is fully supported. All interfaces have been checked whether the typing needed to be changed from string to bytes. Also, OCamlnet-4.1 is now built with the -safe-string option if the OCaml version is new enough.

The are two new concepts making life easier in the presence of two string types (actually three types if you also count bigarrays of characters):

  • A tagged string or tstring wraps any of the three types into a single variant type:
     type tstring = [`String of string | `Bytes of bytes | `Memory of memory] 
    (note that memory is a bigarray of characters). There is a new support module, Netstring_tstring. We use tagged strings only when the string is an input to a function and not mutated.
  • A tagged buffer or tbuffer wraps a bytes or memory buffer into a variant type:
     type tbuffer = [`Bytes of bytes | `Memory of memory] 
    As we had a similar type already in previous OCamlnet versions, tbuffer got also a third variant for backward compatibility:
     type tbuffer = [`Bytes of bytes | `Memory of memory | `String of bytes] 
    This third variant looks a little bit strange, but is certainly useful for helping users to transition to bytes buffers. This variant will be removed in a later version of OCamlnet again.

More authentication (in 4.1)

The IETF recently did some work on authentication, and some results could already be incorporated into OCamlnet. The update of the HTTP Digest authentication method to the SHA-256 hash function (instead of MD5) went in and is automatically available for HTTP clients. Note that there is no update on the same-named SASL mechanism, which is now considered as "historic" in favor of the SCRAM family of mechanisms.

Regarding SCRAM for HTTP, there is an RFC draft, and the RFC is expected soon. I've added an experimental (but somewhat incomplete) implementation according to the draft (Netmech_scram_http).

In order to support public key mechanisms in later OCamlnet versions, there is now pluggable public key cryptography. For users the module Netx509_pubkey_crypto makes this feature available. However, at present there is no mechanism using this already.

Another new feature is the Netldap client, wrapping the most common LDAP client operations. This is most useful for servers wanting to authenticate against an LDAP server. Of course, it is also useful for other purposes, as LDAP can be used for storing any kind of information.

Not yet

A few things would have been good to have in OCamlnet-4, but they were not available in time:

  • HTTP authentication on the server side
  • Advanced HTTP authentication frameworks such as OAUTH
  • Support for reading passwords from files
  • Non-blocking name lookups

This web site is published by Informatikbüro Gerd Stolpmann
Powered by Caml