Plasma GitLab Archive
Projects Blog Knowledge

Previous  Up  Next

Module Nettls_support

module Nettls_support: sig .. end

Support types and functions for TLS

type credentials = [ `Anonymous | `X509 of Netx509.x509_certificate ]

The types of credentials

type raw_credentials = [ `Anonymous | `X509 of string ]

The encoded credentials:

  • `X509 s: The X509 certificate in DER encoding
  • `Anonymous: no certificate or other key is available
type cred_type = [ `Anonymous | `X509 ]

The type of credential types

class type tls_session_props = object .. end

Direct access to TLS properties of a session

val get_tls_session_props : Netsys_crypto_types.tls_endpoint -> tls_session_props

Get the session properties for an endpoint for which the handshake is already done

val get_tls_user_name : tls_session_props -> string

Get the "user name" of client certificates. It is determined as follows:

  • if there is a subjectAltName with an email address (i.e. rfc822 type), this address is returned
  • if there is a subjectAltName using the directory name format, it is checked whether there is a "uid", "email", or "cn" name component
  • otherwise, it is checked whether there is a "uid", "email", or "cn" name component in the subject

Raises Not_found if nothing approriate is found.

val squash_file_tls_endpoint : (module Netsys_crypto_types.FILE_TLS_ENDPOINT) ->
       (module Netsys_crypto_types.TLS_ENDPOINT)

Coerce a file endpoint to a normal endpoint

val is_endpoint_host : string -> tls_session_props -> bool

is_endpoint_host name props: checks whether name matches the certificate of the endpoint in props.

In particular, this function checks the DNS alternate name, and the common name of the subject. The certificate name can use wildcards.

Returns true if name could be verified this way.

NB. This doesn't check SNI (addressed_server), because this is the peer's task.

This web site is published by Informatikbüro Gerd Stolpmann
Powered by Caml