The main focus of this major version is the addition of strong
authentication and security. In particular, TLS is now available
for all protocols. In order to achieve this, and to provide better
service functions, we switched from OpenSSL to GnuTLS. However, as it
is uncertain which TLS library will be the best in the future, the
core TLS interface has been factored out, and is now defined as module
type. So, if e.g. LibreSSL will make it in the future, it is relatively
easy to switch. The TLS provider is now a first-class module, and
plugging in an alternate provider just means to pass a different
provider module to the protocol interpreter. Read more about TLS:
Tls
.
There are also a lot of utility functions for TLS. In particular,
there is a parser for X.509 certificates, and there are helpers for
dealing with distinguished names. Netx509
, Netdn
.
From GnuTLS (and in particular from its crypto toolkit Nettle) we also
get access to basic cryptographic functions, including hash functions
and symmetric ciphers. The latter are sometimes even accelerated on
modern hardware (in particular AES). Netsys_digests
,
Netsys_ciphers
.
While TLS is good for establishing private channels, TLS client
authentication is not that popular. Many protocols prefer SASL, which
is now also defined as pluggable module: Netsys_sasl_types
,
Netsys_sasl
. There are a number of mechanisms: PLAIN, CRAM-MD5,
DIGEST-MD5, SCRAM-SHA1, GSSAPI, GS2-KRB5,
Many organizations use Kerberos as network login method. Access to
Kerberos authentication is possible via the GSSAPI, a system
interface for authentication and security modules. The GSSAPI is
available directly or via SASL. Support for GSSAPI has been added to
all protocols for which it is defined (HTTP clients, FTP clients, RPC
clients and servers, and other protocols via SASL). Read more:
Gssapi
.
IPv6 functionality is now automatically enabled for a number of popular
OS when it is obvious that IPv6 is configured (i.e. that there is an
network interface with a global IPv6 address). Read more: Ipv6
For most protocols IPv6 was already available in OCamlnet-3. There was one exception, though: The RPC Portmapper protocol isn't capable of IPv6. There is the newer RPCBIND protocol, though, and we support it now.
There are a couple of renamings. The most important ones:
Http_client
: now Nethttp_client
Ftp_client
: now Netftp_client
Xdr
: now Netxdr
This means almost all OCamlnet modules use now the prefixes Net
,
Uq_
, Rpc_
or Shell_
(the only exceptions are Unixqueue
and Equeue
).
The Unicode tables have been factored out of netstring
and are now
provided as netunidata
library. Note that this means that the table
are inaccessible unless netunidata
is linked in. Get more information
here: Netunidata
.
A few other notable updates:
pop
and smtp
libraries have been added to netclient
equeue-ssl
does not exist anymore. See Tls
about how to get
TLS support nevertheless.netcgi1
has been deleted. Use netcgi2
instead.rpc-auth-dh
has been deleted. Use the GSSAPI-based authentication
for RPC instead.Since OCamlnet-4.1, the new Bytes
module is fully supported. All
interfaces have been checked whether the typing needed to be changed from
string
to bytes
. Also, OCamlnet-4.1 is now built with the
-safe-string
option if the OCaml version is new enough.
The are two new concepts making life easier in the presence of two string types (actually three types if you also count bigarrays of characters):
tstring
wraps any of the three types into
a single variant type:
type tstring = [`String of string | `Bytes of bytes | `Memory of memory]
(note that memory
is a bigarray of characters). There is a new support
module, Netstring_tstring
. We use tagged strings only when the
string is an input to a function and not mutated.tbuffer
wraps a bytes
or memory
buffer
into a variant type:
type tbuffer = [`Bytes of bytes | `Memory of memory]
As we had a similar type already in previous OCamlnet versions, tbuffer
got also a third variant for backward compatibility:
type tbuffer = [`Bytes of bytes | `Memory of memory | `String of bytes]
This third variant looks a little bit strange, but is certainly useful
for helping users to transition to bytes
buffers. This variant will be
removed in a later version of OCamlnet again.The IETF recently did some work on authentication, and some results could already be incorporated into OCamlnet. The update of the HTTP Digest authentication method to the SHA-256 hash function (instead of MD5) went in and is automatically available for HTTP clients. Note that there is no update on the same-named SASL mechanism, which is now considered as "historic" in favor of the SCRAM family of mechanisms.
Regarding SCRAM for HTTP, there is an RFC draft, and the RFC is
expected soon. I've added an experimental (but somewhat incomplete)
implementation according to the draft (Netmech_scram_http
).
In order to support public key mechanisms in later OCamlnet versions,
there is now pluggable public key cryptography. For users the module
Netx509_pubkey_crypto
makes this feature available. However, at
present there is no mechanism using this already.
Another new feature is the Netldap
client, wrapping the most common
LDAP client operations. This is most useful for servers wanting to
authenticate against an LDAP server. Of course, it is also useful for
other purposes, as LDAP can be used for storing any kind of information.
A few things would have been good to have in OCamlnet-4, but they were not available in time: