The main focus of this major version is the addition of strong
authentication and security. In particular, TLS is now available
for all protocols. In order to achieve this, and to provide better
service functions, we switched from OpenSSL to GnuTLS. However, as it
is uncertain which TLS library will be the best in the future, the
core TLS interface has been factored out and is now defined as a module
type. So, if e.g. LibreSSL becomes established in the future, it is relatively
easy to switch. The TLS provider is now a first-class module, and
plugging in an alternate provider just means passing a different
provider module to the protocol interpreter. Read more about TLS:
From GnuTLS (and in particular from its crypto toolkit Nettle) we also
get access to basic cryptographic functions, including hash functions
and symmetric ciphers. The latter are sometimes even accelerated on
modern hardware (in particular AES).
While TLS is good for establishing private channels, TLS client
authentication is not that popular. Many protocols prefer SASL, which
is now also defined as a pluggable module:
Netsys_sasl. There are a number of mechanisms: PLAIN, CRAM-MD5,
DIGEST-MD5, SCRAM-SHA1, GSSAPI, GS2-KRB5,
Many organizations use Kerberos as their network login method. Access to
Kerberos authentication is possible via the GSSAPI, a system
interface for authentication and security modules. The GSSAPI is
available directly or via SASL. Support for GSSAPI has been added to
all protocols for which it is defined (HTTP clients, FTP clients, RPC
clients and servers, and other protocols via SASL). Read more:
IPv6 functionality is now automatically enabled on a number of popular
operating systems when it is obvious that IPv6 is configured (i.e. that there is a
network interface with a global IPv6 address). Read more:
For most protocols IPv6 was already available in OCamlnet-3. There was one exception, though: the RPC Portmapper protocol does not support IPv6. There is the newer RPCBIND protocol, though, and we support it now.
There are a couple of renamings. The most important ones:
This means almost all OCamlnet modules now use the prefixes
Shell_ (the only exceptions are
The Unicode tables have been factored out of
netstring and are now in the
netunidata library. Note that this means that the tables
are inaccessible unless
netunidata is linked in. Get more information
A few other notable updates:
smtp libraries have been added to
equeue-ssl does not exist anymore. See
Tls for how to get TLS support nevertheless.
netcgi1 has been deleted. Use
rpc-auth-dh has been deleted. Use the GSSAPI-based authentication for RPC instead.
Since OCamlnet-4.1, the new
Bytes module is fully supported. All
interfaces have been checked as to whether their typing needed to be changed from
string to bytes. Also, OCamlnet-4.1 is now built with the
-safe-string option if the OCaml version is new enough.
There are two new concepts making life easier in the presence of two string types (actually three types if you also count bigarrays of characters):
tstring wraps any of the three types into a single variant type:
type tstring = [`String of string | `Bytes of bytes | `Memory of memory]
(memory is a bigarray of characters). There is a new support module,
Netstring_tstring. We use tagged strings only when the string is an input to a function and not mutated.
tbuffer wraps a bytes or memory buffer into a variant type:
type tbuffer = [`Bytes of bytes | `Memory of memory]
As we had a similar type already in previous OCamlnet versions,
tbuffer also got a third variant for backward compatibility:
type tbuffer = [`Bytes of bytes | `Memory of memory | `String of bytes]
This third variant looks a little bit strange, but is certainly useful for helping users to transition to
bytes buffers. This variant will be removed in a later version of OCamlnet again.
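A standalone illustration of the two tagged types in use (added here; it is not OCamlnet's own code and does not use Netstring_tstring): it redeclares memory, tstring and tbuffer locally, so the type aliases and the functions length, get, checksum and blit_string are assumptions made for the example.

```ocaml
(* Constructed example: local redeclaration of the types discussed above,
   so this compiles with plain OCaml and no OCamlnet dependency. *)
type memory =
  (char, Bigarray.int8_unsigned_elt, Bigarray.c_layout) Bigarray.Array1.t

type tstring = [ `String of string | `Bytes of bytes | `Memory of memory ]
type tbuffer = [ `Bytes of bytes | `Memory of memory | `String of bytes ]

(* Read-only accessors over a tagged string: the consumer never has to know
   which representation it received, and nothing is copied. *)
let length : tstring -> int = function
  | `String s -> String.length s
  | `Bytes b -> Bytes.length b
  | `Memory m -> Bigarray.Array1.dim m

let get (ts : tstring) (i : int) : char =
  match ts with
  | `String s -> s.[i]
  | `Bytes b -> Bytes.get b i
  | `Memory m -> Bigarray.Array1.get m i

(* A simple additive checksum that works on all three representations
   without converting between them (input only, never mutated). *)
let checksum (ts : tstring) : int =
  let n = length ts in
  let rec go i acc =
    if i >= n then acc land 0xFFFF
    else go (i + 1) (acc + Char.code (get ts i))
  in
  go 0 0

(* Writing into a tagged buffer. The `String of bytes variant is the
   backward-compatibility case: it is handled exactly like `Bytes, which is
   why it can be removed later without changing callers that use `Bytes. *)
let blit_string (src : string) (dst : tbuffer) (pos : int) : unit =
  match dst with
  | `Bytes b | `String b -> Bytes.blit_string src 0 b pos (String.length src)
  | `Memory m ->
      String.iteri (fun i c -> Bigarray.Array1.set m (pos + i) c) src

let () =
  let mem : memory =
    Bigarray.Array1.create Bigarray.char Bigarray.c_layout 5 in
  blit_string "hello" (`Memory mem) 0;
  let b = Bytes.make 5 ' ' in
  blit_string "hello" (`String b) 0;
  (* All three representations of "hello" yield the same checksum. *)
  assert (checksum (`String "hello") = checksum (`Memory mem));
  assert (checksum (`Bytes b) = checksum (`String "hello"));
  print_endline "ok"
```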
The IETF recently did some work on authentication, and some results could already be incorporated into OCamlnet. The update of the HTTP Digest authentication method to the SHA-256 hash function (instead of MD5) went in and is automatically available for HTTP clients. Note that there is no update for the same-named SASL mechanism, which is now considered "historic" in favor of the SCRAM family of mechanisms.
Regarding SCRAM for HTTP, there is an RFC draft, and the RFC is
expected soon. I've added an experimental (but somewhat incomplete)
implementation according to the draft (
In order to support public key mechanisms in later OCamlnet versions,
there is now pluggable public key cryptography. For users, the module
Netx509_pubkey_crypto makes this feature available. However, at
present no mechanism uses it yet.
Another new feature is the
Netldap client, wrapping the most common
LDAP client operations. This is most useful for servers wanting to
authenticate against an LDAP server. Of course, it is also useful for
other purposes, as LDAP can be used for storing any kind of information.
A few things would have been good to have in OCamlnet-4, but they were not available in time: