how to override things like clientSupported member of TLS ClientParams #2
Comments
|
If you kindly send a PR, I will merge it and release a new version. BTW, TLS 1.2 without EMS is insecure. I understand the server does not support it but I think you should ask to support EMS in the server side. |
…ngsSimple This is so we can manipulate these TLS settings even when using a connection manager like the http-client package does. See kazu-yamamoto#2 for details.
|
I agree that it would be better to upgrade the server, but there are situations where this is difficult or even impossible to achieve: there are legacy servers, particularly proprietary devices which may not even be available any more much less supported with (firmware) upgrades. In my line of work this happens quite frequently. |
|
The intention of this breaking change is to tell users that they are using insecure channels. |
|
Yes, I agree that this is the right approach. Ideally, a program where the server URL is specified by user input (or configuration) should issue a (single) warning for each server that doesn't support EMS. Doing this in our case would require a separate probing pass with |
|
I think that the warning-fallback approach works for clients well. |
|
I'd say leave it to users (of client programs I mean) to complain to server operators about annoying warnings ;-) |
From 1.9.x to 2.0.x the tls package made a change to require EMS (extended main secret) by default. I must admit that I have no idea what this is about and I don't really care much. However, it turns out that for compatibility reasons I need to change it to the old behavior (which allowed but did not require it).
I am not using tls directly but via http-client-tls which is in turn based on crypton-connection. I need to install a new connection manager, using code like
manager <- newManager $ mkManagerSettings tlsSettings Nothing
setGlobalManager manager
where tlsSettings is of type TLSSettings which is provided by crypton-connection.
The problem is that this data type is either TLSSettingsSimple with no way to override things like the clientSupported member of Network.TLS.ClientParams; or else it is TLSSettings with an argument of type ClientParams, but ClientParams contains server specific data, so it is unsuitable as configuration for a generic connection manager, or at least that is how it appears to me.
The magic that fills in the host specific parameters in the case of TLSSettingsSimple is in makeTLSParams, which gets the host specific data passed as arguments. One possible solution would be to add a member
settingClientSupported :: Maybe ClientSupported
to TLSSettingsSimple and use that in makeTLSParams to override the default.
The text was updated successfully, but these errors were encountered: