Update to latest X509, TCP and TLS APIs #228
Conversation
pass signature algorithms from certificaterequest to the location where the certificate is sent. reported by @talex5 in mirage/capnp-rpc#228
Thanks for your work on this @talex5. Indeed, tls 0.13.0 suffered from an issue "authentication with client certificates and TLS 1.3" that you ran into. I've a patch ready, and once x509 0.13.0 lands into opam repository, I'll cut a tls 0.13.1 release with this fixed. The background story is that the TLS 1.3 handshake is different from earlier, especially with client authentication. If the server sends a CertificateRequest, this now must contain a list of accepted SignatureAlgorithms -- our ocaml-tls client implementation did not respect this list, and did not preserve it until the client certificate was to be sent. Now, with the new logic in tls 0.13.0 about SignatureAlgorithms (ECDSA & ED25519 support), this led to an error. The fix is in hannesm/ocaml-tls@fa780d6.
Ah, OK. Will this cause any problems mixing old and new versions? e.g. if a tls.0.8.0 client connects to a tls.0.13.1 server, or vice versa?
@talex5 no, this should be fine interoperability-wise (unless your 0.13.1 server has tightly configured signaturealgorithms not supported by the 0.8 client - such as "only accept ECDSA/ED25519 certificates").
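The mechanism discussed in the two comments above, as an added illustration in Python (this is not ocaml-tls code, and the function names, key-type labels and the constructed CertificateRequest bytes are assumptions made for the example): the server's TLS 1.3 CertificateRequest carries a `signature_algorithms` extension (RFC 8446, sections 4.2.3 and 4.3.2), the client has to keep that list until it sends its certificate, and the CertificateVerify scheme must be chosen from it. The "tightly configured server" case from the interoperability question appears as a constructed server list containing only ECDSA P-256 and Ed25519, for which an RSA client key has no usable scheme.

```python
"""Parse a TLS 1.3 CertificateRequest and pick a CertificateVerify signature scheme.

Added example (Python, not ocaml-tls code). Function names, the key-type
labels and the sample messages are constructed for this illustration.
"""
import struct
from typing import List, Optional

# SignatureScheme code points from RFC 8446, section 4.2.3.
SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519",
    0x0808: "ed448",
}
EXT_SIGNATURE_ALGORITHMS = 13  # extension type code point

# Schemes each (hypothetical) client key type can produce, in the client's own
# preference order. TLS 1.3 requires RSA CertificateVerify signatures to use PSS
# (RFC 8446, section 4.4.3), so RSA keys never offer rsa_pkcs1_*.
CLIENT_KEY_SCHEMES = {
    "rsa": ["rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512"],
    "p256": ["ecdsa_secp256r1_sha256"],
    "p384": ["ecdsa_secp384r1_sha384"],
    "ed25519": ["ed25519"],
}


def parse_certificate_request(body: bytes) -> List[str]:
    """Return the server's accepted scheme names, in the server's preference order.

    Body layout: opaque certificate_request_context<0..255>,
    Extension extensions<2..2^16-1>, each Extension = type(2) || length(2) || data.
    """
    ctx_len = body[0]
    pos = 1 + ctx_len
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_total
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    schemes = None
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        pos += ext_len
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            (list_len,) = struct.unpack_from("!H", data, 0)
            if list_len != len(data) - 2 or list_len % 2 != 0 or list_len == 0:
                raise ValueError("malformed signature_algorithms extension")
            codes = struct.unpack("!%dH" % (list_len // 2), data[2:])
            # Unknown code points are ignored rather than treated as errors.
            schemes = [SCHEMES[c] for c in codes if c in SCHEMES]
    if schemes is None:
        # RFC 8446, section 4.3.2: signature_algorithms MUST be present.
        raise ValueError("CertificateRequest without signature_algorithms")
    return schemes


def select_scheme(key_type: str, server_schemes: List[str]) -> Optional[str]:
    """First scheme in the server's order that the client key supports; None if none."""
    ours = CLIENT_KEY_SCHEMES[key_type]
    for scheme in server_schemes:
        if scheme in ours:
            return scheme
    return None


def build_certificate_request(schemes: List[int], context: bytes = b"") -> bytes:
    """Encode a CertificateRequest body carrying only signature_algorithms (test input)."""
    algs = struct.pack("!H", 2 * len(schemes)) + b"".join(struct.pack("!H", s) for s in schemes)
    ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(algs)) + algs
    return bytes([len(context)]) + context + struct.pack("!H", len(ext)) + ext


# Constructed samples: a server accepting only ECDSA P-256 and Ed25519, and one
# that also lists RSA-PSS.
STRICT_SERVER = build_certificate_request([0x0403, 0x0807])
LENIENT_SERVER = build_certificate_request([0x0804, 0x0403, 0x0807])

if __name__ == "__main__":
    for name, msg in (("strict", STRICT_SERVER), ("lenient", LENIENT_SERVER)):
        accepted = parse_certificate_request(msg)
        for key in ("rsa", "p256", "ed25519"):
            print(name, key, "->", select_scheme(key, accepted))
```

A client that drops the parsed list and signs with whatever its key prefers is exactly the bug described in the first comment: against the strict server the RSA client gets `None` here, which is the point at which a correct implementation must not send an RSA-PSS CertificateVerify the server will reject.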
CHANGES:
* Breaking: use deriving sexp_of instead of sexp. Constructing a state from a sexp has not been supported (led to an exception), and is now removed (mirleft/ocaml-tls#430 by @torinnd, continued in mirleft/ocaml-tls#431 by @hannesm)
* Bugfix: TLS 1.3 client authentication with certificate, client side. This used to work accidentally before 0.13.0 changed the signature algorithms handling; now the right signature algorithm (as requested by server) is used. (mirleft/ocaml-tls#431 @hannesm, @talex5 reported mirage/capnp-rpc#228)
* adapt to x509 0.13.0 and mirage-crypto-ec 0.10.0 changes (mirleft/ocaml-tls#431 @hannesm)
I opened talex5#1 on top of this PR which solves the issue you mention (as bonus it lets the test-mirage run successfully as well).
Co-authored-by: Hannes Mehnert <[email protected]>
…nix and capnp-rpc-lwt (1.1)
CHANGES:
- Update to latest X509, TCP and TLS APIs (@talex5 @hannesm mirage/capnp-rpc#228).
- Add `Service.fail_lwt` convenience function (@talex5 mirage/capnp-rpc#229).
- Remove confusing debug details from `call_for_value_exn` errors (@talex5 mirage/capnp-rpc#230). The hidden information is now logged (at debug level) instead.
- Configure TCP keep-alives for incoming connections, not just outgoing ones (@talex5 mirage/capnp-rpc#227). This is needed when the client machine crashes without resetting the connection.
- Include version number in opam license field (@talex5 mirage/capnp-rpc#226).
@hannesm: I tried updating to the latest APIs, but now the tests are failing with:
What do I need to do to fix that?