Importing Extra.Cipher is not necessary anymore #471

Merged
merged 3 commits into from
May 22, 2024


kazu-yamamoto
Collaborator

  • setting supportedCiphers to ciphersuite_default
  • ciphersuite_default is now the same as ciphersuite_strong

See kazu-yamamoto/crypton-connection#3

@bfrk

bfrk commented May 21, 2024

Much appreciated change, thanks. But surely incompatible, so next release will be 2.1 or 2.1.0, correct?

@kazu-yamamoto
Collaborator Author

I'm not sure that this is an incompatible change.
Currently, everyone overrides the value.
So, nobody notices this change.

@bfrk

bfrk commented May 21, 2024

Hm. Technically it is a change in semantics. You are arguing that since the old default is not only trivial but actually useless, nobody is relying on it. That may well be true, but it is not a certainty, so I'd rather err on the side of caution. Anyway, it's your decision to make.

@kazu-yamamoto kazu-yamamoto merged commit fd28046 into haskell-tls:main May 22, 2024
9 checks passed
@kazu-yamamoto kazu-yamamoto deleted the better-default branch May 22, 2024 04:11
@kazu-yamamoto
Collaborator Author

Merged.
I will release v2.0.6 very soon.

@bfrk

bfrk commented May 22, 2024

Thank you very much.

@kazu-yamamoto
Collaborator Author

You're welcome.

bmillwood added a commit to bmillwood/req that referenced this pull request Sep 21, 2024
On versions of tls pre-2.0.6, the default `Supported` had an empty list
of `supportedCiphers`. Per discussion on [their issue][1], it seems like
everyone was overriding it to `ciphersuite_default` anyway, hence the
change at version 2.0.6 to make that default. But we're not doing that
here!  Luckily, the [default for `TLSSettings`][2] does do that
override, so we can use that to get the right behaviour regardless of
tls version.

[1]: haskell-tls/hs-tls#471
[2]: https://hackage.haskell.org/package/crypton-connection-0.4.0/docs/src/Network.Connection.Types.html#line-86
mrkkrp pushed a commit to mrkkrp/req that referenced this pull request Sep 29, 2024
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jan 30, 2025
# Change log for "tls"

## Version 2.1.7

* Introducing `Limit` parameter.
* Implementing "Record Size Limit Extension for TLS" (RFC8449).
  Set `limitRecordSize` to use it.
* Implementing "TLS Certificate Compression" (RFC 8879).
  This feature is automatically used if the peer supports it.
* More tests with `tlsfuzzer` especially for client authentication
  and 0-RTT.
* Implementing a utility function, `validateClientCertificate`, for
  client authentication.
* Bug fix for echo back logic of Cookie extension.
* More pretty show for the internal `Handshake` structure for debugging.

## Version 2.1.6

* Testing with "tlsfuzzer" again. Now don't send an alert against
  peer's alert. Double locking (aka self dead-lock) is fixed. Sending
  an alert for known-but-cannot-parse extensions. Other corner cases
  are also fixed.
* `tls-client -d` and `tls-server -d` pretty-prints `Handshake`.

## Version 2.1.5

* Removing the dependency on the async package.
* Restore a few DHE_RSA ciphers.
  [#493](haskell-tls/hs-tls#493)

## Version 2.1.4

* Exporting defaultValidationCache.

## Version 2.1.3

* Remove `data-default` version constraint.
  [#492](haskell-tls/hs-tls#492)
* Exporting default variables.
  [#448](haskell-tls/hs-tls#488)

## Version 2.1.2

* Using data-default instead of data-default-class.

## Version 2.1.1

* `bye` directly calls `timeout recvHS13`, not spawning a thread for
  `timeout recvHS13`. So, `bye` can receive an exception if thrown.

## Version 2.1.0

* Breaking change: stop exporting constructors to maintain future
  compatibilities. Field names are still exported, and values can be updated
  with them using record syntax. Use `def` and `noSessionManager` as initial
  values.
* `onServerFinished` is added to `ClientHooks`.
* `clientWantSessionResumeList` is added to `ClientParams` to support
  multiple tickets for TLS 1.3.

## Version 2.0.6

* Setting `supportedCiphers` in `defaultSupported` to `ciphersuite_default`.
  So, users don't have to override this value anymore by exporting
  `Network.TLS.Extra.Cipher`.
  [#471](haskell-tls/hs-tls#471)
* `ciphersuite_default` is the same as `ciphersuite_strong`.
  So, the duplicated definition is removed.
* Add missing modules for util/tls-client and util/tls-server.
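
The default change discussed in this pull request, as an added example (not code from the `tls` project or from the commits referenced above): a client that sets `supportedCiphers` explicitly so its behaviour does not depend on whether the installed `tls` is older or newer than 2.0.6, plus a check that fails closed when the cipher list is empty. The helper names `explicitCipherParams` and `requireCiphers` and the host `example.test` are assumptions made for illustration.

```haskell
module Main (main) where

import Network.TLS
    ( ClientParams
    , clientSupported
    , defaultParamsClient
    , supportedCiphers
    )
import Network.TLS.Extra.Cipher (ciphersuite_default)

-- | Client parameters with the cipher list pinned by the application
-- (hypothetical helper). Only field names are used, so the record update
-- also compiles on tls >= 2.1.0, where constructors are no longer exported.
explicitCipherParams :: String -> ClientParams
explicitCipherParams host =
    let base = defaultParamsClient host mempty
        sup = clientSupported base
     in base{clientSupported = sup{supportedCiphers = ciphersuite_default}}

-- | Refuse to continue when no cipher suite would be offered, which is the
-- state the pre-2.0.6 default left callers in if they forgot the override
-- (hypothetical helper).
requireCiphers :: ClientParams -> Either String ClientParams
requireCiphers params
    | null (supportedCiphers (clientSupported params)) =
        Left "no cipher suites configured; set supportedCiphers explicitly"
    | otherwise = Right params

-- | Summarise a parameter set without opening a connection.
describe :: String -> ClientParams -> String
describe label params =
    label ++ ": " ++ either id offered (requireCiphers params)
  where
    offered p =
        show (length (supportedCiphers (clientSupported p)))
            ++ " cipher suites offered"

main :: IO ()
main = do
    -- "example.test" is a constructed host name; nothing is contacted.
    putStrLn (describe "library default" (defaultParamsClient "example.test" mempty))
    putStrLn (describe "explicit override" (explicitCipherParams "example.test"))
```

Built against a `tls` older than 2.0.6, the "library default" line reports the error; from 2.0.6 on, both lines report a non-empty list.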