Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for overriding the TLS clientSupported member in TLSSettingsSimple #3

Merged
merged 2 commits into from
May 17, 2024
Merged

add support for overriding the TLS clientSupported member in TLSSettingsSimple #3

merged 2 commits into from
May 17, 2024

Conversation

bfrk
Copy link

@bfrk bfrk commented May 15, 2024

This is so we can manipulate these TLS settings even when using a connection manager like the http-client package does. See
#2 for details.

@bfrk
add support for overriding the TLS clientSupported member in TLSSetti…
38d838e 
…ngsSimple

This is so we can manipulate these TLS settings even when using a connection
manager like the http-client package does. See
kazu-yamamoto#2 for details.
@bfrk
Copy link
Author

bfrk commented May 15, 2024

I tested this and it seems to work fine with http-client when I set a suitably configure global connection manager.

kazu-yamamoto
kazu-yamamoto reviewed May 16, 2024
View reviewed changes
Network/Connection/Types.hs Outdated
@@ -75,12 +75,15 @@ data TLSSettings
-- will always re-established their context.
-- Not Implemented Yet.
, settingUseServerName :: Bool -- ^ Use server name extension. Not Implemented Yet.
, settingClientSupported :: Maybe TLS.Supported
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why Maybe is used. I think that Supported is simply good enough.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, now that you say it, I think you are right.

@bfrk
simplify TLSSettingsSimple.settingClientSupported
95b7d2d 
The Maybe wasn't actually necessary.
@bfrk
Copy link
Author

bfrk commented May 16, 2024

(I can squash the commits when you are done with reviewing)

@kazu-yamamoto
Copy link
Owner

LGTM.
Squash is not necessary.
Since the constructor is historically exported, this is a breaking change.
So, we need to bump the version to v0.4.0.
Is this OK for you?

@bfrk
Copy link
Author

bfrk commented May 16, 2024

Yes, perfectly fine. Thanks!

@kazu-yamamoto kazu-yamamoto merged commit 64c4775 into kazu-yamamoto:main May 17, 2024
@kazu-yamamoto
Copy link
Owner

Merged. Thanks!
A new version has been released.

@mrkkrp
Copy link

mrkkrp commented May 20, 2024

I am trying to update req to use the new version of the library with this change (I pass def as the new fourth argument of the TLSSettingsSimple data constructor), and I observe this:

  1) Network.HTTP.Req.redirects follows redirects
       uncaught exception: HttpException
       VanillaHttpException (HttpExceptionRequest Request {
         host                 = "localhost"
         port                 = 1234
         secure               = False
         requestHeaders       = []
         path                 = "/redirect-to"
         queryString          = "?url=https%3A%2F%2Fhttpbin.org"
         method               = "GET"
         proxy                = Nothing
         rawBody              = False
         redirectCount        = 10
         responseTimeout      = ResponseTimeoutDefault
         requestVersion       = HTTP/1.1
         proxySecureMode      = ProxySecureWithConnect
       }
        (InternalException (HandshakeFailed Error_EOF)))

https://github.com/mrkkrp/req/actions/runs/9155853746/job/25169229880?pr=169#step:9:217

This is a test that used to pass. Do you think it is related? If so, am I doing something wrong? Here is the change I'm testing:

https://github.com/mrkkrp/req/pull/169/files

@bfrk
Copy link
Author

bfrk commented May 20, 2024

I think this is indeed related. Passing def to TLSSettingsSimple does not work as you intend it to, since this will be the value that the tls package provides as default and that has an empty list of supported ciphers. You can either use the def that crypton-connection suplies for TLSSettings and modify that, which is a bit of a pain because of the nested record update needed. Or you can manually override supportedCiphers with Network.TLS.Extra.ciphersuite_default.

@bfrk
Copy link
Author

bfrk commented May 20, 2024

See e.g. https://hub.darcs.net/darcs/darcs-screened/browse/src/Darcs/Util/HTTP.hs#168 for the painful way.

@kazu-yamamoto
Copy link
Owner

def of Supported in tls is defaultSupported:

defaultSupported :: Supported
defaultSupported =
    Supported
        { supportedVersions = [TLS13, TLS12]
        , supportedCiphers = []
        , supportedCompressions = [nullCompression]
        , supportedHashSignatures = Struct.supportedSignatureSchemes
        , supportedSecureRenegotiation = True
        , supportedClientInitiatedRenegotiation = False
        , supportedExtendedMainSecret = RequireEMS
        , supportedSession = True
        , supportedFallbackScsv = True
        , supportedEmptyPacket = True
        , supportedGroups = supportedNamedGroups
        }

Unfortunately, supportedCiphers is [].
So, you need to set it by yourself.

You might ask why supportedCiphers is not ciphersuite_default.
The answer is that the original author of tls designed that Cipher is extensible.
No Cipher is available when defaultSupported is defined.

But I guess this design can be changed.
That is, we probably implement that ciphersuite_default is available when defaultSupported is defined while Cipher is extensible.

If users want this, I will take time to try to implement it.

@kazu-yamamoto kazu-yamamoto mentioned this pull request May 21, 2024
Merged
@kazu-yamamoto
Copy link
Owner

It appeared that this change is quite easy.
See the PR above.
@mrkkrp If you agree, I will release a new version of tls which automatically fixes your issue.

@mrkkrp
Copy link

mrkkrp commented May 21, 2024

Hi @kazu-yamamoto I have no option on the design of the library since I am not familiar with it. That said, of course it would be nice if the problem went away "automatically" :-)

@rmullin7286 rmullin7286 mentioned this pull request Jun 6, 2024
Closed
@csasarak csasarak mentioned this pull request Sep 13, 2024
Merged
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jan 30, 2025
@depressed-pho
net/hs-crypton-connection: update to crypton-connection-0.4.3
a3138d7 
# CHANGELOG

## Version 0.4.3

* Creating the `Internal` module and export the `ConnectionContext` constructor.
  [#7](kazu-yamamoto/crypton-connection#7)

## Version 0.4.2

* Using data-default.

## Version 0.4.1

* Preparing for tls v2.1

## Version 0.4.0

* Add support for overriding the TLS clientSupported member in TLSSettingsSimple
  [#3](kazu-yamamoto/crypton-connection#3)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kazu-yamamoto kazu-yamamoto kazu-yamamoto left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bfrk @kazu-yamamoto @mrkkrp