From: Gerd S. <in...@ge...> - 2015-05-10 13:01:21
On Thursday, 07.05.2015, at 10:47 +0200, Thomas Calderon wrote:
>
> Hi Gerd,
>
> On Wed, May 6, 2015 at 10:51 PM, Gerd Stolpmann <in...@ge...> wrote:
> Hi Thomas,
>
> On Wednesday, 06.05.2015, at 16:31 +0200, Thomas Calderon wrote:
> > Hi,
> >
> > I have started working towards supporting OCamlnet 4.x in our project.
> >
> > I had to completely rewrite the TLS code, this was expected due to
> > OCamlnet switching to GnuTLS.
> >
> > I have noticed the following issues with the current TLS code:
> > * dh_params is not used in the code therefore DHE-* suites are not
> >   enabled
> >   - Using the *gnutls_certificate_set_dh_params* solves the issue
> >     (see attachment for example)
>
> Well spotted. I have some concerns about the side effect, though. There
> is no function to copy a certificate.
>
> I am not following you on this. Why would you want to copy the
> certificate?

Because it is surprising for the caller when create_config modifies its
arguments by setting the dh params for the certificates. And the only
way to avoid it is to make a local copy of the certificate and modify that
instead of the argument.

It is possible to work around by saving the function that creates the
certificate. I'll probably do that.

Gerd

> > * support for elliptic curve key exchange seems disabled (ECDHE-*
> >   suites), I have not tried an ECC certificate.
> > * support for GCM algorithms is not enabled
>
> I'm quite sure that I saw ECDHE and GCM in tests. I'll retest tomorrow.
> It might be related to the GnuTLS version mess on my machine (Ubuntu
> has two versions installed).
>
> Let me know the results of your test.
>
> It is possible to de-configure these features in GnuTLS.
>
> > * sample TLS netplex configuration is missing some ";" for each
> >   section
> >
> > Do you have the same behavior? It might be linked to my GnuTLS
> > version.
>
> Did you manage to enable higher-end ciphersuites and PFS suites?
>
> Gerd
>
> > Thanks for the feedback.
> >
> > Thomas.
> >
> > _______________________________________________
> > Ocamlnet-devel mailing list
> > Oca...@li...
> > https://lists.sourceforge.net/lists/listinfo/ocamlnet-devel

--
------------------------------------------------------------
Gerd Stolpmann, Darmstadt, Germany    ge...@ge...
My OCaml site:          http://www.camlcity.org
Contact details:        http://www.camlcity.org/contact.html
Company homepage:       http://www.gerd-stolpmann.de
------------------------------------------------------------