From: Gerd S. <in...@ge...> - 2015-11-27 18:19:18
On Wednesday, 25.11.2015, 10:50 +0000, Thomas Calderon wrote:
> Hi,
>
>
> Our project, Caml Crush, a PKCS#11 proxy in OCaml uses OCamlnet
> Netplex and RPC layer.
>
>
> We have been migrating from OCamlnet 3.x to OCamlnet 4.x during the
> last months and we had some questions regarding the newly released TLS
> bindings.
>
>
> In our code compatible with Ocamlnet 3.x SSL bindings (through
> OCaml-ssl), we are using the Ssl.get_certificate OCaml-ssl call in the
> 'get_peer_user_name' server hook to get and dump the peer client
> certificate (this allows us to check this certificate against a white
> list on the server side).
>
>
> We would like to have the same degree of control with the 4.x release
> of OCamlnet.
>
>
> After some digging in OCamlnet 4.x TLS code, we have not found an API
> providing the Ssl.get_certificate service. Did we miss something? Is
> it possible to emulate such a feature?
From the RPC server you get the certificate this way:
  let props = Rpc_server.get_tls_session_props session
then, there are a couple of methods for props, in particular
peer_credentials_raw for getting the DER encoding of the certificate,
and peer_credentials for a structured view of the certificate (see the
Netx509 module for accessing the components). There is also a utility
function Nettls_support.get_tls_user_name.
For a fingerprint of a certificate, the common method is to use a digest
(usually SHA-1) of the DER encoding.
If you want to check the peer certificate earlier (before receiving
data), there is also the verify callback in the TLS configuration (arg
of Netsys_tls.create_x509_config; get the certificate with the
get_peer_creds function of the provider module). I guess this is what you
are missing: remember that the TLS provider is a first-class module, and
you can call functions of this module:

  let provider = Netsys_crypto.current_tls()

  let verify endpoint p_trust p_hostmatch =
    let module P = (val provider : Netsys_crypto_types.TLS_PROVIDER) in
    let cert = P.get_peer_creds endpoint in
    p_trust && p_hostmatch && my_check cert

  let tls_config =
    Netsys_tls.create_x509_config
      ...
      ~verify
      provider
> Also, the current implementation does not allow to have a separate
> trust chain (one for the server and one for the clients when peer_auth
> is enabled). This would be a welcome addition.
Hmm, why do you need the trust chain for the server? The trust chain
always refers to the peer, AFAIK.
Gerd
>
>
> Thanks in advance for your help,
>
>
> Thomas
> _______________________________________________
> Ocamlnet-devel mailing list
> Oca...@li...
> https://lists.sourceforge.net/lists/listinfo/ocamlnet-devel
--
------------------------------------------------------------
Gerd Stolpmann, Darmstadt, Germany ge...@ge...
My OCaml site: http://www.camlcity.org
Contact details: http://www.camlcity.org/contact.html
Company homepage: http://www.gerd-stolpmann.de
------------------------------------------------------------
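Added example (not code from this thread, from Caml Crush or from OCamlnet): a server-side whitelist check of the client certificate built from the session properties Gerd describes, keyed by a digest of the DER encoding. The exact OCamlnet 4 signatures used (get_tls_session_props returning an option, the shape of peer_credentials_raw, Netsys_digests.iana_find and digest_string) and the sample fingerprint table are assumptions to verify against your installed version.

```ocaml
(* Added example, not code from the thread, Caml Crush or OCamlnet.
   Assumed OCamlnet 4 signatures (check against your installed version):
     Rpc_server.get_tls_session_props :
       Rpc_server.session -> Nettls_support.tls_session_props option
     props#peer_credentials_raw : [ `X509 of string | `Anonymous ]
     Netsys_digests.iana_find : string -> Netsys_digests.digest
     Netsys_digests.digest_string : Netsys_digests.digest -> string -> string
*)

(* Constructed sample whitelist: hex fingerprint of the DER certificate
   -> user name. A real deployment loads this from configuration. *)
let allowed_fingerprints : (string * string) list =
  [ ("0123456789abcdef0123456789abcdef01234567", "alice") ]

let hex_of_string s =
  String.concat ""
    (List.init (String.length s)
       (fun i -> Printf.sprintf "%02x" (Char.code s.[i])))

(* Fingerprint = digest of the DER encoding, as suggested above. "sha1" is
   the conventional fingerprint algorithm; "sha256" works the same way.
   Netsys_digests.iana_find raises Not_found for an unknown algorithm name. *)
let fingerprint ?(algo = "sha1") der =
  let dg = Netsys_digests.iana_find algo in
  hex_of_string (Netsys_digests.digest_string dg der)

(* Map the TLS session properties to a whitelisted user name, or None.
   By the time this runs the handshake has already checked that the client
   holds the private key for the certificate it presented, so matching the
   fingerprint binds the session to exactly one known certificate. *)
let user_of_props (props : Nettls_support.tls_session_props) : string option =
  match props#peer_credentials_raw with
  | `X509 der -> List.assoc_opt (fingerprint der) allowed_fingerprints
  | _ -> None   (* anonymous peer: nothing to whitelist *)

(* Entry point for the server's user-name lookup on an RPC session. *)
let peer_user_name (session : Rpc_server.session) : string option =
  match Rpc_server.get_tls_session_props session with
  | None -> None   (* connection is not TLS-protected *)
  | Some props -> user_of_props props
```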