configuration-tools-0.2.11: Tools for specifying and parsing configurations

CopyrightCopyright © 2015 PivotCloud, Inc.
LicenseMIT
MaintainerLars Kuhtz <lkuhtz@pivotmail.com>
Stabilityexperimental
Safe HaskellNone
LanguageHaskell2010

Configuration.Utils.Internal.HttpsCertPolicy

Contents

Description

This module provides means for defining and using HTTPS certificate validation polices for HTTPS requests.

Synopsis

HTTPS Certificate Validation Policy

data HttpsCertPolicy Source

Constructors

HttpsCertPolicy 

Fields

_certPolicyInsecure :: !Bool

disable certificate validation

_certPolicyHostFingerprints :: !(HashMap ServiceID Fingerprint)

a whitelist for services with trusted certificates

pHttpsCertPolicy Source

Arguments

:: Text

prefix for the command line options

-> MParser HttpsCertPolicy 

HTTP Requests With Certificate Validation Policy

simpleHttpWithValidationPolicy Source

Arguments

:: Text

HTTP or HTTPS URL

-> HttpsCertPolicy 
-> IO (Response ByteString) 

Make an HTTP request with a given certificate validation policy.

NOTE that the HTTP request is strictly loaded into memory.

NOTE that this implementation opens a new TCP connection for each single request. HTTPS certificates validation results are not cached between different requests.

newtype VerboseTlsException Source

The Haskell tls library provides only limited means for providing user friendly error messages. In particular we'd like to provide the user with fingerprints of the reject certificate for self-signed certificates. Also we want to provide the user with some guidance what a particular failure may indicate with respect to security of the connection.

Here we employ a hack for better error handling: Based on the assumption that we initialize a new connection Manager and also a new certificate cache for each request, we write the certificate that is received from the server in the TLS handshake to an IORef. If the handshakes fails later on because the certificate is rejected we can recover the rejected certificate from the IORef.

What we really want are exceptions that can be consumed programatically. In particular exceptions should include rejected certificates.