Copyright | Copyright © 2015 PivotCloud, Inc. |
---|---|
License | MIT |
Maintainer | Lars Kuhtz <lkuhtz@pivotmail.com> |
Stability | experimental |
Safe Haskell | None |
Language | Haskell2010 |
This module provides means for defining and using HTTPS certificate validation polices for HTTPS requests.
- data HttpsCertPolicy = HttpsCertPolicy {}
- certPolicyInsecure :: Lens' HttpsCertPolicy Bool
- certPolicyHostFingerprints :: Lens' HttpsCertPolicy (HashMap ServiceID Fingerprint)
- defaultHttpsCertPolicy :: HttpsCertPolicy
- pHttpsCertPolicy :: Text -> MParser HttpsCertPolicy
- httpWithValidationPolicy :: Text -> HttpsCertPolicy -> IO (Response ByteString)
- newtype VerboseTlsException = VerboseTlsException Text
HTTPS Certificate Validation Policy
data HttpsCertPolicy Source
HttpsCertPolicy | |
|
:: Text | prefix for the command line options |
-> MParser HttpsCertPolicy |
HTTP Requests With Certificate Validation Policy
httpWithValidationPolicy Source
:: Text | HTTP or HTTPS URL |
-> HttpsCertPolicy | |
-> IO (Response ByteString) |
Make an HTTP request with a given certificate validation policy.
NOTE that the HTTP request is strictly loaded into memory.
NOTE that this implementation opens a new TCP connection for each single request. HTTPS certificates validation results are not cached between different requests.
newtype VerboseTlsException Source
The Haskell tls
library provides only limited means for providing
user friendly error messages. In particular we'd like to provide the
user with fingerprints of the reject certificate for self-signed
certificates. Also we want to provide the user with some guidance what
a particular failure may indicate with respect to security of the
connection.
Here we employ a hack for better error handling: Based on the assumption
that we initialize a new connection Manager
and also a new certificate
cache for each request, we write the certificate that is received
from the server in the TLS handshake to an IORef
. If the handshakes
fails later on because the certificate is rejected we can recover the
rejected certificate from the IORef
.
What we really want are exceptions that can be consumed programatically. In particular exceptions should include rejected certificates.