Re: [MirageOS-devel] TLS on Xen
On 13 January 2015 at 17:03, Thomas Leonard <talex5@xxxxxxxxx> wrote:
> I've sent PRs for various patches to make TLS work on Xen. The changes
> needed are:
>
> 1. Add generic error handling for FLOWs, so we can propagate errors reliably.
> 2. Fix the page alignment requirements for Netif.
> 3. Add TLS support to conduit.
>
> PRs:
>
> Add `error_message` support for FLOW (can be merged now):
>
> https://github.com/mirage/mirage-console/pull/33
> https://github.com/mirage/ocaml-vchan/pull/60
> https://github.com/mirage/mirage-tcpip/pull/98
>
> (any other places implementing FLOW?)
>
> Update the FLOW signature:
>
> https://github.com/mirage/mirage/pull/346
>
> Update TLS and Conduit (they both require and provide FLOW, so they
> will be broken briefly):
>
> https://github.com/mirleft/ocaml-tls/pull/225
>
> We could add a dummy version of `error_message` here first to ease
> upgrades, if desired. However, Conduit_mirage will break anyway due to
> the extra TLS functor argument.
>
> Make Netif not require aligned single-page buffers:
>
> https://github.com/mirage/mirage-net-xen/pull/17
>
> (optional: remove now-pointless copying in ocaml-tls)
>
> You can then configure conduit for TLS like this:
>
>     let mode = `TLS (tls_config, `TCP (`Port 443)) in
>
> The mode contains the TLS arguments and a configuration for some
> underlying channel.
>
> I'm fairly happy with it. One minor problem is creating the TLS server
> from a TLS config. Is there a function for this? In conduit, I
> currently have:
>
>     let server = Tls.Config.(server
>         ~ciphers:config.ciphers
>         ~version:config.protocol_versions
>         ~hashes:config.hashes
>         ~reneg:config.use_reneg
>         ?certificate:config.own_certificate
>         ~secure_reneg:config.secure_reneg)
>         () in
>
> However, this will silently fail to pass any new config attributes
> that get added later.
As suggested in the call yesterday, I've made a branch of the mirage-dev
repository that contains updated versions of the packages with Xen/TLS
support and tests them all together:

https://github.com/mirage/mirage-dev/pull/52

I don't think it should hold anything up, but there are some improvements
we might want to make in future:

- It would be good to make the config type abstract, so that conduit
  doesn't bring in dependencies on the TLS libraries.

- It might be nice if mirage would let you configure an HTTP server
  without using conduit. Resolving URLs needs to be dynamic, but when
  providing a service you usually know statically which transport you
  want (http, https or vchan).

- It would be good if you could configure an https server directly in
  config.ml. Currently, the need to configure it with a certificate and
  private key means this step has to go in the unikernel.

--
Dr Thomas Leonard        http://0install.net/
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
GPG: DA98 25AE CAD0 8975 7CDA BD8E 0713 3F96 CA74 D8BA
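Added illustration of the FLOW `error_message` pattern the thread is about (point 1 and the "require and provide FLOW" remark): this is not code from the mirage PRs; the FLOW signature below is a simplified stand-in for the real mirage-types one, and Tcp_stub and Tls_over are hypothetical modules.

```ocaml
(* Simplified stand-in for the FLOW signature (the real mirage-types
   signature is larger). The point is `error_message`: a layer above can
   report an underlying error as text without knowing its type. *)
module type FLOW = sig
  type flow
  type error
  val error_message : error -> string
  val read : flow -> (string, error) result
end

(* Hypothetical transport with its own error type (constructed example). *)
module Tcp_stub = struct
  type flow = { reset : bool; payload : string }
  type error = Connection_reset | Timeout
  let error_message = function
    | Connection_reset -> "connection reset by peer"
    | Timeout -> "read timed out"
  let read f = if f.reset then Error Connection_reset else Ok f.payload
end

(* A layer that both requires and provides FLOW, as TLS does in the
   thread. Its error type wraps the underlying one and error_message
   delegates, so a lower-layer failure is reported rather than lost. *)
module Tls_over (F : FLOW) = struct
  type flow = F.flow
  type error = Tls_alert of string | Underlying of F.error
  let error_message = function
    | Tls_alert a -> "TLS: " ^ a
    | Underlying e -> "underlying flow: " ^ F.error_message e
  let read f =
    match F.read f with
    | Error e -> Error (Underlying e)            (* propagate, don't swallow *)
    | Ok "" -> Error (Tls_alert "empty record")  (* this layer's own error *)
    | Ok data -> Ok data
end

module T = Tls_over (Tcp_stub)

let () =
  (* A reset connection: the message comes from Tcp_stub via T. *)
  let flow = { Tcp_stub.reset = true; payload = "" } in
  match T.read flow with
  | Ok d -> print_endline d
  | Error e -> print_endline (T.error_message e)
```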