[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MirageOS-devel] TLS on Xen

On 13 January 2015 at 17:03, Thomas Leonard <talex5@xxxxxxxxx> wrote:
> I've sent PRs for various patches to make TLS work on Xen. The changes
> needed are:
> 1. Add generic error handling for FLOWs, so we can propagate errors reliably.
> 2. Fix the page alignment requirements for Netif.
> 3. Add TLS support to conduit.
> PRs:
> Add `error_message` support for FLOW (can be merged now):
> https://github.com/mirage/mirage-console/pull/33
> https://github.com/mirage/ocaml-vchan/pull/60
> https://github.com/mirage/mirage-tcpip/pull/98
> (any other places implementing FLOW?)
> Update the FLOW signature:
> https://github.com/mirage/mirage/pull/346
> Update TLS and Conduit (they both require and provide FLOW, so they
> will be broken briefly):
> https://github.com/mirleft/ocaml-tls/pull/225
> We could add a dummy version of `error_message` here first to ease
> upgrades, if desired. However, Conduit_mirage will break anyway due to
> the extra TLS functor argument.
> Make Netif not require aligned single-page buffers:
> https://github.com/mirage/mirage-net-xen/pull/17
> (optional: remove now-pointess copying in ocaml-tls)
> You can then configure conduit for TLS like this:
>         let mode = `TLS (tls_config, `TCP (`Port 443)) in
> The mode contains the TLS arguments and a configuration for some
> underlying channel.
> I'm fairly happy with it. One minor problem is creating the TLS server
> from a TLS config. Is there a function for this? In conduit, I
> currently have:
>           let server = Tls.Config.(server
>             ~ciphers:config.ciphers
>             ~version:config.protocol_versions
>             ~hashes:config.hashes
>             ~reneg:config.use_reneg
>             ?certificate:config.own_certificate
>             ~secure_reneg:config.secure_reneg)
>             () in
> However, this will silently fail to pass any new config attributes
> that get adding later.

As suggested in the call yesterday, I've made a branch of the
mirage-dev repository that contains updated versions of the packages
with Xen/TLS support and tests them all together:


I don't think it should hold anything up, but there are some
improvements we might want to make in future:

- It would be good to make the config type abstract, so that conduit
doesn't bring in dependencies on the TLS libraries.

- It might be nice if mirage would let you configure an HTTP server
without using conduit. Resolving URLs needs to be dynamic, but when
providing a service you usually know statically which transport you
want (http, https or vchan).

- It would be good if you could configure an https server directly in
config.ml. Currently, the need to configure it with a certificate and
private key means this step has to go in the unikernel.

Dr Thomas Leonard        http://0install.net/
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
GPG: DA98 25AE CAD0 8975 7CDA  BD8E 0713 3F96 CA74 D8BA

MirageOS-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.