[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MirageOS-devel] TLS on Xen

On 15 Jan 2015, at 15:09, Thomas Leonard <talex5@xxxxxxxxx> wrote:
> On 13 January 2015 at 17:03, Thomas Leonard <talex5@xxxxxxxxx> wrote:
>> I've sent PRs for various patches to make TLS work on Xen. The changes
>> needed are:
>> 1. Add generic error handling for FLOWs, so we can propagate errors reliably.
>> 2. Fix the page alignment requirements for Netif.
>> 3. Add TLS support to conduit.
>> PRs:
>> Add `error_message` support for FLOW (can be merged now):
>> https://github.com/mirage/mirage-console/pull/33
>> https://github.com/mirage/ocaml-vchan/pull/60
>> https://github.com/mirage/mirage-tcpip/pull/98
>> (any other places implementing FLOW?)
>> Update the FLOW signature:
>> https://github.com/mirage/mirage/pull/346
>> Update TLS and Conduit (they both require and provide FLOW, so they
>> will be broken briefly):
>> https://github.com/mirleft/ocaml-tls/pull/225
>> We could add a dummy version of `error_message` here first to ease
>> upgrades, if desired. However, Conduit_mirage will break anyway due to
>> the extra TLS functor argument.
>> Make Netif not require aligned single-page buffers:
>> https://github.com/mirage/mirage-net-xen/pull/17
>> (optional: remove now-pointess copying in ocaml-tls)
>> You can then configure conduit for TLS like this:
>>        let mode = `TLS (tls_config, `TCP (`Port 443)) in
>> The mode contains the TLS arguments and a configuration for some
>> underlying channel.
>> I'm fairly happy with it. One minor problem is creating the TLS server
>> from a TLS config. Is there a function for this? In conduit, I
>> currently have:
>>          let server = Tls.Config.(server
>>            ~ciphers:config.ciphers
>>            ~version:config.protocol_versions
>>            ~hashes:config.hashes
>>            ~reneg:config.use_reneg
>>            ?certificate:config.own_certificate
>>            ~secure_reneg:config.secure_reneg)
>>            () in
>> However, this will silently fail to pass any new config attributes
>> that get adding later.
> As suggested in the call yesterday, I've made a branch of the
> mirage-dev repository that contains updated versions of the packages
> with Xen/TLS support and tests them all together:
>  https://github.com/mirage/mirage-dev/pull/52
> I don't think it should hold anything up, but there are some
> improvements we might want to make in future:
> - It would be good to make the config type abstract, so that conduit
> doesn't bring in dependencies on the TLS libraries.

Agreed; https://github.com/mirage/ocaml-conduit/issues/39

> - It might be nice if mirage would let you configure an HTTP server
> without using conduit. Resolving URLs needs to be dynamic, but when
> providing a service you usually know statically which transport you
> want (http, https or vchan).

And agreed again: https://github.com/mirage/ocaml-conduit/issues/40

It should be easy enough to have a CoHTTP Request/Response functor
based on the V1_LWT.CHANNEL (which itself only needs a V1_LWT.FLOW).

That wouldn't have any URL resolution functions exposed, but only
the Client interface needs that anyway.

MirageOS-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.