
Re: [MirageOS-devel] new nocrypto/x509/tls releases

  • To: mirageos-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Hannes Mehnert <hannes@xxxxxxxxxxx>
  • Date: Mon, 7 Dec 2015 16:34:48 +0000
  • Delivery-date: Mon, 07 Dec 2015 16:35:50 +0000
  • List-id: Developer list for MirageOS <mirageos-devel.lists.xenproject.org>
  • Openpgp: id=11B5464249B5BD858FFF6328BC896588DF7C28EE

On 12/07/2015 16:25, Anil Madhavapeddy wrote:
>> On 5 Dec 2015, at 00:29, Hannes Mehnert <hannes@xxxxxxxxxxx> wrote:
> Awesome!  I'll get on with an OpenBSD port of tlstunnel now then.
> I'm hoping to switch my SMTPD setup on Recoil.org to fronting
> via this rather than OpenSSL soon...

Great!  Be aware that tlstunnel doesn't do STARTTLS (which I think is
used a lot for SMTPD).

>> X.509
> Just checking -- do we need any upper bound constraints on old users
> of ocaml-tls for this?

You mean something like
? (TL;DR: yes. The largest X.509 user is TLS, where I adjusted the
constraints.)  Tlstunnel doesn't need constraints here (it doesn't do
authentication); for jackline I adjusted the constraints in its opam
file and my custom xmpp opam repository.

>> TLS 0.7.0
>> =========
>> Server
>> ------
>> For a server it would be great to have a standalone LRU cache package,
>> but there is none in opam (although ocaml-git, containers, ... all
>> implement LRU caches).
>> The cache:
>>
>>   module HT = Hashtbl.Make (Tls.Core.SessionID)
>>   let add_session_to_cache, session_cache =
>>     let cache = HT.create 7 in
>>     ((fun ed -> HT.add cache ed.Tls.Core.session_id ed),
>>      (fun id -> if HT.mem cache id then Some (HT.find cache id) else None))
>>
>> and once a session is established, insert it:
>>
>>   Tls_lwt.Unix.accept config s >>= fun (t, addr) ->
>>   (match Tls_lwt.Unix.epoch t with
>>    | `Ok e -> add_session_to_cache e
>>    | `Error -> ()) ;
>>   handle (Tls_lwt.of_t t) addr
>>
>> And pass the session_cache function to Tls.Config.server.
> An Irmin-based LRU so that we have persistence here?  Not sure how
> the above implementation does GC of sessions...

It doesn't do any GC (it is just a simple sketch of how someone would
use the session_cache API).  Some independent LRU implementation would
be nice.


Attachment: signature.asc
Description: OpenPGP digital signature
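The sketch above never evicts anything, which is the GC concern raised in the thread. Below is an added example (not code from the mail or from ocaml-tls) of a bounded LRU with the same two-function shape, `add` and `find`, so that `Lru (Tls.Core.SessionID)` could hold `Tls.Core.epoch_data` in place of the plain Hashtbl; it assumes only that `Tls.Core.SessionID` is a `Hashtbl.HashedType`, as the mail's `Hashtbl.Make (Tls.Core.SessionID)` implies, and the stand-alone check at the end uses constructed string keys instead.

```ocaml
(* Bounded LRU over any Hashtbl.HashedType.  A monotonically increasing
   tick records each key's last use; the key with the smallest tick is
   the least recently used and is evicted when `add` would exceed
   `capacity`.  `find` counts as a use, so resumed sessions stay warm. *)
module Lru (K : Hashtbl.HashedType) = struct
  module HT = Hashtbl.Make (K)
  module Ticks = Map.Make (struct type t = int let compare = compare end)

  type 'v t = {
    capacity : int ;
    tbl : ('v * int) HT.t ;       (* key -> (value, tick of last use) *)
    mutable order : K.t Ticks.t ; (* tick -> key, for eviction order *)
    mutable tick : int ;
  }

  let create capacity =
    { capacity ; tbl = HT.create capacity ; order = Ticks.empty ; tick = 0 }

  let evict c =
    match Ticks.min_binding_opt c.order with
    | None -> ()
    | Some (t, k) -> c.order <- Ticks.remove t c.order ; HT.remove c.tbl k

  let add c k v =
    (match HT.find_opt c.tbl k with
     | Some (_, old) -> c.order <- Ticks.remove old c.order  (* re-add *)
     | None -> if HT.length c.tbl >= c.capacity then evict c) ;
    c.tick <- c.tick + 1 ;
    c.order <- Ticks.add c.tick k c.order ;
    HT.replace c.tbl k (v, c.tick)

  (* Same signature as the mail's session_cache: key -> value option *)
  let find c k =
    match HT.find_opt c.tbl k with
    | None -> None
    | Some (v, _) -> add c k v ; Some v   (* bump recency *)

  let length c = HT.length c.tbl
end

(* Constructed check with string keys; with ocaml-tls the instantiation
   would be Lru (Tls.Core.SessionID) holding Tls.Core.epoch_data. *)
module SCache = Lru (struct
  type t = string
  let equal = String.equal
  let hash = Hashtbl.hash
end)

let () =
  let c = SCache.create 2 in
  SCache.add c "sid-a" "epoch-a" ;
  SCache.add c "sid-b" "epoch-b" ;
  ignore (SCache.find c "sid-a") ;   (* a is now most recently used *)
  SCache.add c "sid-c" "epoch-c" ;   (* evicts b, not a *)
  assert (SCache.find c "sid-b" = None) ;
  assert (SCache.find c "sid-a" = Some "epoch-a") ;
  assert (SCache.length c = 2)
```

Where the mail passes `add_session_to_cache` and `session_cache`, this would be `SCache.add c` and `SCache.find c`; the table is bounded by `capacity` rather than growing for the lifetime of the server.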
