Copyright | Copyright © 2015 PivotCloud, Inc. |
---|---|
License | MIT |
Maintainer | Lars Kuhtz <lkuhtz@pivotmail.com> |
Stability | experimental |
Safe Haskell | None |
Language | Haskell2010 |
This module provides means for defining and using HTTPS certificate validation policies for HTTPS requests.
- data HttpsCertPolicy = HttpsCertPolicy {}
- certPolicyInsecure :: Lens' HttpsCertPolicy Bool
- certPolicyHostFingerprints :: Lens' HttpsCertPolicy (HashMap ServiceID Fingerprint)
- defaultHttpsCertPolicy :: HttpsCertPolicy
- pHttpsCertPolicy :: Text -> MParser HttpsCertPolicy
- simpleHttpWithValidationPolicy :: Text -> HttpsCertPolicy -> IO (Response ByteString)
- httpWithValidationPolicy :: Request -> HttpsCertPolicy -> IO (Response ByteString)
- newtype VerboseTlsException = VerboseTlsException Text
HTTPS Certificate Validation Policy
data HttpsCertPolicy
HttpsCertPolicy | |
pHttpsCertPolicy
:: Text | prefix for the command line options |
-> MParser HttpsCertPolicy |
HTTP Requests With Certificate Validation Policy
simpleHttpWithValidationPolicy
:: Text | HTTP or HTTPS URL |
-> HttpsCertPolicy | |
-> IO (Response ByteString) |
Make an HTTP request with a given certificate validation policy.
NOTE that the HTTP request is strictly loaded into memory.
NOTE that this implementation opens a new TCP connection for each single request. HTTPS certificate validation results are not cached between different requests.
newtype VerboseTlsException
The Haskell tls library provides only limited means for providing
user-friendly error messages. In particular, we'd like to provide the
user with fingerprints of the rejected certificate for self-signed
certificates. We also want to give the user some guidance on what
a particular failure may indicate with respect to the security of the
connection.
Here we employ a hack for better error handling: based on the assumption
that we initialize a new connection Manager and also a new certificate
cache for each request, we write the certificate that is received
from the server in the TLS handshake to an IORef. If the handshake
fails later on because the certificate is rejected, we can recover the
rejected certificate from the IORef.
What we really want are exceptions that can be consumed programmatically. In particular, exceptions should include rejected certificates.
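The IORef technique described above, sketched against the client hooks of the tls library as an added example; it is not this module's own code. The names recordingParams and recordedFingerprint are hypothetical, the host example.invalid and the empty chain are constructed input, and the block assumes the tls, x509 (or crypton-x509) and x509-validation packages are installed.

```haskell
import Data.IORef (IORef, newIORef, readIORef, writeIORef)
import Data.X509 (CertificateChain (..), HashALG (HashSHA256))
import Data.X509.Validation (Fingerprint, exceptionValidationCache, getFingerprint)
import Network.TLS (ClientHooks (..), ClientParams (..), defaultParamsClient)

-- | Hypothetical helper: wrap the validation hook so that the chain the
-- server presented is stored before the original validation runs.
-- The validation verdict itself is passed through unchanged.
recordingParams :: IORef (Maybe CertificateChain) -> ClientParams -> ClientParams
recordingParams ref params = params { clientHooks = hooks' }
  where
    hooks  = clientHooks params
    hooks' = hooks
      { onServerCertificate = \store cache sid chain -> do
          writeIORef ref (Just chain)
          onServerCertificate hooks store cache sid chain
      }

-- | Hypothetical helper: SHA-256 fingerprint of the recorded leaf
-- certificate, for use in an error message after a failed handshake.
recordedFingerprint :: IORef (Maybe CertificateChain) -> IO (Maybe Fingerprint)
recordedFingerprint ref = do
  recorded <- readIORef ref
  pure $ case recorded of
    Just (CertificateChain (leaf : _)) -> Just (getFingerprint leaf HashSHA256)
    _                                  -> Nothing

main :: IO ()
main = do
  -- One IORef per request, matching the one-manager-per-request assumption.
  ref <- newIORef Nothing
  let host     = "example.invalid"  -- constructed host name
      params   = recordingParams ref (defaultParamsClient host mempty)
      validate = onServerCertificate (clientHooks params)
  -- Call the hook directly with a constructed, empty chain so the example
  -- runs offline; in a real handshake the tls library calls it.
  reasons <- validate mempty (exceptionValidationCache []) (host, mempty)
                      (CertificateChain [])
  -- A non-empty list of failure reasons means the chain was rejected.
  print reasons
  -- The empty constructed chain has no leaf, so no fingerprint is reported.
  recordedFingerprint ref >>= print
```

Sharing one IORef across concurrent handshakes would let the recorded chain belong to a different connection than the one that failed, which is why the approach depends on a fresh reference per request.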