[new release] tls (6 packages) (1.0.0) #26387
please note that the tls-miou-unix fuzz test may fail on your CI systems with
failing CI tests:
it is not clear to me how to proceed, I can see multiple options about the arm32 failures:
I don't have a clear preference. please let me know what you think is appropriate.
I decided to make this unavailable on arm32. If there's someone in need for arm32 support, please open an issue and we can discuss.
About
CHANGES:

* API breaking change: remove usage of Cstruct.t inside of TLS, use bytes and string instead (mirleft/ocaml-tls#497 by @art-w, @hannesm, @dinosaure, @reynir)
  Performance is up to 3x improved (bandwidth), 2x improvement for handshake/s on an Intel Core(TM) i7-5600U CPU @ 2.60GHz
* FEATURE: add tls-miou-unix package, which adds miou support for TLS (mirleft/ocaml-tls#494 mirleft/ocaml-tls#503 @dinosaure)
* FEATURE: tls-lwt and tls-async: allow TLS over an existing connection
  `Tls_lwt.client_of_channels : Tls.Config.client -> ?host:[`host] Domain_name.t -> Lwt_io.input_channel * Lwt_io.output_channel -> t Lwt.t`
  and
  `Tls_lwt.server_of_channels : Tls.Config.server -> Lwt_io.input_channel * Lwt_io.output_channel -> t Lwt.t`
  (mirleft/ocaml-tls#499 @art-w @MisterDA)
* API breaking changes: revise errors - reduce the polymorphic variant in size, align it with RFC specified errors, be in parts more precise about errors, in other parts skip data (mirleft/ocaml-tls#505, @hannesm - fixes mirleft/ocaml-tls#491)
  NB: if you relied on a specific error constructor, please open an issue
* Remove unused constructors from Packet.{alert_type, compression_methods, client_certificate_type, extension_type} (mirleft/ocaml-tls#505, @hannesm)
  NB: if you relied on specific constructors, please open an issue
* API breaking change: Tls.Config.{server,client} now return a result type instead of raising an exception (mirleft/ocaml-tls#502, @hannesm, fixes mirleft/ocaml-tls#411)
* FEATURE: add bench/speed.exe, a benchmark for bandwidth (for different ciphersuites) and handshakes (different key exchanges and private keys) (mirleft/ocaml-tls#500 @hannesm @dinosaure @reynir)
* BUGFIX: tests/feedback.exe update with TLS 1.3 semantics, run as test (mirleft/ocaml-tls#501, @hannesm - reported by @dinosaure)
8f14617 to 34f3a30
An error appears about
Which can be ignored at the moment. This test works on other machines and it's about a fake certificate generated on the fly just for the test.
@dinosaure it is a strange error only happening on 32bit x86. Maybe worth investigating, maybe somewhere (in x509 / asn1) we're not 32bit clean anymore? Would be nice to get a smaller test case out of it and debug that properly (but I fail to have time and energy for a 32bit setup).
fine to merge, only CI issue is the 32bit fuzz test of miou, which may be looked into some day. eventually if there's demand (tls on 32 bit systems) and a bug report.
Thanks!
Transport Layer Security purely in OCaml