如何向http-client-tls提供客户端证书?

时间:2016-10-17 08:17:17

标签: haskell ssl https

我使用http-client-tls连接到需要客户端证书的启用TLS的服务器。我怀疑我需要使用加载的证书和正确的cypher-suites参数来调整TLSSettings,但是如何做到这一点肯定不清楚。

是否有人使用客户端证书的示例代码?

1 个答案:

答案 0 :(得分:5)

感谢Moritz Agerman分享他的代码。这是一个完整的Haskell模块,可以使用crt.pemkey.pem文件来提供服务器请求的客户端证书:

 {-# LANGUAGE OverloadedStrings #-}
 module TLS where

 import           Data.Default
 import           Network.Connection
 import           Network.HTTP.Client
 import           Network.HTTP.Client.TLS
 import           Network.TLS
 import           Network.TLS.Extra.Cipher
 import           Servant.Client

 makeClientManager :: String -> Scheme -> IO Manager
 makeClientManager hostname Https = mkMngr hostname "crt.pem" "key.pem"
 makeClientManager _        Http  = newManager defaultManagerSettings

 mkMngr :: String -> FilePath -> FilePath -> IO Manager
 mkMngr hostName crtFile keyFile = do
   creds <- either error Just `fmap` credentialLoadX509 crtFile keyFile
   let hooks = def
               { onCertificateRequest = \_ -> return creds
               , onServerCertificate = \_ _ _ _ -> return []
               }
       clientParams = (defaultParamsClient hostName  "")
                      { clientHooks = hooks
                      , clientSupported = def { supportedCiphers = ciphersuite_all }
                      }
       tlsSettings = TLSSettings clientParams

   newManager $ mkManagerSettings tlsSettings Nothing

不确定这是否绕过服务器证书验证,因为onServerCertificate挂钩是常量[]