Hello community, here is the log from the commit of package ghc-warp-tls for openSUSE:Factory checked in at 2016-07-01 09:58:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-warp-tls (Old) and /work/SRC/openSUSE:Factory/.ghc-warp-tls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-warp-tls" Changes: -------- --- /work/SRC/openSUSE:Factory/ghc-warp-tls/ghc-warp-tls.changes 2016-05-03 09:36:11.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ghc-warp-tls.new/ghc-warp-tls.changes 2016-07-01 09:58:52.000000000 +0200 @@ -1,0 +2,7 @@ +Mon Jun 27 10:59:54 UTC 2016 - mimi...@gmail.com + +- update to 3.2.2 +* New settting parameter: tlsServerDHEParams +* Preventing socket leakage + +------------------------------------------------------------------- Old: ---- warp-tls-3.2.1.tar.gz New: ---- warp-tls-3.2.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghc-warp-tls.spec ++++++ --- /var/tmp/diff_new_pack.ae6F32/_old 2016-07-01 09:58:53.000000000 +0200 +++ /var/tmp/diff_new_pack.ae6F32/_new 2016-07-01 09:58:53.000000000 +0200 @@ -18,7 +18,7 @@ %global pkg_name warp-tls Name: ghc-%{pkg_name} -Version: 3.2.1 +Version: 3.2.2 Release: 0 Summary: HTTP over TLS support for Warp via the TLS package License: MIT @@ -28,6 +28,7 @@ BuildRequires: ghc-Cabal-devel # Begin cabal-rpm deps: BuildRequires: ghc-bytestring-devel +BuildRequires: ghc-cryptonite-devel BuildRequires: ghc-data-default-class-devel BuildRequires: ghc-network-devel BuildRequires: ghc-rpm-macros ++++++ warp-tls-3.2.1.tar.gz -> warp-tls-3.2.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/warp-tls-3.2.1/ChangeLog.md new/warp-tls-3.2.2/ChangeLog.md --- old/warp-tls-3.2.1/ChangeLog.md 2016-02-27 00:24:38.000000000 +0100 +++ new/warp-tls-3.2.2/ChangeLog.md 2016-06-22 07:54:17.000000000 +0200 
@@ -1,3 +1,8 @@ +## 3.2.2 + +* New settting parameter: tlsServerDHEParams [#556](https://github.com/yesodweb/wai/pull/556) +* Preventing socket leakage [#559](https://github.com/yesodweb/wai/pull/559) + ## 3.2.1 * Removing dependency to cprng-aes. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/warp-tls-3.2.1/Network/Wai/Handler/WarpTLS.hs new/warp-tls-3.2.2/Network/Wai/Handler/WarpTLS.hs --- old/warp-tls-3.2.1/Network/Wai/Handler/WarpTLS.hs 2016-02-27 00:24:38.000000000 +0100 +++ new/warp-tls-3.2.2/Network/Wai/Handler/WarpTLS.hs 2016-06-22 07:54:17.000000000 +0200 @@ -30,6 +30,7 @@ , tlsCiphers , tlsWantClientCert , tlsServerHooks + , tlsServerDHEParams , onInsecure , OnInsecure (..) -- * Runner @@ -37,6 +38,8 @@ , runTLSSocket -- * Exception , WarpTLSException (..) + , DH.Params + , DH.generateParams ) where #if __GLASGOW_HASKELL__ < 709 @@ -55,6 +58,7 @@ import Network.Socket (Socket, sClose, withSocketsDo, SockAddr, accept) import Network.Socket.ByteString (sendAll) import qualified Network.TLS as TLS +import qualified Crypto.PubKey.DH as DH import qualified Network.TLS.Extra as TLSExtra import Network.Wai (Application) import Network.Wai.Handler.Warp @@ -118,6 +122,13 @@ -- Default: def -- -- Since 3.0.2 + , tlsServerDHEParams :: Maybe DH.Params + -- ^ Configuration for ServerDHEParams + -- more function lives in `cryptonite` package + -- + -- Default: Nothing + -- + -- Since 3.2.2 } -- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors). @@ -135,6 +146,7 @@ , tlsCiphers = ciphers , tlsWantClientCert = False , tlsServerHooks = def + , tlsServerDHEParams = Nothing } -- taken from stunnel example in tls-extra 
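Review bot: The Haddock added for `tlsServerDHEParams` in the `@@ -118,6 +122,13 @@` hunk says where the type lives but not what a safe value looks like, which matters because the `@@ -250,7 +262,7 @@` hunk on the next line passes the field straight into `TLS.serverDHEParams` with no check on the group, so this comment is the only guard against a small or well-known weak DH group undermining the forward secrecy DHE suites are meant to provide. I would replace the three-line field comment with a Haddock stating that the field is the Diffie-Hellman group used for DHE cipher suites, that it should be generated once at startup with the re-exported 'DH.generateParams' using a prime of at least 2048 bits (generation is slow, so it must not be done per connection), and that with 'Nothing' the behaviour is whatever the tls package does for an absent group — presumably DHE suites are simply not offered, which should be confirmed against the tls version the cabal file now pins. The same hunk can fix the typo in `-- more function lives in `cryptonite` package` to `-- more functions live in the cryptonite package`.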
@@ -250,7 +262,7 @@ params = def { -- TLS.ServerParams TLS.serverWantClientCert = tlsWantClientCert , TLS.serverCACertificates = [] - , TLS.serverDHEParams = Nothing + , TLS.serverDHEParams = tlsServerDHEParams , TLS.serverHooks = hooks , TLS.serverShared = shared , TLS.serverSupported = supported @@ -297,12 +309,14 @@ return (mkConn tlsset s params, sa) mkConn :: TLS.TLSParams params => TLSSettings -> Socket -> params -> IO (Connection, Transport) -mkConn tlsset s params = do - firstBS <- safeRecv s 4096 - (if not (S.null firstBS) && S.head firstBS == 0x16 then - httpOverTls tlsset s firstBS params - else - plainHTTP tlsset s firstBS) `onException` sClose s +mkConn tlsset s params = switch `onException` sClose s + where + switch = do + firstBS <- safeRecv s 4096 + if not (S.null firstBS) && S.head firstBS == 0x16 then + httpOverTls tlsset s firstBS params + else + plainHTTP tlsset s firstBS ---------------------------------------------------------------- @@ -434,8 +448,16 @@ } return (conn'', TCP) DenyInsecure lbs -> do - -- FIXME: what about HTTP/2? - -- http://tools.ietf.org/html/rfc2817#section-4.2 + -- Listening port 443 but TLS records do not arrive. + -- We want to let the browser know that TLS is required. + -- So, we use 426. + -- http://tools.ietf.org/html/rfc2817#section-4.2 + -- https://tools.ietf.org/html/rfc7231#section-6.5.15 + -- FIXME: should we distinguish HTTP/1.1 and HTTP/2? + -- In the case of HTTP/2, should we send + -- GOAWAY + INADEQUATE_SECURITY? + -- FIXME: Content-Length: + -- FIXME: TLS/<version> sendAll s "HTTP/1.1 426 Upgrade Required\ \r\nUpgrade: TLS/1.0, HTTP/1.1\ \r\nConnection: Upgrade\ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/warp-tls-3.2.1/warp-tls.cabal new/warp-tls-3.2.2/warp-tls.cabal --- old/warp-tls-3.2.1/warp-tls.cabal 2016-02-27 00:24:38.000000000 +0100 +++ new/warp-tls-3.2.2/warp-tls.cabal 2016-06-22 07:54:17.000000000 +0200 
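Review bot: In the rewritten `switch` of the `@@ -297,12 +309,14 @@` hunk, the `not (S.null firstBS) && S.head firstBS == 0x16` test still relies on the partial `S.head` behind a manual emptiness guard; `case S.uncons firstBS of` with `Just (0x16, _) -> httpOverTls tlsset s firstBS params` and `_ -> plainHTTP tlsset s firstBS` expresses the same dispatch totally and reads as the protocol sniff it is. Note that when `safeRecv` returns an empty string the connection now takes the plaintext path with an empty buffer exactly as it did before the refactor, so whether `plainHTTP` tolerates that is not visible here. The whole of `mkConn` is inside the hunk; `safeRecv`, `httpOverTls` and `plainHTTP` are not.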
@@ -1,5 +1,5 @@
 Name: warp-tls
-Version: 3.2.1
+Version: 3.2.2
 Synopsis: HTTP over TLS support for Warp via the TLS package
 License: MIT
 License-file: LICENSE
@@ -22,7 +22,8 @@
 , wai >= 3.2 && < 3.3
 , warp >= 3.2 && < 3.3
 , data-default-class >= 0.0.1
- , tls >= 1.3.2
+ , tls >= 1.3.5
+ , cryptonite >= 0.12
 , network >= 2.2.1
 , streaming-commons
 Exposed-modules: Network.Wai.Handler.WarpTLS