How to provide a client certificate to http-client-tls?


Problem description


I am using http-client-tls to connect to a TLS-enabled server that requires a client certificate. I suspect I need to tweak TLSSettings with a loaded certificate and correct cipher-suite parameters, but it is definitely not clear how to do this.

Does anybody have some example code that uses client-side certificates?

Solution

Thanks to Moritz Agerman for sharing his code. Here is a full Haskell module that can use crt.pem and key.pem files to provide a client-side certificate as requested by the server:

 {-# LANGUAGE OverloadedStrings #-}
 module TLS where

 import           Data.Default
 import           Network.Connection
 import           Network.HTTP.Client
 import           Network.HTTP.Client.TLS
 import           Network.TLS
 import           Network.TLS.Extra.Cipher
 import           Servant.Client

 makeClientManager :: String -> Scheme -> IO Manager
 makeClientManager hostname Https = mkMngr hostname "crt.pem" "key.pem"
 makeClientManager _        Http  = newManager defaultManagerSettings

 mkMngr :: String -> FilePath -> FilePath -> IO Manager
 mkMngr hostName crtFile keyFile = do
   creds <- either error Just `fmap` credentialLoadX509 crtFile keyFile
   let hooks = def
               { onCertificateRequest = \_ -> return creds
               , onServerCertificate = \_ _ _ _ -> return []
               }
       clientParams = (defaultParamsClient hostName  "")
                      { clientHooks = hooks
                      , clientSupported = def { supportedCiphers = ciphersuite_all }
                      }
       tlsSettings = TLSSettings clientParams

   newManager $ mkManagerSettings tlsSettings Nothing

Not sure if this does bypass server certificate validation or not as onServerCertificate hook is a constant [].
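
In the `tls` library, `onServerCertificate` returns the list of validation failures, so the constant `[]` hook in the answer above reports no failures for any certificate the server presents. The following is an added example, not part of the original answer or of Moritz Agerman's code, that presents the client certificate while keeping server validation. `mkValidatingManager` is a hypothetical name, and the code assumes the same `tls`/`connection` API as the answer plus the `x509-validation` and `x509-system` packages.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module TLSValidated where

import Control.Monad (unless)
import Data.Default (def)
import Data.X509.Validation (validateDefault)
import Network.Connection (TLSSettings (..))
import Network.HTTP.Client (Manager, newManager)
import Network.HTTP.Client.TLS (mkManagerSettings)
import Network.TLS
import Network.TLS.Extra.Cipher (ciphersuite_default)
import System.IO (hPutStrLn, stderr)
import System.X509 (getSystemCertificateStore)

-- Hypothetical name; takes the same arguments as the answer's mkMngr.
mkValidatingManager :: String -> FilePath -> FilePath -> IO Manager
mkValidatingManager hostName crtFile keyFile = do
  -- Raise an IOError (not `error`) if the PEM files cannot be loaded.
  cred <- either (ioError . userError) return =<< credentialLoadX509 crtFile keyFile
  -- A hand-built ClientParams starts with an empty CA store, so load the
  -- system trust anchors explicitly; otherwise every chain fails validation.
  caStore <- getSystemCertificateStore
  let hooks = def
        { onCertificateRequest = \_ -> return (Just cred)
          -- Run the standard chain and host name checks and return their
          -- result. Any non-empty list aborts the handshake.
        , onServerCertificate = \store cache serviceId chain -> do
            failures <- validateDefault store cache serviceId chain
            unless (null failures) $
              hPutStrLn stderr ("server certificate rejected for "
                                ++ fst serviceId ++ ": " ++ show failures)
            return failures
        }
      clientParams = (defaultParamsClient hostName "")
        { clientHooks = hooks
        , clientShared = def { sharedCAStore = caStore }
          -- The library's default list, in place of the answer's ciphersuite_all.
        , clientSupported = def { supportedCiphers = ciphersuite_default }
        }
  newManager $ mkManagerSettings (TLSSettings clientParams) Nothing
```

For a server whose certificate is issued by a private CA, the system store would be replaced by a store built from that CA's certificate rather than by returning `[]` from the hook.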
