I am using http-client-tls to connect to a TLS-enabled server that requires a client certificate. I suspect I need to tweak TLSSettings with a loaded certificate and correct cypher-suites parameters but it is definitely not clear how to do this.
Does anybody have some example code that uses client-side certificates?
Thanks to Moritz Agerman for sharing his code. Here is a full Haskell module that can use crt.pem and key.pem files to provide client-side certificate as requested by server:
{-# LANGUAGE OverloadedStrings #-}
module TLS where
import Data.Default
import Network.Connection
import Network.HTTP.Client
import Network.HTTP.Client.TLS
import Network.TLS
import Network.TLS.Extra.Cipher
import Servant.Client
makeClientManager :: String -> Scheme -> IO Manager
makeClientManager hostname Https = mkMngr hostname "crt.pem" "key.pem"
makeClientManager _ Http = newManager defaultManagerSettings
mkMngr :: String -> FilePath -> FilePath -> IO Manager
mkMngr hostName crtFile keyFile = do
creds <- either error Just `fmap` credentialLoadX509 crtFile keyFile
let hooks = def
{ onCertificateRequest = \_ -> return creds
, onServerCertificate = \_ _ _ _ -> return []
}
clientParams = (defaultParamsClient hostName "")
{ clientHooks = hooks
, clientSupported = def { supportedCiphers = ciphersuite_all }
}
tlsSettings = TLSSettings clientParams
newManager $ mkManagerSettings tlsSettings Nothing
Not sure if this does bypass server certificate validation or not as onServerCertificate hook is a constant [].