Add an unix implementation of TLS #518

Merged
hannesm merged 6 commits into mirleft:main from kit-ty-kate:unix
Sep 26, 2025
Conversation

@kit-ty-kate
Contributor

This is an updated version of #443 rebased on top of master.
I then took the current tls-miou implementation and replaced Miou_unix by Unix.

@kit-ty-kate
Contributor Author

I have a PoC PR using this in ocamldap: kit-ty-kate/ocamldap#10
If anyone knows how to use the connect function correctly I'd be happy to take a hint.

@hannesm
Member

hannesm commented Sep 23, 2025

Thanks for this PR. Sorry for the delayed reply. There are some mentions of "miou" in the tls_unix.ml which should be renamed. I wonder whether @dinosaure (with #443) has an opinion whether to go that way or this way here to move forward!?

If anyone knows how to use the connect function correctly I'd be happy to take a hint.

I'm a bit puzzled what you mean. From my session (dune utop --only-packages=tls,tls-lwt):

let null ?ip:_ ~host:_ _certs = Ok None;;

let fd = Tls_unix.connect null ("robur.coop", 443);;
Tls_unix.write fd "GET / HTTP/1.0\r\nHost: robur.coop\r\n\r\n";;
Tls_unix.read fd buf;;

Somehow, the really_read always returns end of file for me... not sure what the issue is there.

But does the connect work for you as well? Or what is the issue?

@dinosaure
Contributor

About the PR, it seems fine but I need to take a deep look and test it to see if we missed anything. tls-miou is highly related to how miou behaves, and miou behaves differently than a system like Linux. We also need to ensure that tls-unix works on all platforms (especially BSD). I don't have the time to do that this month but I put it on my TODO list.

Somehow, the really_read always returns end of file for me... not sure what the issue is there.

Depending on the size of the buffer you give. Do you have a reproducible example?

@kit-ty-kate
Contributor Author

I'm a bit puzzled what you mean.

I meant that Tls_unix.connect differs from Ssl.open_connection by having to pass around an "authenticator", and I couldn't find how users were meant to create this type, but you answered my question in your example (null). Thanks!

@hannesm
Member

hannesm commented Sep 24, 2025

@kit-ty-kate for common operations (i.e. public web, let's encrypt certificates, ...), https://ocaml.org/p/ca-certs/latest/doc/ca-certs/Ca_certs/index.html#val-authenticator should be a sensible thing to use.
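As an added example (not code from this PR or from ocaml-tls), here is a client that replaces the permissive `null` authenticator from the session above with the Ca_certs trust-store authenticator suggested here, and drains the response with repeated `read` calls so that a short read is not mistaken for end of file. It assumes the Tls_unix functions as used in this thread (`connect`, `write`, `read`), that `read` returns the number of bytes read with 0 at end of file, and that a `Tls_unix.close` function exists.

```ocaml
(* Added example, not part of the PR: connect with certificate verification
   instead of the [null] authenticator, then read the whole HTTP response.
   Assumes Tls_unix.connect/write/read as used in the thread, Tls_unix.read
   returning the number of bytes read (0 at end of file), and Tls_unix.close. *)

(* The permissive authenticator from the session above: it accepts every
   chain, so it offers no protection against an interposed server. Kept only
   to show the contrast with the trust-store-backed one below. *)
let null ?ip:_ ~host:_ _certs = Ok None

(* Authenticator backed by the system trust store (ca-certs), which verifies
   the chain and the hostname. Fails loudly if no trust store is found. *)
let trusted_authenticator () =
  match Ca_certs.authenticator () with
  | Ok auth -> auth
  | Error (`Msg m) -> failwith ("ca-certs: " ^ m)

(* Read until the peer closes the connection. A single [read] may return
   fewer bytes than the buffer holds (the ~2700 bytes seen in the thread),
   so loop instead of treating a short read as the end of the response. *)
let read_all fd =
  let buf = Bytes.create 4096 in
  let out = Buffer.create 4096 in
  let rec loop () =
    match Tls_unix.read fd buf with
    | 0 -> Buffer.contents out
    | n -> Buffer.add_subbytes out buf 0 n; loop ()
  in
  loop ()

(* Same exchange as in the thread, but with a verifying authenticator. *)
let fetch ~host ~port =
  let fd = Tls_unix.connect (trusted_authenticator ()) (host, port) in
  Fun.protect ~finally:(fun () -> Tls_unix.close fd) (fun () ->
    Tls_unix.write fd (Printf.sprintf "GET / HTTP/1.0\r\nHost: %s\r\n\r\n" host);
    read_all fd)

let () =
  ignore null;
  let response = fetch ~host:"robur.coop" ~port:443 in
  Printf.printf "%d bytes received\n" (String.length response)
```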

@hannesm
Member

hannesm commented Sep 24, 2025

Somehow, the really_read always returns end of file for me... not sure what the issue is there.

Depending on the size of the buffer you give. Do you have a reproducible example?

Same as above, my buf is a Bytes.create 4094. read returns around 2700 bytes if I recall correctly.

@hannesm
Member

hannesm commented Sep 26, 2025

OK, so I tested this PR on FreeBSD. I'm eager to merge and cut a release. If we find issues, we can fix them and cut new releases. A diff -u miou/tls_miou_unix.ml unix/tls_unix.ml shows only changes replacing Miou_unix calls with Unix, so I'm confident this works as nicely as the Miou_unix implementation :)

@dinosaure
Contributor

I don't have a strong opinion about that, I just need to keep in mind that if we find a bug in tls-unix, it's probably the same in tls-miou-unix.

@hannesm
Member

hannesm commented Sep 26, 2025

I don't have a strong opinion about that, I just need to keep in mind that if we find a bug in tls-unix, it's probably the same in tls-miou-unix.

Indeed, I put a comment in both ml files.

@hannesm hannesm merged commit 18c6b52 into mirleft:main Sep 26, 2025
1 check was pending
hannesm added a commit to hannesm/opam-repository that referenced this pull request Sep 26, 2025
CHANGES:

* Provide an implementation which uses the Unix module (distributed with OCaml),
  based on the miou-unix implementation
  (mirleft/ocaml-tls#518 mirleft/ocaml-tls#443 @kit-ty-kate @dinosaure, fixes mirleft/ocaml-tls#517)