I’m pleased to announce the release of two opam packages, ca-certs and ca-certs-nss, which respectively use the trust anchors from the system, or embed the trust anchors from Network Security Services (NSS, these days maintained by Mozilla and used by the Firefox browser).
For some context: when establishing a TLS connection you likely want to verify that the server provides a valid certificate. On the open world wide web this boils down to “is valid at the current time”, “is issued for the host name you are connecting to”, and “is signed by a trustworthy entity” (such as https://letsencrypt.org/, which validates that you control the domain before signing a certificate). If you do not verify the server certificate, an attacker positioned between you and the server can read and modify arbitrary communication content. Read more about this topic on Wikipedia. NB: in private setups you can run your own CA and won’t need ca-certs / ca-certs-nss.
Now, different operating systems store this information in different places and formats; for Unix (and Linux) there is unfortunately no common API or file location. To abstract over this, the package ca-certs provides the API val authenticator : [...] -> unit -> (X509.Authenticator.t, [> `Msg of string ]) result, which composes well with the OCaml-TLS API for TLS clients (which take such an authenticator). The result is an error (carrying a message) when the trust store of the running system cannot be located or parsed; a client should treat that as fatal rather than as a reason to skip verification.
The ca-certs package was initially implemented by @emillon in 2019, and has only recently been pushed to opam-repository. If you’re using a not-so-mainstream Linux distribution (or other Unix), we’re interested in your feedback: does dune runtest work on your system? Apart from Debian, Ubuntu, SuSE, and CentOS, it has been tested on FreeBSD, OpenBSD, and macOS. The macOS support uses the security command, and could be improved by using appropriate API calls. There is no support for Windows at the moment (if you’re interested in contributing Windows support, it should be pretty straightforward).
The ca-certs-nss package uses the same versioning scheme as NSS, and embeds the same trust anchors that your Firefox browser has. This is meant as an alternative to ca-certs (e.g. if you’re on a system which is not (yet) supported by ca-certs), or for a MirageOS unikernel (where there is no host trust store to read from). Since the anchors are compiled into the binary, they only change when you update the package, so keep it current to pick up CAs that NSS has added or removed.
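As an added example (not code from the ca-certs, ca-certs-nss or tls packages themselves), here is a small TLS client that obtains an authenticator from ca-certs, falls back to the embedded NSS anchors from ca-certs-nss when the system store is unavailable, and uses it to authenticate a server before sending a request. The fallback policy, the HEAD request and the default host are this example’s choices. It assumes tls 0.12-era signatures: Tls.Config.client ~authenticator ~peer_name (), Tls_lwt.connect_ext conf (host, port), the Tls_lwt.Tls_alert / Tls_lwt.Tls_failure exceptions, and that Ca_certs_nss.authenticator () returns an X509.Authenticator.t directly; adjust for other versions.

```ocaml
(* Added example: not part of ca-certs / ca-certs-nss / tls.
   Assumed dune stanza: (libraries ca-certs ca-certs-nss tls tls.lwt domain-name lwt.unix)
   Assumed API versions: tls 0.12-era, x509 0.11-era (see lead-in). *)

open Lwt.Infix

(* Pick an authenticator.  Ca_certs.authenticator () returns Error (`Msg _)
   when the host's trust store cannot be found or parsed; here we then fall
   back to the NSS anchors compiled into ca-certs-nss.  That fallback is this
   example's policy, not the libraries'.  We never fall back to "no
   verification". *)
let authenticator () : X509.Authenticator.t * string =
  match Ca_certs.authenticator () with
  | Ok auth -> (auth, "system trust store (ca-certs)")
  | Error (`Msg msg) ->
    Printf.eprintf "ca-certs: %s; falling back to embedded NSS anchors\n%!" msg;
    (Ca_certs_nss.authenticator (), "embedded NSS anchors (ca-certs-nss)")

(* Build a client configuration.  ~peer_name is essential: without it the
   chain is checked against the trust anchors, but not that the leaf
   certificate is actually issued for the host we are talking to. *)
let client_config host =
  match Result.bind (Domain_name.of_string host) Domain_name.host with
  | Error (`Msg m) -> Error ("invalid host name: " ^ m)
  | Ok peer_name ->
    let authenticator, source = authenticator () in
    Ok (Tls.Config.client ~authenticator ~peer_name (), source)

(* Send an HTTP HEAD over TLS and return the status line.  If the server's
   chain does not validate (untrusted CA, expired, wrong name), the handshake
   fails inside connect_ext and the request is never sent. *)
let head host =
  match client_config host with
  | Error e -> Lwt.return (Error e)
  | Ok (conf, source) ->
    Printf.printf "authenticating %s against %s\n%!" host source;
    Lwt.catch
      (fun () ->
         Tls_lwt.connect_ext conf (host, 443) >>= fun (ic, oc) ->
         Lwt_io.write oc
           (Printf.sprintf "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" host)
         >>= fun () ->
         Lwt_io.read_line ic >>= fun status ->
         Lwt_io.close ic >|= fun () -> Ok status)
      (function
        | Tls_lwt.Tls_alert a ->
          Lwt.return (Error ("TLS alert: " ^ Tls.Packet.alert_type_to_string a))
        | Tls_lwt.Tls_failure f ->
          Lwt.return (Error ("TLS failure: " ^ Tls.Engine.string_of_failure f))
        | e -> Lwt.fail e)

(* Usage: ./client.exe [host]; letsencrypt.org is used as a default here
   only because it appears in the post. *)
let () =
  let host = if Array.length Sys.argv > 1 then Sys.argv.(1) else "letsencrypt.org" in
  match Lwt_main.run (head host) with
  | Ok status -> print_endline status
  | Error e -> prerr_endline e; exit 1
```

A quick way to confirm the verification is actually in effect is to point the client at a host whose certificate is self-signed or expired: the handshake should fail with a TLS failure reported by the authenticator, and no request should leave the process.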
We’re interested in your feedback, and hope that releasing these libraries improves the security of network clients across the OCaml ecosystem by providing a simple API to authenticate server certificates. If you’re running into issues, please don’t hesitate to reach out.
To install, opam install ca-certs / opam install ca-certs-nss is all you need.