[ANN] ca-certs and ca-certs-nss

I’m pleased to announce the release two opam packages, ca-certs and ca-certs-nss, which use the trust anchors from the system / embed trust anchors from Netscape Security Services (these days used by the Mozilla Firefox browser).

For some context: when establishing a TLS connection you likely want to verify that the server provides a valid certificate – on the open world wide web this boils down to “is valid at the current time” and “is signed by a trustworthy entity” (such as https://letsencrypt.org/ - which validates that you have access to the domain before signing a certificate). If you do not verify the server certificate, a person may be in the middle of the connection and read and modify arbitrary communication content. Read more about this topic on Wikipedia. NB in private setups you can use your own CA setup and won’t need ca-certs / ca-certs-nss.

Now, different operating systems store this information in different places and formats – for Unix (and Linux) there is unfortunately no common API or file location. To abstract over this, the package ca-certs provides the API val authenticator : [...] -> unit -> (X509.Authenticator.t, [> `Msg of string ]) result – which composes well with OCaml-TLS API for TLS clients (that receive such an authenticator).

The ca-certs package has initially been implemented by @emillon in 2019, and only recently been pushed to opam-repository. If you’re using a not-so-mainstream Linux distribution (or other Unix), we’re interested in your feedback: does a dune runtest work on your system? – it has been tested apart from debian, ubuntu, SuSE, CentOS, also on FreeBSD, OpenBSD, and macOS. The macOS support uses the security command, and could be improved by using appropriate API calls – there is no support for Windows at the moment (if you’re interested in contributing support for windows, it should be pretty straightfoward).

The ca-certs-nss package uses the same versioning scheme as NSS, and embeds the trust anchors that your Firefox browser has as well. This is meant as alternative to ca-certs (e.g. if you’re on a system which is not (yet) supported by ca-certs), or in a MirageOS unikernel (where there’s no access to the host trust anchors).

We’re interested in your feedback, and hope by releasing those libraries to improve the security of network clients across the OCaml ecosystem by providing a simple API to authenticate server certificates. If you’re running into issues, please don’t hesitate to reach out.

To install, opam install ca-certs / opam install ca-certs-nss is all you need.


Thank you for the release, this is very useful! I can confirm that dune runtest works on my system, running Archlinux.

1 Like

Thanks for improving tls, what info do you need?

$ uname -a
Linux raspberrypi 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l GNU/Linux

$ opam switch
#  switch                      compiler                                   description
→  4.10.0+musl+static+flambda  ocaml-variants.4.10.0+musl+static+flambda  4.10.0+musl+static+flambda
   default                     ocaml-system.4.05.0                        default

$ opam install ca-certs
<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
∗ installed conf-gmp.2
[ERROR] The compilation of zarith failed at "/home/pi/.opam/opam-init/hooks/sandbox.sh build make".
∗ installed conf-gmp-powm-sec.2

#=== ERROR while compiling zarith.1.11 ========================================#
# context     2.0.6 | linux/arm32 | ocaml-variants.4.10.0+musl+static+flambda | https://opam.ocaml.org#91605213
# path        ~/.opam/4.10.0+musl+static+flambda/.opam-switch/build/zarith.1.11
# command     ~/.opam/opam-init/hooks/sandbox.sh build make
# exit-code   2
# env-file    ~/.opam/log/zarith-21600-0f1b61.env
# output-file ~/.opam/log/zarith-21600-0f1b61.out
### output ###
# [...]
# ocamlc -I +compiler-libs -bin-annot  -c q.mli
# ocamlc -I +compiler-libs -bin-annot  -c q.ml
# ocamlc -I +compiler-libs -bin-annot  -c big_int_Z.mli
# ocamlc -I +compiler-libs -bin-annot  -c big_int_Z.ml
# ocamlmklib -failsafe -o zarith z.cmo q.cmo big_int_Z.cmo -lgmp
# gcc -DZ_OCAML_HASH -DZ_OCAML_COMPARE_EXT -DHAS_GMP     -c -o caml_z_arm.o caml_z_arm.S
# ocamlc -ccopt "-I/home/pi/.opam/4.10.0+musl+static+flambda/lib/ocaml  -DZ_OCAML_HASH -DZ_OCAML_COMPARE_EXT -DHAS_GMP  -O3 -Wall -Wextra " -c caml_z.c
# caml_z.c:32:10: fatal error: gmp.h: No such file or directory
#  #include <gmp.h>
#           ^~~~~~~
# compilation terminated.
# make: *** [project.mak:142: caml_z.o] Error 2

<><> Error report <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
┌─ The following actions failed
│ λ build zarith 1.11
┌─ The following changes have been performed (the rest was aborted)
│ ∗ install conf-gmp          2
│ ∗ install conf-gmp-powm-sec 2

The former state can be restored with:
    opam switch import "/home/pi/.opam/4.10.0+musl+static+flambda/.opam-switch/backup/state-20201120085427.export"

it looks like you don’t have libgmp installed. could you run opam depext ca-certs to get it installed?

$ sudo apt-get install libgmp-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libgmp-dev is already the newest version (2:6.1.2+dfsg-4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

came across a musl include path issue this summer, reported on github and both, Anil and me, forgot about it since :frowning:

Will dig it up later today.

here we go, easier found than imagined: https://github.com/ocaml/opam-repository/issues/16330#issuecomment-674132975

Good news: windows support in ca-certs has been released :slight_smile: :tada:

@emillon added the code (in Windows support by emillon · Pull Request #14 · mirage/ca-certs · GitHub), and released (on March 5th) version 0.2.0.