[ANN] ca-certs and ca-certs-nss

I’m pleased to announce the release of two opam packages, ca-certs and ca-certs-nss, which use the trust anchors from the system / embed trust anchors from Netscape Security Services (these days used by the Mozilla Firefox browser).

For some context: when establishing a TLS connection you likely want to verify that the server provides a valid certificate – on the open world wide web this boils down to “is valid at the current time” and “is signed by a trustworthy entity” (such as https://letsencrypt.org/ - which validates that you have access to the domain before signing a certificate). If you do not verify the server certificate, a person may be in the middle of the connection and read and modify arbitrary communication content. Read more about this topic on Wikipedia. NB in private setups you can use your own CA setup and won’t need ca-certs / ca-certs-nss.

Now, different operating systems store this information in different places and formats – for Unix (and Linux) there is unfortunately no common API or file location. To abstract over this, the package ca-certs provides the API val authenticator : [...] -> unit -> (X509.Authenticator.t, [> `Msg of string ]) result – which composes well with OCaml-TLS API for TLS clients (that receive such an authenticator).

The ca-certs package has initially been implemented by @emillon in 2019, and only recently been pushed to opam-repository. If you’re using a not-so-mainstream Linux distribution (or other Unix), we’re interested in your feedback: does a dune runtest work on your system? – it has been tested apart from debian, ubuntu, SuSE, CentOS, also on FreeBSD, OpenBSD, and macOS. The macOS support uses the security command, and could be improved by using appropriate API calls – there is no support for Windows at the moment (if you’re interested in contributing support for windows, it should be pretty straightforward).

The ca-certs-nss package uses the same versioning scheme as NSS, and embeds the trust anchors that your Firefox browser has as well. This is meant as alternative to ca-certs (e.g. if you’re on a system which is not (yet) supported by ca-certs), or in a MirageOS unikernel (where there’s no access to the host trust anchors).

We’re interested in your feedback, and hope by releasing those libraries to improve the security of network clients across the OCaml ecosystem by providing a simple API to authenticate server certificates. If you’re running into issues, please don’t hesitate to reach out.

To install, opam install ca-certs / opam install ca-certs-nss is all you need.


Thank you for the release, this is very useful! I can confirm that dune runtest works on my system, running Archlinux.


Thanks for improving tls, what info do you need?

$ uname -a
Linux raspberrypi 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l GNU/Linux

$ opam switch
#  switch                      compiler                                   description
→  4.10.0+musl+static+flambda  ocaml-variants.4.10.0+musl+static+flambda  4.10.0+musl+static+flambda
   default                     ocaml-system.4.05.0                        default

$ opam install ca-certs
<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
∗ installed conf-gmp.2
[ERROR] The compilation of zarith failed at "/home/pi/.opam/opam-init/hooks/sandbox.sh build make".
∗ installed conf-gmp-powm-sec.2

#=== ERROR while compiling zarith.1.11 ========================================#
# context     2.0.6 | linux/arm32 | ocaml-variants.4.10.0+musl+static+flambda | https://opam.ocaml.org#91605213
# path        ~/.opam/4.10.0+musl+static+flambda/.opam-switch/build/zarith.1.11
# command     ~/.opam/opam-init/hooks/sandbox.sh build make
# exit-code   2
# env-file    ~/.opam/log/zarith-21600-0f1b61.env
# output-file ~/.opam/log/zarith-21600-0f1b61.out
### output ###
# [...]
# ocamlc -I +compiler-libs -bin-annot  -c q.mli
# ocamlc -I +compiler-libs -bin-annot  -c q.ml
# ocamlc -I +compiler-libs -bin-annot  -c big_int_Z.mli
# ocamlc -I +compiler-libs -bin-annot  -c big_int_Z.ml
# ocamlmklib -failsafe -o zarith z.cmo q.cmo big_int_Z.cmo -lgmp
# gcc -DZ_OCAML_HASH -DZ_OCAML_COMPARE_EXT -DHAS_GMP     -c -o caml_z_arm.o caml_z_arm.S
# ocamlc -ccopt "-I/home/pi/.opam/4.10.0+musl+static+flambda/lib/ocaml  -DZ_OCAML_HASH -DZ_OCAML_COMPARE_EXT -DHAS_GMP  -O3 -Wall -Wextra " -c caml_z.c
# caml_z.c:32:10: fatal error: gmp.h: No such file or directory
#  #include <gmp.h>
#           ^~~~~~~
# compilation terminated.
# make: *** [project.mak:142: caml_z.o] Error 2

<><> Error report <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
┌─ The following actions failed
│ λ build zarith 1.11
┌─ The following changes have been performed (the rest was aborted)
│ ∗ install conf-gmp          2
│ ∗ install conf-gmp-powm-sec 2

The former state can be restored with:
    opam switch import "/home/pi/.opam/4.10.0+musl+static+flambda/.opam-switch/backup/state-20201120085427.export"

it looks like you don’t have libgmp installed. could you run opam depext ca-certs to get it installed?

$ sudo apt-get install libgmp-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libgmp-dev is already the newest version (2:6.1.2+dfsg-4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

came across a musl include path issue this summer, reported on github and both, Anil and me, forgot about it since :frowning:

Will dig it up later today.

here we go, easier found than imagined: https://github.com/ocaml/opam-repository/issues/16330#issuecomment-674132975

Good news: windows support in ca-certs has been released :slight_smile: :tada:

@emillon added the code (in Windows support by emillon · Pull Request #14 · mirage/ca-certs · GitHub), and released (on March 5th) version 0.2.0.