[new release] tls-mirage and tls (0.13.0)

[hannesm]

Transport Layer Security purely in OCaml, MirageOS layer

• Project page: https://github.com/mirleft/ocaml-tls
• Documentation: https://mirleft.github.io/ocaml-tls/doc

CHANGES:

• Remove static RSA and CBC ciphersuites from default configuration. The
  default configuration now includes FFDHE and ECDHE key exchanges with RSA or
  ECDSA/EdDSA certificates, and AEAD ciphers
  (AES-GCM, AES-CCM, ChaCha20-Poly1305) (minor code cleanups mirleft/ocaml-tls#429 by @hannesm)
• Remove SHA1 from signature_algorithms in the default configuration
  (minor code cleanups mirleft/ocaml-tls#429 by @hannesm)
• Support ECDSA and EdDSA certificates and private keys via x509 0.12.0 and
  mirage-crypto-ec (Use mirage-crypto-ec for elliptic curves, support ECDSA certificates mirleft/ocaml-tls#428 by @hannesm)
  Breaking changes:
  • the second part of type Tls.Config.certchain is now a X509.Private_key.t
    (previously Mirage_crypto_pk.Rsa.priv)
  • the type aliases X509_lwt.priv and X509_lwt.authenticator have been removed
• Use mirage-crypto-ec instead of fiat-p256 and hacl_x25519 for elliptic curve
  support - this adds P384 and P521 ECDH support (Use mirage-crypto-ec for elliptic curves, support ECDSA certificates mirleft/ocaml-tls#428 by @hannesm)
• Remove custom Monad implementation, use Result and Rresult instead
  (minor code cleanups mirleft/ocaml-tls#429 by @hannesm)
• Remove Utils.Cs submodule, use Cstruct API instead (minor code cleanups mirleft/ocaml-tls#429 by @hannesm)
• Breaking: Tls.Engine.ret type is now a result instead of a custom variant type
  (minor code cleanups mirleft/ocaml-tls#429 by @hannesm)
• Breaking: Tls_lwt.Unix.epoch results in (Tls.Core.epoch_data, unit) result -
  it was a custom error type previously (minor code cleanups mirleft/ocaml-tls#429 by @hannesm)

[hannesm]

I can't seem to find a revdep build run on opam-ci, is this intentional? since the release entails some breaking changes, it'd be great to see which packages fail to build.

[mseri]

It is a few days that they seem surprisingly empty. Ping @kit-ty-kate
The list of packages to test is rather long here: https://opam.ci.ocaml.org/github/ocaml/opam-repository/commit/95ade695d01206b8e9434f7af702b87ead639aaa/variant/compilers,4.12,tls.0.13.0,revdeps
But it seems they are then not tested

[camelus]

Commit: 5ac44de

A pull request by opam-seasoned @hannesm.

☀️ All lint checks passed 5ac44de

• These packages passed lint tests: colombe.0.1.0, conduit-lwt-unix.2.3.0, conduit-tls.3.0.0, dns-certify.4.4.0, dns-certify.4.4.1, dns-certify.4.5.0, dns-certify.4.6.0, dns-certify.4.6.1, dns-certify.4.6.2, dns-certify.4.6.3, gluten-lwt-unix.0.1.0, paf.0.0.1, sendmail.0.2.0, sendmail.0.3.0, sendmail.0.4.0, tls-mirage.0.13.0, tls.0.13.0

---

☀️ Installability check (+2)

• new installable packages (2): tls.0.13.0 tls-mirage.0.13.0

[mseri]

@hannesm they are running properly now

[hannesm]

I added a commit that restricts the reverse dependencies:

• conduit-lwt-unix (see more cleanups: reorg files and compile tests mirage/ocaml-conduit#374 (comment) for discussion, fix and release is upcoming (@hannesm @dinosaure @samoht))
• colombe & sendmail (@dinosaure)
• dns-certify (@hannesm - a release is upcoming)
• gluten-lwt-unix (@anmonteiro)

[hannesm]

the conduit-tls 3.0.0 revdep failures are addressed by #18502 (marking conduit*3 as unavailable). all other failures are out of scope (dns 4.x before 4.6.1 does not work on 32 bit, ...). from my point of view, this is ready to be merged.

[hannesm]

The CI results look good: some jobs are cancelled (but report "Job succeeded" as last line). The major failure is reverse dependencies of conduit-tls 3.0.0 -- which I attempted to address in #18502 that was closed.

In any case, this is a release of tls and tls-mirage, and revdep failures of "conduit-tls" can be addressed in another PR (it is broken in opam-repository#master already anyways).

[talex5]

Yes, some jobs end like this:

---> saved as "b345afb71d39540acfe66f368ebac02ad0d86fecae34b05e7de3418ff3dfaced"
2021-04-15 12:23.06: Cancelling: Timeout (60.0 minutes)
Job succeeded

It's a bit confusing, but the Job succeeded text here is from the cluster worker. So:

1. OCurrent asked the worker to cancel the job and logged the "Cancelling" message.
2. At the same time, the job finished, and the worker reported success.
3. OCurrent logged the success message from the worker.
4. OCurrent reported the job as "Cancelled", since it knew it had cancelled it.

That the cancellation didn't get through in time probably indicates some other problem (e.g. the network was down for a few minutes).

An actually successful job looks like this (with two "Job succeeded" messages):

---> saved as "234b6cb08d373a3fb68a4ccbd1ed9ba8245d25f6e88efceb6e67c77f6adfdb80"
Job succeeded
2021-04-15 11:13.39: Job succeeded

[mseri]

This kind of success with "Cancelled' label is not uncommon. I have seen it a number of times in the past, mostly on runs with large amounts of revdeps (I think Tezos and alcotests are/were common cases)

[hannesm]

Thanks for explanation. What do I need to do to get this PR merged?

[mseri]

I went through the build logs of the last two builds. The only one that needs still to be notified is colombe, which I will report directly on the repo. For the rest it lookgs good

[mseri]

Thanks for the extra fixes and bounds

[hannesm]

thanks a lot! :)