How to provide a client certificate to http-client-tls?

Question

I am using http-client-tls to connect to a TLS-enabled server that requires a client certificate. I suspect I need to tweak TLSSettings with a loaded certificate and correct cypher-suites parameters but it is definitely not clear how to do this.

Does anybody have some example code that uses client-side certificates?

Answer 1

Thanks to Moritz Agerman for sharing his code. Here is a full Haskell module that can use crt.pem and key.pem files to provide client-side certificate as requested by server:

 {-# LANGUAGE OverloadedStrings #-}
 module TLS where

 import           Data.Default
 import           Network.Connection
 import           Network.HTTP.Client
 import           Network.HTTP.Client.TLS
 import           Network.TLS
 import           Network.TLS.Extra.Cipher
 import           Servant.Client

 makeClientManager :: String -> Scheme -> IO Manager
 makeClientManager hostname Https = mkMngr hostname "crt.pem" "key.pem"
 makeClientManager _        Http  = newManager defaultManagerSettings

 mkMngr :: String -> FilePath -> FilePath -> IO Manager
 mkMngr hostName crtFile keyFile = do
   creds <- either error Just `fmap` credentialLoadX509 crtFile keyFile
   let hooks = def
               { onCertificateRequest = \_ -> return creds
               , onServerCertificate = \_ _ _ _ -> return []
               }
       clientParams = (defaultParamsClient hostName  "")
                      { clientHooks = hooks
                      , clientSupported = def { supportedCiphers = ciphersuite_all }
                      }
       tlsSettings = TLSSettings clientParams

   newManager $ mkManagerSettings tlsSettings Nothing

Not sure if this does bypass server certificate validation or not as onServerCertificate hook is a constant [].