caml-list - the Caml user's mailing list
From: Gerd Stolpmann <info@gerd-stolpmann.de>
To: pierrchp@free.fr
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] Ocamlnet Netclient SSl
Date: Fri, 29 Jul 2011 14:33:05 +0200
Message-ID: <1311942785.6236.162.camel@thinkpad>
In-Reply-To: <1311868239.4e31854f15812@imp.free.fr>

On Thursday, 28.07.2011, at 17:50 +0200, pierrchp@free.fr wrote:
> Hello,
> 
> I am trying to use SSL with the Ocamlnet Http_client. When I use the run method
> on the pipeline, the call executes well, and when it is empty, the program stalls
> for 30 sec before encountering an SSL error and continuing.

It turns out that the server is misbehaving here. It does not implement
the SSL connection closure correctly. In particular, Http_client sends a
close-notify message to the server, but the server does not respond to
this.

Well, there are probably many buggy SSL servers out there. Many
programmers have no clue how to close an SSL connection correctly, and
SSL libraries leave room for such implementation errors. Interesting to
see that even a large organization cannot do it, even one that
(probably) cares about security standards.

I've quickly tested a "forced" closure method, where the SSL
close-notify message is immediately followed by a TCP FIN message. At
least wellsfargo.com gets impressed by that, and they then close the TCP
channel. This is still a protocol violation, but we can live with that.

I'll test it a bit more, and will (hopefully) release a new ocamlnet
version soon.

Gerd


> 
> The same thing happens when using convenience.
> 
> I'm using ocaml 3.12.1 and ocamlnet 3.3.5
> 
> Code:
> 
> (* Turn on Http_client's debug logging *)
> Http_client.Debug.enable := true;
> (* Initialise the OCaml SSL bindings before creating any context *)
> Ssl.init ();
> (* Register an HTTPS transport on the convenience pipeline *)
> Http_client.Convenience.configure_pipeline
>   (fun p ->
>      let ctx = Ssl.create_context Ssl.TLSv1 Ssl.Client_context in
>      let tct = Https_client.https_transport_channel_type ctx in
>      p # configure_transport Http_client.https_cb_id tct
>   );
> ignore (Http_client.Convenience.http_get "https://www.wellsfargo.com/")
> 
> Debug information:
> 
> 
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP connection:
> creating direct connection to www.wellsfargo.com:443
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP direct
> connection to www.wellsfargo.com:443: Connected!
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP Connection: adding
> call 32
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: Call 32: initialize
> transmitter
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - Call 32 - HTTP
> request: GET / HTTP/1.1
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
> Got Call 32!
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
> pipelining=true persistency=false close_connection=false->false
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: Call 32 -
> postprocessing
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
> Shutdown!
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
> Closing socket!
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP connection:
> checking remaining pipeline requests
> [Thu Jul 28 15:17:55 2011] [debug] [6261:0] Http_client: FD 3 - Shutdown error:
> Uq_ssl.Ssl_error(Ssl.Error_syscall)
> 
> 
> Cheers
> 
>  -Pierre
> 

-- 
------------------------------------------------------------
Gerd Stolpmann, Bad Nauheimer Str.3, 64289 Darmstadt,Germany 
gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
Phone: +49-6151-153855                  Fax: +49-6151-997714
------------------------------------------------------------
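As an added illustration (not ocamlnet's code and not from either message above), here is the bounded closure Gerd describes, written against Python's ssl-socket interface: send close_notify, wait only briefly for the peer's, and fall back to a TCP FIN when it never comes. The function name, the 2-second default and the FakeTLSSocket stand-in are assumptions made for this example; the stand-in with answers_close_notify=False plays the part of the server that ignores close_notify.

```python
import socket


def close_tls_connection(tls_sock, close_notify_timeout=2.0):
    """Close a client-side TLS socket (ssl.SSLSocket or anything with the same
    settimeout/unwrap/shutdown/close interface) without hanging on a peer that
    never answers close_notify. Returns "graceful", "forced" or "error"."""
    plain, result = tls_sock, "graceful"
    tls_sock.settimeout(close_notify_timeout)  # bound the wait (not 30 s)
    try:
        # unwrap() sends our close_notify and waits for the peer's reply; on
        # success it hands back the underlying plain TCP socket.
        plain = tls_sock.unwrap()
    except socket.timeout:
        result = "forced"  # peer ignored close_notify: fall through to a FIN
    except OSError:
        result = "error"   # TLS layer failed (the Error_syscall case above)
    try:
        plain.shutdown(socket.SHUT_RDWR)  # TCP FIN right after close_notify
    except OSError:
        pass  # peer may already have reset the connection
    plain.close()
    return result


class FakeTLSSocket:
    """Constructed stand-in for ssl.SSLSocket so the closure logic runs offline.
    answers_close_notify=False models the server in the thread: it accepts our
    close_notify but never sends its own."""
    def __init__(self, answers_close_notify):
        self.answers_close_notify = answers_close_notify
        self.timeout, self.events = None, []
    def settimeout(self, timeout):
        self.timeout = timeout
    def unwrap(self):
        self.events.append("close_notify_sent")
        if not self.answers_close_notify:
            raise socket.timeout("peer never sent close_notify")
        self.events.append("close_notify_received")
        return self  # a real SSLSocket returns the wrapped socket.socket
    def shutdown(self, how):
        self.events.append("fin")
    def close(self):
        self.events.append("closed")
```

With a real ssl.SSLSocket the same call either completes the two-way close_notify exchange or gives up after the timeout and sends the FIN, so a misbehaving server costs the client the timeout rather than 30 seconds.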

