caml-list - the Caml user's mailing list
* [Caml-list] Ocamlnet Netclient SSl
From: pierrchp @ 2011-07-28 15:50 UTC
  To: caml-list

Hello,

I am trying to use SSL with the Ocamlnet Http_client. When I use the run method
on the pipeline, the call executes well, and when it is empty, the program stalls
for 30 sec before encountering an SSL error and continuing.

The same thing happens when using convenience.

I'm using ocaml 3.12.1 and ocamlnet 3.3.5

Code :



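(* Turn on Http_client debug logging *)
Http_client.Debug.enable := true;

Ssl.init();
Http_client.Convenience.configure_pipeline
  (fun p ->
     (* TLSv1 client context with default settings (no Ssl.set_verify call) *)
     let ctx = Ssl.create_context Ssl.TLSv1 Ssl.Client_context in
     let tct = Https_client.https_transport_channel_type ctx in
     p # configure_transport Http_client.https_cb_id tct
  );
Http_client.Convenience.http_get "https://www.wellsfargo.com/"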

Debug information:


[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP connection:
creating direct connection to www.wellsfargo.com:443
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP direct
connection to www.wellsfargo.com:443: Connected!
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP Connection: adding
call 32
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: Call 32: initialize
transmitter
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - Call 32 - HTTP
request: GET / HTTP/1.1
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
Got Call 32!
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
pipelining=true persistency=false close_connection=false->false
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: Call 32 -
postprocessing
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
Shutdown!
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
Closing socket!
[Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP connection:
checking remaining pipeline requests
[Thu Jul 28 15:17:55 2011] [debug] [6261:0] Http_client: FD 3 - Shutdown error:
Uq_ssl.Ssl_error(Ssl.Error_syscall)


Cheers

 -Pierre


* Re: [Caml-list] Ocamlnet Netclient SSl
From: Gerd Stolpmann @ 2011-07-29 12:33 UTC
  To: pierrchp; +Cc: caml-list

On Thursday, 28.07.2011, at 17:50 +0200, pierrchp@free.fr wrote:
> Hello,
> 
> I am trying to use SSL with the Ocamlnet Http_client. When I use the run method
> on the pipeline, the call executes well, and when it is empty, the program stalls
> for 30 sec before encountering an SSL error and continuing.

It turns out that the server is misbehaving here. It does not implement
the SSL connection closure correctly. In particular, Http_client sends a
close-notify message to the server, but the server does not respond to
this.

Well, there are probably many buggy SSL servers out there. Many
programmers have no clue how to close an SSL connection correctly, and
SSL libraries leave room for such implementation errors. Interesting to
see that even a large organization cannot do it, even one that
(probably) cares about security standards.

I've quickly tested a "forced" closure method, where the SSL
close-notify message is immediately followed by a TCP FIN message. At
least wellsfargo.com gets impressed by that, and they then close the TCP
channel. This is still a protocol violation, but we can live with that.

I'll test it a bit more, and will (hopefully) release a new ocamlnet
version soon.

Gerd


> 
> The same thing happens when using convenience.
> 
> I'm using ocaml 3.12.1 and ocamlnet 3.3.5
> 
> Code :
> 
> 
> 
> (* Turn on Http_client debug logging *)
> Http_client.Debug.enable := true;
> 
> Ssl.init();
> Http_client.Convenience.configure_pipeline
>   (fun p ->
>      (* TLSv1 client context with default settings (no Ssl.set_verify call) *)
>      let ctx = Ssl.create_context Ssl.TLSv1 Ssl.Client_context in
>      let tct = Https_client.https_transport_channel_type ctx in
>      p # configure_transport Http_client.https_cb_id tct
>   );
> Http_client.Convenience.http_get "https://www.wellsfargo.com/"
> 
> Debug information:
> 
> 
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP connection:
> creating direct connection to www.wellsfargo.com:443
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP direct
> connection to www.wellsfargo.com:443: Connected!
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP Connection: adding
> call 32
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: Call 32: initialize
> transmitter
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - Call 32 - HTTP
> request: GET / HTTP/1.1
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
> Got Call 32!
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
> pipelining=true persistency=false close_connection=false->false
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: Call 32 -
> postprocessing
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
> Shutdown!
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection:
> Closing socket!
> [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP connection:
> checking remaining pipeline requests
> [Thu Jul 28 15:17:55 2011] [debug] [6261:0] Http_client: FD 3 - Shutdown error:
> Uq_ssl.Ssl_error(Ssl.Error_syscall)
> 
> 
> Cheers
> 
>  -Pierre
> 

-- 
------------------------------------------------------------
Gerd Stolpmann, Bad Nauheimer Str.3, 64289 Darmstadt,Germany 
gerd@gerd-stolpmann.de          http://www.gerd-stolpmann.de
Phone: +49-6151-153855                  Fax: +49-6151-997714
------------------------------------------------------------
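
The closure behaviour discussed in this thread, as an added example in Python that is not part of either message and is not Ocamlnet code: a peer that never answers close_notify makes the client wait out its timeout, while sending the FIN directly after the alert ends the wait at once. Assumptions: `lazy_server` and `close_connection` are hypothetical names, no real TLS is spoken (the plaintext bytes of a close_notify alert stand in for the encrypted record), and a socketpair stands in for the TCP connection.

```python
import socket
import threading
import time

# Plaintext form of a TLS 1.0 close_notify alert record (constructed sample):
# type 21 = alert, version 3.1, length 2, level 1 = warning, description 0.
CLOSE_NOTIFY = bytes([21, 3, 1, 0, 2, 1, 0])


def lazy_server(conn):
    """Constructed peer that never answers close_notify. It closes only
    after reading EOF, i.e. once the client's FIN has arrived."""
    with conn:
        while conn.recv(4096):
            pass  # discard everything, including the close_notify alert


def close_connection(forced, wait_limit=1.0):
    """Send close_notify, then wait for the peer to finish the closure.

    forced=True follows the alert with a half-close (the FIN) straight away.
    Returns (peer_closed, seconds_waited).
    """
    client, server = socket.socketpair()  # stand-in for the TCP connection
    peer = threading.Thread(target=lazy_server, args=(server,), daemon=True)
    peer.start()
    client.settimeout(wait_limit)
    start = time.monotonic()
    client.sendall(CLOSE_NOTIFY)
    if forced:
        client.shutdown(socket.SHUT_WR)  # peer now reads EOF
    try:
        peer_closed = client.recv(4096) == b""
    except socket.timeout:
        peer_closed = False  # the stall: nothing came back before the limit
    waited = time.monotonic() - start
    client.close()
    peer.join(2)
    return peer_closed, waited


if __name__ == "__main__":
    for forced in (False, True):
        closed, waited = close_connection(forced)
        print(f"forced={forced}: peer_closed={closed} after {waited:.2f}s")
```

In real TLS, a missing close_notify from the peer means the end of the data stream is unauthenticated, so the HTTP framing (Content-Length or chunked encoding) has to confirm that the response was complete.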

