From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail4-relais-sop.national.inria.fr (mail4-relais-sop.national.inria.fr [192.134.164.105]) by walapai.inria.fr (8.13.6/8.13.6) with ESMTP id p6TCXCEK019614 for ; Fri, 29 Jul 2011 14:33:12 +0200 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApgEAEOnMk7U4367kWdsb2JhbAA0AQEEASkEJjIPAgwaAjICAhQMRR6EV6MVFAEBAQEJCwsHFAMiDwEBiGsCqWmFEZEgAoEphAaBEASLdIwMi18 X-IronPort-AV: E=Sophos;i="4.67,287,1309730400"; d="scan'208";a="104211686" Received: from moutng.kundenserver.de ([212.227.126.187]) by mail4-smtp-sop.national.inria.fr with ESMTP; 29 Jul 2011 14:33:07 +0200 Received: from office1.lan.sumadev.de (dslb-094-219-217-229.pools.arcor-ip.net [94.219.217.229]) by mrelayeu.kundenserver.de (node=mrbap0) with ESMTP (Nemesis) id 0MKKU2-1QnKkO2Ztu-001JLw; Fri, 29 Jul 2011 14:33:07 +0200 Received: from [192.168.1.111] (546BF154.cm-12-4d.dynamic.ziggo.nl [84.107.241.84]) by office1.lan.sumadev.de (Postfix) with ESMTPSA id 3D3075F702; Fri, 29 Jul 2011 14:33:06 +0200 (CEST) From: Gerd Stolpmann To: pierrchp@free.fr Cc: caml-list@inria.fr In-Reply-To: <1311868239.4e31854f15812@imp.free.fr> References: <1311868239.4e31854f15812@imp.free.fr> Content-Type: text/plain; charset="UTF-8" Date: Fri, 29 Jul 2011 14:33:05 +0200 Message-ID: <1311942785.6236.162.camel@thinkpad> Mime-Version: 1.0 X-Mailer: Evolution 2.28.3 Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:miKVHXZBVqOB6knxZ5TBLkAEC93OkXROV6KBMTubeog dSpLezEb1Mk9z0d/VChUCa9JwfQ0W4rW/NfktcnMkD+lBhUYqw QlAIPET/9sC3HPFVpfR5xaFE648RmgxPv/cmMmbP849+05FoEM 7Bc3kYSzwoo9+mU31j2IMAdE2/Jl896yd1jGwDt49p2AYG29Wf inRta0+k8JZX3iZQufsUg== Subject: Re: [Caml-list] Ocamlnet Netclient SSl Am Donnerstag, den 28.07.2011, 17:50 +0200 schrieb pierrchp@free.fr: > Hello, > > I am trying to use SSl with the Ocamlnet Http_client. When I use the run method > on the pipeline,the call executes well, and when it is empty, the program stalls > for 30 sec before encountering an ssl error an continuing. It turns out that the server is misbehaving here. It does not implement the SSL connection closure correctly. In particular, Http_client sends a close-notify message to the server, but the server does not respond to this. Well, there are probably many buggy SSL servers out there. Many programmers have no clue how to close an SSL connection correctly, and SSL libraries leave room for such implementation errors. Interesting to see that even a large organization cannot do it, even one that (probably) cares about security standards. I've quickly tested a "forced" closure method, where the SSL close-notify message is immediately followed by a TCP FIN message. At least wellsfargo.com gets impressed by that, and they close then the TCP channel. This is still a protocol violation, but we can live with that. I'll test it a bit more, and will (hopefully) release a new ocamlnet version soon. Gerd > > The same thing happens when using convenience. > > I'm using ocaml 3.12.1 and ocamlnet 3.3.5 > > Code : > > > > Debug.enable:=true; > > Ssl.init(); > Http_client.Convenience.configure_pipeline > (fun p -> > let ctx = Ssl.create_context Ssl.TLSv1 Ssl.Client_context in > let tct = Https_client.https_transport_channel_type ctx in > p # configure_transport Http_client.https_cb_id tct > ); > http_get "https://www.wellsfargo.com/" > > Debug information: > > > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP connection: > creating direct connection to www.wellsfargo.com:443 > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP direct > connection to www.wellsfargo.com:443: Connected! > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP Connection: adding > call 32 > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: Call 32: initialize > transmitter > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - Call 32 - HTTP > request: GET / HTTP/1.1 > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection: > Got Call 32! > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection: > pipelining=true persistency=false close_connection=false->false > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: Call 32 - > postprocessing > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection: > Shutdown! > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: FD 3 - HTTP connection: > Closing socket! > [Thu Jul 28 15:17:25 2011] [debug] [6261:0] Http_client: HTTP connection: > checking remaining pipeline requests > [Thu Jul 28 15:17:55 2011] [debug] [6261:0] Http_client: FD 3 - Shutdown error: > Uq_ssl.Ssl_error(Ssl.Error_syscall) > > > Cheers > > -Pierre > -- ------------------------------------------------------------ Gerd Stolpmann, Bad Nauheimer Str.3, 64289 Darmstadt,Germany gerd@gerd-stolpmann.de http://www.gerd-stolpmann.de Phone: +49-6151-153855 Fax: +49-6151-997714 ------------------------------------------------------------