Cohttp client tls exception

Hello.
I was trying out Cohttp client with utop as shown below:

Cohttp_lwt_unix.Client.get (Uri.of_string "https://www.ocaml.org/");;

And I received the error below:

Exception: Tls_lwt.Tls_alert Tls.Packet.HANDSHAKE_FAILURE.
Raised at file "src/core/lwt.ml", line 3027, characters 28-29
Called from file "src/unix/lwt_main.ml", line 27, characters 10-20
Called from file "src/unix/lwt_main.ml", line 114, characters 8-13
Re-raised at file "src/unix/lwt_main.ml", line 120, characters 10-13
Called from file "toplevel/toploop.ml", line 208, characters 17-27

I am not sure if it’s related to my machine or something else.

I am using macOS Catalina
LibreSSL 2.8.3
Cohttp, Cohttp-lwt and Cohttp-lwt-unix all version 2.5.1

It is likely related to this: https://github.com/mirleft/ocaml-tls/issues/362

According to one of the comments in https://github.com/mirage/ocaml-cohttp/issues/598, it could be fixable using ocaml-ssl instead of ocaml-tls. Can you check if it does the trick for you?

@mseri thanks for the reply. I have tried this OpenSSL solution from the 0install code base, but still have no luck. Maybe I am doing something wrong…

utop # Net.connect_uri ~ctx:default_ctx (Uri.of_string "https://www.ocaml.org");;
Exception:
SSL connection() error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Raised by primitive operation at unknown location
Called from file "src/lwt_ssl.ml", line 47, characters 4-8
Re-raised at file "src/lwt_ssl.ml", line 57, characters 13-14
Called from file "src/unix/lwt_unix.cppo.ml", line 498, characters 13-24
Re-raised at file "src/core/lwt.ml", line 3027, characters 28-29
Called from file "src/unix/lwt_main.ml", line 27, characters 10-20
Called from file "src/unix/lwt_main.ml", line 114, characters 8-13
Re-raised at file "src/unix/lwt_main.ml", line 120, characters 10-13
Called from file "toplevel/toploop.ml", line 208, characters 17-27

This is a different error. Maybe you need to install the ca-certificates package?

If you’re trying to make a cross-platform binary, you’ll also need to tell openssl all the places the certificates might be on different platforms. See e.g.
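
Added example, not part of the thread and not the code the post above refers to: a POSIX shell helper that probes common CA bundle locations and exports `SSL_CERT_FILE`, leaving certificate verification on. The candidate paths and the function names `find_ca_bundle` and `use_ca_bundle` are assumptions of this example, and `SSL_CERT_FILE` only takes effect when the client loads OpenSSL's default verify paths.

```shell
#!/bin/sh
# Added example: locate a CA bundle so OpenSSL-based clients can verify peers.
# Candidate paths are common distro/macOS defaults (assumed, not from the thread).
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
/usr/local/etc/openssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt"

# Print the first candidate that is a readable, non-empty PEM bundle.
# Arguments override the built-in list; returns 1 when nothing usable exists.
find_ca_bundle() {
    if [ "$#" -eq 0 ]; then
        # Split the default list on newlines only.
        old_ifs=$IFS; IFS='
'
        set -- $CA_CANDIDATES
        IFS=$old_ifs
    fi
    for f in "$@"; do
        if [ -r "$f" ] && [ -s "$f" ] &&
           grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Export SSL_CERT_FILE for child processes unless the operator already set a
# readable one. Fails loudly instead of falling back to no verification.
use_ca_bundle() {
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -r "$SSL_CERT_FILE" ]; then
        return 0
    fi
    bundle=$(find_ca_bundle "$@") || {
        echo "no CA bundle found; install the ca-certificates package" >&2
        return 1
    }
    SSL_CERT_FILE=$bundle
    export SSL_CERT_FILE
}
```

Source the file and call `use_ca_bundle` before starting the client; a non-zero return means the trust store is missing, which matches the "certificate verify failed" symptom above.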