Cohttp client tls exception

erhan · March 6, 2020, 7:15pm

Hello.
I was trying out Cohttp client with utop as shown below:

Cohttp_lwt_unix.Client.get (Uri.of_string "https://www.ocaml.org/");;

And I received an error below:

Exception: Tls_lwt.Tls_alert Tls.Packet.HANDSHAKE_FAILURE.
Raised at file "src/core/lwt.ml", line 3027, characters 28-29
Called from file "src/unix/lwt_main.ml", line 27, characters 10-20
Called from file "src/unix/lwt_main.ml", line 114, characters 8-13
Re-raised at file "src/unix/lwt_main.ml", line 120, characters 10-13
Called from file "toplevel/toploop.ml", line 208, characters 17-27

I am not sure if it’s related to my machine or something else.

I am using MacOS Catalina
LibreSSL 2.8.3
Cohttp, Cohttp-lwt and Cohttp-lwt-unix all version 2.5.1

mseri · March 6, 2020, 8:05pm

It is likely related to this: https://github.com/mirleft/ocaml-tls/issues/362

According to one of the comments in https://github.com/mirage/ocaml-cohttp/issues/598, it could be fixable using ocaml-ssl instead of ocaml-tls. Can you check if it does the trick for you?

erhan · March 7, 2020, 3:43pm

@mseri thanks for the reply. I have tried this OpenSSL solution from 0install code base. But still have no luck. Maybe I am doing something wrong…

utop # Net.connect_uri ~ctx:default_ctx (Uri.of_string "https://www.ocaml.org");;
Exception:
SSL connection() error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Raised by primitive operation at unknown location
Called from file "src/lwt_ssl.ml", line 47, characters 4-8
Re-raised at file "src/lwt_ssl.ml", line 57, characters 13-14
Called from file "src/unix/lwt_unix.cppo.ml", line 498, characters 13-24
Re-raised at file "src/core/lwt.ml", line 3027, characters 28-29
Called from file "src/unix/lwt_main.ml", line 27, characters 10-20
Called from file "src/unix/lwt_main.ml", line 114, characters 8-13
Re-raised at file "src/unix/lwt_main.ml", line 120, characters 10-13
Called from file "toplevel/toploop.ml", line 208, characters 17-27

talex5 · March 7, 2020, 4:31pm

This is a different error. Maybe you need to install the ca-certificates package?

If you’re trying to make a cross-platform binary, you’ll also need to tell openssl all the places the certificates might be on different platforms. See e.g.

github.com

0install/0install/blob/539d6d0e80de96f18f92b400b72d651b6d471595/src/zeroinstall/http.cohttp.ml#L4


      
          open Support
          open Support.Common
          
          module Certificates = struct
            (* Possible certificate files; stop after finding one.
               Based on https://golang.org/src/crypto/x509 *)
            let cert_files = [
              "/etc/ssl/certs/ca-certificates.crt";                (* Debian/Ubuntu/Gentoo etc. *)
              "/etc/pki/tls/certs/ca-bundle.crt";                  (* Fedora/RHEL 6 *)
              "/etc/ssl/ca-bundle.pem";                            (* OpenSUSE *)
              "/etc/pki/tls/cacert.pem";                           (* OpenELEC *)
              "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"; (* CentOS/RHEL 7 *)
              "/etc/ssl/cert.pem";                                 (* Alpine Linux / OpenBSD *)

Topic		Replies	Views
Exception: Failure "No SSL or TLS support compiled into Conduit" Learning	2	925	April 13, 2023
Cohttp error cases Learning cohttp	0	691	February 21, 2019
Trying to install cohttp-lwt-unix-ssl with opam Learning opam , cohttp , ssl	1	989	December 6, 2020
Tutorial for Cohttp-lwt as API client Learning	13	4588	September 22, 2020
`No SSL or TLS support compiled into Conduit` with cohttp 5.3.1, conduit 6.2.1, tls 0.17.4 Ecosystem opam , cohttp , tls , conduit	4	236	April 3, 2024

Cohttp client tls exception

Related topics