SSL error using Cohttp_async


I’m getting an error when trying to make an https GET request to the following URL using Cohttp_async. I’ve tried with both the ssl and tls packages.



(((pid 11196) (thread_id 0)) "2018-08-10 19:43:02.209899198Z"
 "unhandled exception in Async scheduler"
 ("unhandled exception"
     ("error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error")
    ("Raised at file \"src/\" (inlined), line 237, characters 22-32"
     "Called from file \"src/\" (inlined), line 9, characters 14-30"
     "Called from file \"src/\" (inlined), line 5, characters 2-50"
     "Called from file \"src/\", line 151, characters 4-74"
     "Called from file \"src/\", line 61, characters 64-69"
     "Called from file \"src/\", line 159, characters 6-47"
     "Caught by monitor ssl_pipe"))
   ((pid 11196) (thread_id 0)))))

Making the same request using curl or from Go works without issues.

The issue appears to be isolated to async; I’ve switched to lwt and it is now working.

Hi Ryan,

I was able to replicate this error. I figured out that this particular server fails to negotiate TLS if the client doesn’t supply a server name using SNI. openssl s_client will produce the same error if you don’t use the -servername parameter.

Here’s a small function go that enables SNI and works on my system. It just prints out the returned response body:

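open Core
open Async
open Cohttp_async

let go () =
  (* The request URL and host name are elided on this page; "<host>" and
     "<path>" are placeholders for the server's own values. *)
  let uri = Uri.of_string "https://<host>/<path>" in
  (* ~hostname is the name the client supplies to the server via SNI. *)
  let ssl_config = Conduit_async.Ssl.configure ~hostname:"<host>" () in
  let%bind _response, body = Client.get ~ssl_config uri in
  let%bind body = Body.to_string body in
  printf "%s" body;
  return ()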

My guess is that the Lwt variant sets the server name by default, but I’m not sure.

I hope this helps!


Great, thanks for the help.

@dinosaure is currently adding direct ocaml-tls support to Async, so this should hopefully percolate to Conduit_async soon after along with corresponding SNI support…


For anyone Googling, this is being addressed by