Ticket Change Details
Overview

Artifact ID: ea605ef8362e583f59fac2bc665e75aaceb0578841e54f99133dc29b4216b71e
Ticket: 799aae4e72a7c137979ba791698b79d610ad5119
http::geturl hangs if certificate verify failed
User & Date: anonymous on 2019-12-13 10:13:19
Changes

  1. foundin changed to: ">1.7.3"
  2. icomment:
    The problem is more severe the older the http package is, but in its less critical form, it hangs when performing a POST:
    
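    ```
    package require tls
    package require http

    # Route https:// URLs on port 443 through tls::socket
    http::register https 443 tls::socket

    # Define ::tls::log to print each message with a ">>>>" prefix
    proc ::tls::log {level msg} {
        puts ">>>> $msg"
    }

    #set ::tls::debug 1

    # Request and require a peer certificate, verified against /tmp/kk.ca
    tls::init -cafile /tmp/kk.ca -tls1 true -require 1 -request 1

    # -query turns the request into a POST
    http::geturl https://self-signed.badssl.com -query a=b

    puts OK
    ```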
    
    It shows:
    
    ```
    VerifyCallback 1
    VerifyCallback checking
    VerifyCallback null callback
    VerifyCallback returnning ok=0
    SSL channel "sock5": error: certificate verify failed
    
    <----- here it hangs
    ```
    
    If instead of performing a POST, we use GET, it does not hang:
    
    
    ```
    VerifyCallback 1
    VerifyCallback checking
    VerifyCallback null callback
    VerifyCallback returnning ok=0
    error flushing "sock5": connection reset by peer
        while executing
    "http::geturl https://self-signed.badssl.com"
        (file "check.tcl" line 18)
    ```
    
    But that is just because, in the http module, the socket is flushed, and it fails:
    
    ```
      if {$isQuery || $isQueryChannel} {
          ...
          puts $sock ""
          fconfigure $sock -translation {auto binary}
          fileevent $sock writable [list http::Write $token]
      } else {
          puts $sock ""
          flush $sock
          fileevent $sock readable [list http::Event $sock $token]
      }
    ```
    
    In isQuery mode (POST), there is no flush to trigger an error, so it hangs.
    
    I tracked the error to this commit: 
    
    https://core.tcl-lang.org/tcltls/info/7df7a8696e009447
    
    From that commit onwards, it always hangs.
    
  3. login: "anonymous"
  4. mimetype: "text/x-fossil-plain"
  5. private_contact changed to: "fb5d142cbd03f75616e36710b2a166433622c00f"
  6. severity changed to: "Severe"
  7. status changed to: "Open"
  8. title changed to: "http::geturl hangs if certificate verify failed"
  9. type changed to: "Code Defect"
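
A caller-side bound on the hang reported in this ticket, as an added example that is not part of the ticket or of the tcltls/http sources. It assumes the hang occurs while `http::geturl` waits in the event loop, so the http package's `-timeout` option can fire; `bounded_post` is a hypothetical helper name, and the URL and `tls::init` line are the ones from the report.

```tcl
package require http
package require tls

# Same TLS setup as the report: peer certificate required and verified.
tls::init -cafile /tmp/kk.ca -tls1 true -require 1 -request 1
http::register https 443 tls::socket

# bounded_post (hypothetical helper): POST with a deadline.
# Returns a dict with keys ok (0/1), status and detail.
proc bounded_post {url query {timeout_ms 10000}} {
    # geturl may raise synchronously, as the GET trace in the ticket shows.
    if {[catch {http::geturl $url -query $query -timeout $timeout_ms} token]} {
        return [dict create ok 0 status error detail $token]
    }
    set status [http::status $token]
    switch -- $status {
        ok {
            set result [dict create ok 1 status ok detail [http::ncode $token]]
        }
        timeout {
            # Assumption: on affected versions a failed certificate check
            # ends up here. Treat it as a hard failure; never retry with
            # verification relaxed (-require 0).
            set result [dict create ok 0 status timeout \
                detail "no response within $timeout_ms ms (possible TLS verify failure)"]
        }
        default {
            # error, eof or reset
            set result [dict create ok 0 status $status detail [http::error $token]]
        }
    }
    http::cleanup $token
    return $result
}

set r [bounded_post https://self-signed.badssl.com a=b 5000]
if {![dict get $r ok]} {
    puts stderr "request failed: [dict get $r status]: [dict get $r detail]"
    exit 1
}
puts OK
```

The timeout only bounds the wait; it does not distinguish a verification failure from a slow peer, so the tls log output remains the place to confirm the cause.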