Artifacts Associated With Ticket 799aae4e72a7c137979ba791698b79d610ad5119
Ticket change [ea605ef836] (rid 1490) by anonymous on 2019-12-13 10:13:19:
- foundin initialized to: ">1.7.3"
- icomment:
The problem is more severe the older the http package is, but in its less critical form, it hangs when performing a post: ``` package require tls package require http http::register https 443 tls::socket proc ::tls::log {level msg} { puts ">>>> $msg" } #set ::tls::debug 1 tls::init -cafile /tmp/kk.ca -tls1 true -require 1 -request 1 http::geturl https://self-signed.badssl.com -query a=b puts OK ``` It shows: ``` VerifyCallback 1 VerifyCallback checking VerifyCallback null callback VerifyCallback returnning ok=0 SSL channel "sock5": error: certificate verify failed <----- here it hangs ``` If instead of performing a POST, we use GET, it does not hang: ``` VerifyCallback 1 VerifyCallback checking VerifyCallback null callback VerifyCallback returnning ok=0 error flushing "sock5": connection reset by peer while executing "http::geturl https://self-signed.badssl.com" (file "check.tcl" line 18) ``` But is just because in http module, the socket is flushed, and it fails: ``` if {$isQuery || $isQueryChannel} { ... puts $sock "" fconfigure $sock -translation {auto binary} fileevent $sock writable [list http::Write $token] } else { puts $sock "" flush $sock fileevent $sock readable [list http::Event $sock $token] } ``` On isQuery mode (POST), there is no flush to trigger an error so it hangs. I tracked the error to this commit: https://core.tcl-lang.org/tcltls/info/7df7a8696e009447 From that commit onwards, it always hangs.
- login: "anonymous"
- mimetype: "text/x-fossil-plain"
- private_contact initialized to: "fb5d142cbd03f75616e36710b2a166433622c00f"
- severity initialized to: "Severe"
- status initialized to: "Open"
- title initialized to: "http::geturl hangs if certificate verify failed"
- type initialized to: "Code Defect"
Ticket change [543e5574bd] (rid 1583) by anonymous on 2022-08-28 21:56:25:
- icomment:
I'm getting the same issue but with the ldap module when verify certificate option is enabled. Is there a workaround ? Disabling verify permanently is a security issue.
- login: "anonymous"
- mimetype: "text/plain"
- priority changed to: "Immediate"
- resolution changed to: "Open"
- icomment: