RejectedSoftware Forums


ssl tcp connection problem

Hi, I am back to a little vibe.d dev right now and already have a weird problem that I have the feeling I had already years ago :D

Granted, I am a noob when it comes to SSL, but when I test my certificates like this:

openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert cert.pem -key key.pem

this works, I can connect.

Now I want to do the same with vibe.d and get this:

object.Exception@../../../.dub/packages/vibe-d-0.7.25/source/vibe/stream/openssl.d(281): Failed to connect SSL tunnel.:  (0)

this is a really helpful error ^^ (even with -vvvv)

my code looks like this:

m_tcp = connectTCP(m_options.address, m_options.port);
m_tcp.tcpNoDelay = true;

auto sslctx = createTLSContext(TLSContextKind.client);
sslctx.peerValidationMode(TLSPeerValidationMode.none);
sslctx.useCertificateChainFile("cert.pem");
sslctx.usePrivateKeyFile("key.pem");

m_sslStream = createTLSStream(m_tcp, sslctx);

How can I at least diagnose this?
I am on 0.7.25 btw.

--Stephan

Re: ssl tcp connection problem

On Fri, 30 Oct 2015 12:40:00 GMT, Stephan Dilly wrote:

Hi, I am back to a little vibe.d dev right now and already have a weird problem that I have the feeling I had already years ago :D

Granted, I am a noob when it comes to SSL, but when I test my certificates like this:

openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert cert.pem -key key.pem

this works, I can connect.

Now I want to do the same with vibe.d and get this:

object.Exception@../../../.dub/packages/vibe-d-0.7.25/source/vibe/stream/openssl.d(281): Failed to connect SSL tunnel.:  (0)

this is a really helpful error ^^ (even with -vvvv)

my code looks like this:

m_tcp = connectTCP(m_options.address, m_options.port);
m_tcp.tcpNoDelay = true;

auto sslctx = createTLSContext(TLSContextKind.client);
sslctx.peerValidationMode(TLSPeerValidationMode.none);
sslctx.useCertificateChainFile("cert.pem");
sslctx.usePrivateKeyFile("key.pem");

m_sslStream = createTLSStream(m_tcp, sslctx);

How can I at least diagnose this?
I am on 0.7.25 btw.

--Stephan

OK, if I change the stream creation to:

m_sslStream = createTLSStream(m_tcp, sslctx, TLSStreamState.connected);

the stream creation does not fail, but the first time I write on the stream I get this error:

Task terminated with uncaught exception: SSL_write returned an error: 5

What am I doing wrong?

Re: ssl tcp connection problem

I was able to reproduce this with a simple self-signed certificate pair,
so it still fails for me now, but it gets past the earlier point of
failure. The issue seemed to be a regression where the local SSL host
name was set even if the peer_name argument to createTLSStream was
empty. I've also fixed the error message display and have tagged a new RC.

Re: ssl tcp connection problem

On Mon, 2 Nov 2015 16:08:05 +0100, Sönke Ludwig wrote:

I was able to reproduce this with a simple self-signed certificate pair,
so it still fails for me now, but it gets past the earlier point of
failure. The issue seemed to be a regression where the local SSL host
name was set even if the peer_name argument to createTLSStream was
empty. I've also fixed the error message display and have tagged a new RC.

Seems to work great! Thank you so much!

Re: ssl tcp connection problem

On Tue, 03 Nov 2015 12:52:50 GMT, Stephan Dilly wrote:

On Mon, 2 Nov 2015 16:08:05 +0100, Sönke Ludwig wrote:

I was able to reproduce this with a simple self-signed certificate pair,
so it still fails for me now, but it gets past the earlier point of
failure. The issue seemed to be a regression where the local SSL host
name was set even if the peer_name argument to createTLSStream was
empty. I've also fixed the error message display and have tagged a new RC.

Seems to work great! Thank you so much!

Maybe add an auto test with self-signed certificates to make it regression safe?

Re: ssl tcp connection problem

On Tue, 03 Nov 2015 12:53:13 GMT, Stephan Dilly wrote:

Maybe add an auto test with self-signed certificates to make it regression safe?

I had prepared a test that works, but unfortunately it doesn't fail for the particular issue fixed because apparently OpenSSL itself is more liberal here. I'll add that anyway, because it could catch a lot of other issues.
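For reference, here is the client setup from Stephan's snippet reworked so that peer validation stays enabled and the peer name is passed to createTLSStream (the argument Sönke's fix concerns). This is an added example, not code from the thread or from vibe.d itself; it assumes the vibe.d 0.7.x API names shown, and the host, port and file names are placeholders.

```d
// Added example (not from the thread): vibe.d TLS client with peer validation
// kept on and the peer name supplied, instead of TLSPeerValidationMode.none.
// Assumes vibe.d 0.7.x API names; host/port/file paths are placeholders.
import vibe.core.net : connectTCP, TCPConnection;
import vibe.stream.tls;

TLSStream connectValidated(string host, ushort port, string caFile,
                           string certFile, string keyFile)
{
    auto tcp = connectTCP(host, port);
    tcp.tcpNoDelay = true;

    auto ctx = createTLSContext(TLSContextKind.client);

    // Require the server certificate to chain to a trusted CA and to match
    // the peer name; TLSPeerValidationMode.none would accept any certificate,
    // which is only acceptable while debugging the handshake itself.
    ctx.peerValidationMode = TLSPeerValidationMode.trustedCert;
    ctx.useTrustedCertificateFile(caFile);   // CA bundle to validate against

    // Client certificate and key for mutual TLS, as in the original snippet
    // (the openssl s_client -cert/-key equivalent).
    ctx.useCertificateChainFile(certFile);
    ctx.usePrivateKeyFile(keyFile);

    // Pass the peer name explicitly: it is what the hostname check (and SNI)
    // is performed against. The regression discussed above was hit when this
    // argument was left empty.
    return createTLSStream(tcp, ctx, TLSStreamState.connecting, host);
}

void main()
{
    auto stream = connectValidated("gateway.sandbox.push.apple.com", 2195,
                                   "ca.pem", "cert.pem", "key.pem");
    // ... write the APNS frames to `stream` here ...
    stream.finalize();
}
```

If the handshake then fails with validation enabled, the error distinguishes a trust problem (wrong CA file, name mismatch) from the tunnel setup problem reported in the thread, which is the diagnostic signal the original TLSPeerValidationMode.none setting hides.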