yglukhov / nimx

GUI library

Collisions on SSL_connect (openssl.nim)

alexisad opened this issue · comments

Simple code:

import httpclient
import nimx/window

var client = newHttpClient()
discard client.get("https://account.api.here.com/oauth2/token")

Getting error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure [SslError]
because ret == 0 after: ret = SSL_connect(socket.sslHandle) but should be ret == 1

But this error happens only when these 3 conditions hold together:

  1. on macOS "Big Sur 11.0.1" (it causes the error on another macOS too: https://forum.nim-lang.org/t/7018#44069)
  2. for the URL "https://account.api.here.com/oauth2/token"
  3. if "import nimx" is in the code (if you comment it out like #import nimx/window then SSL_connect works)

Please, any suggestions/workaround...

Changed code - nimx/image instead of nimx/window:

import httpclient
import nimx/image

var client = newHttpClient()
discard client.get("https://account.api.here.com/oauth2/token")

Getting the same error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure [SslError]

I used Wireshark to see what happens during the handshake: with nimx/image the Client Hello sends only 3 cipher suites, but these suites don't exist on the server (account.api.here.com), therefore the server doesn't send Hello Client.

But when I changed the code a little bit in the image.nim file, on the line

when asyncResourceLoad:

to:

when not asyncResourceLoad:

then after compiling, the Client Hello sends 9 (!) cipher suites and in this case the server sends Hello Client successfully.
The code below does nothing at run time, but why does it cause issues with the count of ciphers used?:

            var ctx: ImageLoadingCtx
            ctx.new()
            ctx.url = url
            ctx.completionCallback = handler
            when not loadAsyncTextureInMainThread:
                let curWnd = glGetCurrentWindow()
                if threadCtx.isNil:
                    let curCtx = glGetCurrentContext()
                    threadCtx = glCreateContext(curWnd)
                    discard glMakeCurrent(curWnd, curCtx)

                ctx.glCtx = threadCtx
                doAssert(not ctx.glCtx.isNil)
                ctx.wnd = curWnd
            GC_ref(ctx)

            if loadingQueue.isNil:
                loadingQueue = newWorkerQueue(1)

            loadingQueue.addTask(loadResourceThreaded, cast[pointer](ctx))

That's a mysterious one, and thanks for looking into that. Unfortunately I can reproduce it neither on Linux nor on Big Sur 11.1. Moreover, I don't have any clue why that could happen. Nimx images use https://github.com/yglukhov/async_http_request to load images over https, but inspecting that module I see no reason for it to interfere with the default httpclient's one. So you might want to look that way.
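
The Wireshark comparison described in the thread (3 versus 9 offered cipher suites) can be scripted. This is an added example, not part of the original issue or of nimx: it parses one raw ClientHello record exported from a capture and intersects the offer with a server's supported set. The sample records, the server set, and all function names are constructed for illustration, since the thread does not list the actual suites; it assumes the ClientHello fits in a single TLS record.

```python
import struct

def offered_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                      # client_version + random
    if len(hello) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                             # skip session_id
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or len(hello) < pos + cs_len:
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(hello[i:i + 2], "big")
            for i in range(pos, pos + cs_len, 2)]

def shared_suites(record: bytes, server_supported: set) -> list:
    """Suites both sides accept; an empty list means the server can only alert."""
    return [s for s in offered_suites(record) if s in server_supported]

def build_client_hello(suites: list) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello without extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")  # suites, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed inputs (not the suites from the thread, which are not listed there).
THREE = build_client_hello([0x002F, 0x0035, 0x000A])
NINE = build_client_hello([0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9,
                           0xCCA8, 0x009C, 0x009D, 0x002F])
SERVER_SUPPORTED = {0xC02F, 0xC030}                   # hypothetical server policy

if __name__ == "__main__":
    for label, rec in (("3-suite hello", THREE), ("9-suite hello", NINE)):
        common = shared_suites(rec, SERVER_SUPPORTED)
        verdict = "handshake can proceed" if common else "expect handshake_failure alert"
        print(label, [hex(s) for s in offered_suites(rec)], "->", verdict)
```

Running the same check against both builds of a binary (with and without the import) shows whether the offered list itself changed, which separates a cipher-configuration difference from a server-side or network cause.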