Collisions on SSL_connect (openssl.nim)
alexisad opened this issue
Simple code:
import httpclient
import nimx/window
var client = newHttpClient()
discard client.get("https://account.api.here.com/oauth2/token")
Getting error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure [SslError]
because ret == 0 after: ret = SSL_connect(socket.sslHandle)
but should be ret == 1
But this error happens only when 3 conditions hold together:
- on macOS "Big Sur 11.0.1" (it causes the error on another macOS too: https://forum.nim-lang.org/t/7018#44069)
- For URL "https://account.api.here.com/oauth2/token"
- if "import nimx" is in the code (if you comment it out, like #import nimx/window, then SSL_connect works)
Please, any suggestions/workaround...
Changed code - nimx/image instead of nimx/window:
import httpclient
import nimx/image
var client = newHttpClient()
discard client.get("https://account.api.here.com/oauth2/token")
Getting the same error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure [SslError]
I used Wireshark to see what happens during the handshake: with nimx/image, the Client Hello sends only 3 cipher suites, but these suites don't exist on the server (account.api.here.com), therefore the server doesn't send Hello Client.
But when I changed the code a little in the image.nim file, on line
Line 633 in 4034e61
to:
when not asyncResourceLoad:
then after compiling, the Client Hello sends 9 (!) cipher suites, and in this case the server sends Hello Client successfully.
The code below does nothing at run time, but why does it cause issues with the count of ciphers used?
var ctx: ImageLoadingCtx
ctx.new()
ctx.url = url
ctx.completionCallback = handler
when not loadAsyncTextureInMainThread:
    let curWnd = glGetCurrentWindow()
    if threadCtx.isNil:
        let curCtx = glGetCurrentContext()
        threadCtx = glCreateContext(curWnd)
        discard glMakeCurrent(curWnd, curCtx)
    ctx.glCtx = threadCtx
    doAssert(not ctx.glCtx.isNil)
    ctx.wnd = curWnd
GC_ref(ctx)
if loadingQueue.isNil:
    loadingQueue = newWorkerQueue(1)
loadingQueue.addTask(loadResourceThreaded, cast[pointer](ctx))
That's a mysterious one, and thanks for looking into that. Unfortunately I can reproduce it neither on Linux nor on Big Sur 11.1. Moreover, I don't have any clue why that could happen. Nimx images use https://github.com/yglukhov/async_http_request to load images over https, but inspecting that module I see no reason for it to interfere with the default httpclient's one. So you might want to look that way.