Mirror of forum.nim-lang.org

7018 :: SSL error using httpClient

• drkameleon (orginal) [2020-10-31T09:25:00+01:00] view original

  I don't think it's httpClient-related, but I'm quite confused as to what this means.

  Basically, I'm using httpClient to download a file:

  let got = newHttpClient().getContent(url)
  Run

  and I get this:

  
  net.nim(506)             raiseSSLError
  httpclient.nim(891)      newConnection
  Error: unhandled exception: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure [SslError]
  Run

  What is going on?

  I think the issue might be with a specific url - I've tried with http: and https: but to no avail.

  Ideas?

---

• leorize (orginal) [2020-10-31T09:55:51+01:00] view original

  What OS are you running? And what is your OpenSSL/LibreSSL version?

---

• drkameleon (orginal) [2020-10-31T10:01:57+01:00] view original

  macOS 10.15.7 (Catalina) and LibreSSL 2.8.3

---

• mashingan (orginal) [2020-10-31T10:14:21+01:00] view original

  For Nim v1.4.0, the proc net.newContext has changed the interface with keys and certificates related files. You have to download the certificates pem files for example here: https://curl.haxx.se/docs/caextract.html and you can do

  import httpclient, net
  
  let ctx = newContext(cafile ="cacert.pem")
  let client = newHttpClient(sslContext = ctx)
  echo client.getContent("https://nim-lang.org")
  Run

  In case you don't have control with the certificates, you can resort to CVerifyNone , change the context initiation above with let ctx = newContext(verifyMode = CVerifyNone) (this is discouraged but it'll be helpful when in development and you can't be bothered with).

  For older Nim version, or any version with newContext hasn't supported selecting the cert, you can workaround like this:

  import net, httpclient, openssl
  
  proc setBundle(ctx: SSlCtx, cabundle: cstring) =
    discard ctx.SSL_CTX_load_verify_locations(cabundle, nil)
  
  var ctx = newContext()
  ctx.context.setBundle("cacert.pem")
  var sslClient = newHttpClient(sslContext = ctx)
  echo sslClient.getContent("https://nim-lang.org")
  Run

  The above should handle the value returned from openssl.SSL_CTX_LOAD but I didn't put it in the example. You can see the openssl manual for that. Note that this workaround is only for client, not for server.

---

• drkameleon (orginal) [2020-10-31T10:29:09+01:00] view original

  Thanks a lot for the input.

  Unfortunately, I just tried everything you said and it's still not working.

  P.S. I'm by no means an expert at SSL, so I'm a bit ... lost

---

• drkameleon (orginal) [2020-10-31T10:53:03+01:00] view original

  I tried upgrading via Homebrew too.

  Now, I have:

  
  OpenSSL 1.1.1h  22 Sep 2020
  Run

  However, it's still not working.

  Here's the stack trace:

  
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/httpclient.nim(1095) getContent
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/httpclient.nim(1090) get
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/httpclient.nim(1066) request
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/httpclient.nim(1050) request
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/httpclient.nim(992) requestAux
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/httpclient.nim(887) newConnection
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/net.nim(789) wrapConnectedSocket
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/net.nim(901) socketError
  /usr/local/Cellar/nim/1.4.0/nim/lib/pure/net.nim(506) raiseSSLError
  Run

---

• drkameleon (orginal) [2020-10-31T11:31:42+01:00] view original

  Well, I think I've finally "solved" it:

  The error had nothing to do, neither with Nim, nor my code, or my local openssl configuration. The problem was with a particular server (I guess).

  I was trying to directly download a file from raw.githubusercontent.com...

---

• ggibson (orginal) [2020-10-31T16:51:34+01:00] view original

  I had the same issue, maybe. Github was forcefully promoting the connection to https and a certain certificate I didn't know how to handle. I needed a small statically compiled in SSL library so cobbled together an ersatz one from someone else's minimal c library. It's here on github in one of my projects if you might find it useful.

---

• alexsad (orginal) [2021-02-01T13:28:00+01:00] view original

  Simple code:

  import httpclient
  import nimx/window
  
  var client = newHttpClient()
  discard client.get("https://account.api.here.com/oauth2/token")
  
  Run

  Getting error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure [SslError] because ret == 0 after: ret = SSL_connect(socket.sslHandle) but should be ret == 1

  But this error happens only in case (3 conditions together):

  1. on MacOS "Big Sur 11.0.1" (on MacOS Mojave 10.14.6 works without any issues)
  2. For URL "https://account.api.here.com/oauth2/token"
  3. if "import nimx" in the code (also posted on https://github.com/yglukhov/nimx/issues/464)

  Please, any suggestions/workaround...

---

• Chat_noir (orginal) [2021-08-20T14:13:33+02:00] view original

  Same issue on [Termux: Android trminal emu]

  https://forum.nim-lang.org/t/8345#53796

  error: SSL routines:tls_process_server_certificate:certificate verify failed [SslError]

  
  import httpclient
  var client = newHttpClient()
  echo client.getContent("https://google.com")
  Run

  
  c -r -d:ssl httpreq.nim
  Run

  I would like to know how to set CA on Nim environment.

---