status-im/nim-chronos
2
0
Fork 0
mirror of https://github.com/status-im/nim-chronos.git synced 2025-02-03 06:54:10 +00:00
Code Issues Projects Releases Wiki Activity

Fix NoVerifyServerName do not actually disables SNI extension. (#423)

Browse Source 
Fix HTTP client SSL/TLS error information is now part of connection error exception.
This commit is contained in:
Eugene Kabanov 2023-07-23 19:40:57 +03:00 committed by GitHub
parent 0277b65be2
commit f91ac169dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
chronos/apps/http/httpclient.nim
View File

@ -523,7 +523,7 @@ proc connect(session: HttpSessionRef,
ha: HttpAddress): Future[HttpClientConnectionRef] {.async.} = ha: HttpAddress): Future[HttpClientConnectionRef] {.async.} =
## Establish new connection with remote server using ``url`` and ``flags``. ## Establish new connection with remote server using ``url`` and ``flags``.
## On success returns ``HttpClientConnectionRef`` object. ## On success returns ``HttpClientConnectionRef`` object.
var lastError = ""
# Here we trying to connect to every possible remote host address we got after # Here we trying to connect to every possible remote host address we got after
# DNS resolution. # DNS resolution.
for address in ha.addresses: for address in ha.addresses:
@ -547,9 +547,14 @@ proc connect(session: HttpSessionRef,
except CancelledError as exc: except CancelledError as exc:
await res.closeWait() await res.closeWait()
raise exc raise exc
except AsyncStreamError: except TLSStreamProtocolError as exc:
await res.closeWait() await res.closeWait()
res.state = HttpClientConnectionState.Error res.state = HttpClientConnectionState.Error
lastError = $exc.msg
except AsyncStreamError as exc:
await res.closeWait()
res.state = HttpClientConnectionState.Error
lastError = $exc.msg
of HttpClientScheme.Nonsecure: of HttpClientScheme.Nonsecure:
res.state = HttpClientConnectionState.Ready res.state = HttpClientConnectionState.Ready
res res
@ -557,6 +562,10 @@ proc connect(session: HttpSessionRef,
return conn return conn
# If all attempts to connect to the remote host have failed. # If all attempts to connect to the remote host have failed.
if len(lastError) > 0:
raiseHttpConnectionError("Could not connect to remote host, reason: " &
lastError)
else:
raiseHttpConnectionError("Could not connect to remote host") raiseHttpConnectionError("Could not connect to remote host")
proc removeConnection(session: HttpSessionRef, proc removeConnection(session: HttpSessionRef,

19
chronos/streams/tlsstream.nim
View File

@ -95,6 +95,7 @@ type
trustAnchors: TrustAnchorStore trustAnchors: TrustAnchorStore
SomeTLSStreamType* = TLSStreamReader|TLSStreamWriter|TLSAsyncStream SomeTLSStreamType* = TLSStreamReader|TLSStreamWriter|TLSAsyncStream
SomeTrustAnchorType* = TrustAnchorStore | openArray[X509TrustAnchor]
TLSStreamError* = object of AsyncStreamError TLSStreamError* = object of AsyncStreamError
TLSStreamHandshakeError* = object of TLSStreamError TLSStreamHandshakeError* = object of TLSStreamError
@ -139,12 +140,14 @@ proc newTLSStreamProtocolError[T](message: T): ref TLSStreamProtocolError =
proc raiseTLSStreamProtocolError[T](message: T) {.noreturn, noinline.} = proc raiseTLSStreamProtocolError[T](message: T) {.noreturn, noinline.} =
raise newTLSStreamProtocolImpl(message) raise newTLSStreamProtocolImpl(message)
proc new*(T: typedesc[TrustAnchorStore], anchors: openArray[X509TrustAnchor]): TrustAnchorStore = proc new*(T: typedesc[TrustAnchorStore],
anchors: openArray[X509TrustAnchor]): TrustAnchorStore =
var res: seq[X509TrustAnchor] var res: seq[X509TrustAnchor]
for anchor in anchors: for anchor in anchors:
res.add(anchor) res.add(anchor)
doAssert(unsafeAddr(anchor) != unsafeAddr(res[^1]), "Anchors should be copied") doAssert(unsafeAddr(anchor) != unsafeAddr(res[^1]),
return TrustAnchorStore(anchors: res) "Anchors should be copied")
TrustAnchorStore(anchors: res)
proc tlsWriteRec(engine: ptr SslEngineContext, proc tlsWriteRec(engine: ptr SslEngineContext,
writer: TLSStreamWriter): Future[TLSResult] {.async.} = writer: TLSStreamWriter): Future[TLSResult] {.async.} =
@ -453,14 +456,15 @@ proc getSignerAlgo(xc: X509Certificate): int =
else: else:
int(x509DecoderGetSignerKeyType(dc)) int(x509DecoderGetSignerKeyType(dc))
proc newTLSClientAsyncStream*(rsource: AsyncStreamReader, proc newTLSClientAsyncStream*(
rsource: AsyncStreamReader,
wsource: AsyncStreamWriter, wsource: AsyncStreamWriter,
serverName: string, serverName: string,
bufferSize = SSL_BUFSIZE_BIDI, bufferSize = SSL_BUFSIZE_BIDI,
minVersion = TLSVersion.TLS12, minVersion = TLSVersion.TLS12,
maxVersion = TLSVersion.TLS12, maxVersion = TLSVersion.TLS12,
flags: set[TLSFlags] = {}, flags: set[TLSFlags] = {},
trustAnchors: TrustAnchorStore | openArray[X509TrustAnchor] = MozillaTrustAnchors trustAnchors: SomeTrustAnchorType = MozillaTrustAnchors
): TLSAsyncStream = ): TLSAsyncStream =
## Create new TLS asynchronous stream for outbound (client) connections ## Create new TLS asynchronous stream for outbound (client) connections
## using reading stream ``rsource`` and writing stream ``wsource``. ## using reading stream ``rsource`` and writing stream ``wsource``.
@ -484,7 +488,8 @@ proc newTLSClientAsyncStream*(rsource: AsyncStreamReader,
## a ``TrustAnchorStore`` you should reuse the same instance for ## a ``TrustAnchorStore`` you should reuse the same instance for
## every call to avoid making a copy of the trust anchors per call. ## every call to avoid making a copy of the trust anchors per call.
when trustAnchors is TrustAnchorStore: when trustAnchors is TrustAnchorStore:
doAssert(len(trustAnchors.anchors) > 0, "Empty trust anchor list is invalid") doAssert(len(trustAnchors.anchors) > 0,
"Empty trust anchor list is invalid")
else: else:
doAssert(len(trustAnchors) > 0, "Empty trust anchor list is invalid") doAssert(len(trustAnchors) > 0, "Empty trust anchor list is invalid")
var res = TLSAsyncStream() var res = TLSAsyncStream()
@ -524,7 +529,7 @@ proc newTLSClientAsyncStream*(rsource: AsyncStreamReader,
uint16(maxVersion)) uint16(maxVersion))
if TLSFlags.NoVerifyServerName in flags: if TLSFlags.NoVerifyServerName in flags:
let err = sslClientReset(res.ccontext, "", 0) let err = sslClientReset(res.ccontext, nil, 0)
if err == 0: if err == 0:
raise newException(TLSStreamInitError, "Could not initialize TLS layer") raise newException(TLSStreamInitError, "Could not initialize TLS layer")
else: else: