|
2025-10-11
| ||
| 22:26 | • Closed ticket [799aae4e72]: http::geturl hangs if certificate verify failed plus 4 other changes artifact: 53a46f39b8 user: bohagan | |
|
2022-08-28
| ||
| 21:56 | • Ticket [799aae4e72]: 5 changes artifact: 543e5574bd user: anonymous | |
|
2019-12-13
| ||
| 10:13 | • New ticket [799aae4e72]. artifact: ea605ef836 user: anonymous | |
| Ticket Hash: | 799aae4e72a7c137979ba791698b79d610ad5119 | ||
| Title: | http::geturl hangs if certificate verify failed | ||
| Status: | Closed | Type: | Code Defect |
| Severity: | Severe | Priority: | Immediate |
| Subsystem: | Resolution: | Fixed | |
| Last Modified: |
2025-10-11 22:26:44 19.4 days ago |
Created: |
2019-12-13 10:13:19 5.88 years ago |
| Version Found In: | >1.7.3 | ||
| User Comments: | ||||
anonymous added on 2019-12-13 10:13:19:
The problem is more severe the older the http package is, but in its less critical form, it hangs when performing a post:
```
package require tls
package require http
http::register https 443 tls::socket
proc ::tls::log {level msg} {
puts ">>>> $msg"
}
#set ::tls::debug 1
tls::init -cafile /tmp/kk.ca -tls1 true -require 1 -request 1
http::geturl https://self-signed.badssl.com -query a=b
puts OK
```
It shows:
```
VerifyCallback 1
VerifyCallback checking
VerifyCallback null callback
VerifyCallback returnning ok=0
SSL channel "sock5": error: certificate verify failed
<----- here it hangs
```
If instead of performing a POST, we use GET, it does not hang:
```
VerifyCallback 1
VerifyCallback checking
VerifyCallback null callback
VerifyCallback returnning ok=0
error flushing "sock5": connection reset by peer
while executing
"http::geturl https://self-signed.badssl.com"
(file "check.tcl" line 18)
```
But is just because in http module, the socket is flushed, and it fails:
```
if {$isQuery || $isQueryChannel} {
...
puts $sock ""
fconfigure $sock -translation {auto binary}
fileevent $sock writable [list http::Write $token]
} else {
puts $sock ""
flush $sock
fileevent $sock readable [list http::Event $sock $token]
}
```
On isQuery mode (POST), there is no flush to trigger an error so it hangs.
I tracked the error to this commit:
https://core.tcl-lang.org/tcltls/info/7df7a8696e009447
From that commit onwards, it always hangs.
anonymous added on 2022-08-28 21:56:25:
I'm getting the same issue but with the ldap module when verify certificate option is enabled. Is there a workaround ? Disabling verify permanently is a security issue. bohagan added on 2025-10-11 22:26:44:
This is fixed in the tcltls 2.0 release. See BadSSL test cases for examples of certificate verification errors and their return values. | ||||