
ssl_peer_certificate/2 does not work for some streams #107

Closed
triska opened this issue Jun 25, 2017 · 3 comments
Comments

@triska
Member

triska commented Jun 25, 2017

We ran into this problem as part of #102. Please consider the following code:

:- use_module(library(http/http_open)).

uri_location(Uri, Code-Location, In) :-
        http_open(Uri, In, [redirect(false),
                            header(location, Location),
                            status_code(Code)]).

The following works exactly as expected to obtain the certificate of www.aap.nl:

?- uri_location('https://www.aap.nl', Cs, In),
   ssl_peer_certificate(In, Cert).

However, the following slightly modified URL no longer works:

?- uri_location('https://www.aap.nl/nl', Cs, In),
   ssl_peer_certificate(In, Cert).

This yields:

ERROR: Domain error: `ssl_stream' expected, found `(0x7fba82657440)'
ERROR: In:
ERROR:    [9] ssl:ssl_peer_certificate((0x7fba82657440),_13520)
ERROR:    [7] 

Since the host is exactly the same (www.aap.nl), we expect the exact same behaviour for ssl_peer_certificate/2.

@JanWielemaker
Member

The problem is that the stream returned by http_open/3 is not always the SSL stream(-pair). Notably, if Keep-alive is enabled it is a range_stream, and if chunked encoding (this case) is used it is a chunked stream. In the future we're more likely to see more than less of these filter streams.

Now there are some options. One is to make ssl_peer_certificate/2 follow the chain of upstream streams to find the SSL stream. The other is to add something to the HTTPS options of http_open/3 to get the peer certificate. It seems the latter could be done inside the HTTPS http_protocol_hook/5. I do not have a clear preference.
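
The layering described above means a caller who wants to inspect the peer certificate after connecting (for example to compare the certificate's subject against the host it asked for) has to expect that the stream it holds may be a filter stream rather than the SSL stream. The following is an added illustration, not code from this thread or from the SWI-Prolog project: it wraps http_open/3 and ssl_peer_certificate/2, catches the exact domain error reported in this issue, and turns it into a warning so the failure mode is visible rather than an uncaught error. It assumes that ssl_peer_certificate/2 returns a list of terms containing subject(Subject) with Subject a list of Key=Value pairs, and that the URI's authority is a bare host name; the predicate names uri_peer_cn/2, peer_cn/2 and check_host/1 are hypothetical.

```prolog
:- use_module(library(http/http_open)).
:- use_module(library(ssl)).
:- use_module(library(uri)).

%! uri_peer_cn(+Uri, -CN) is semidet.
%
%  Open Uri without following redirects and unify CN with the Common
%  Name of the peer certificate.  When http_open/3 hands back a filter
%  stream (chunked or range stream) instead of the SSL stream, the
%  domain error from this issue is caught and reported as a warning
%  so that callers can see why the certificate was not inspected.
uri_peer_cn(Uri, CN) :-
    setup_call_cleanup(
        http_open(Uri, In, [redirect(false)]),
        catch(peer_cn(In, CN),
              error(domain_error(ssl_stream, _), _),
              ( print_message(warning,
                    format("~w: stream is not an SSL stream, certificate not inspected",
                           [Uri])),
                fail )),
        close(In)).

% Assumption: ssl_peer_certificate/2 yields a list of terms including
% subject(Subject), where Subject is a list of Key=Value pairs.
peer_cn(In, CN) :-
    ssl_peer_certificate(In, Cert),
    memberchk(subject(Subject), Cert),
    memberchk('CN'=CN, Subject).

%! check_host(+Uri) is semidet.
%
%  Succeed only when the certificate CN equals the authority of Uri.
%  Assumption: the authority is a bare host (no port or userinfo).
%  This is deliberately strict: wildcard names and subjectAltName
%  entries are not considered here.
check_host(Uri) :-
    uri_components(Uri, Components),
    uri_data(authority, Components, Host),
    uri_peer_cn(Uri, CN),
    (   CN == Host
    ->  true
    ;   print_message(warning,
            format("~w: certificate CN ~w does not match host ~w", [Uri, CN, Host])),
        fail
    ).
```

With the behaviour described in this issue, check_host('https://www.aap.nl') would reach the comparison, while check_host('https://www.aap.nl/nl') would print the warning and fail because the chunked stream is not recognised as an SSL stream; once ssl_peer_certificate/2 follows the stream chain upstream, both calls behave the same.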

@triska
Member Author

triska commented Jun 25, 2017

To me, at least from a first look, making ssl4pl.c automatically follow the streams upstream seems preferable. This is because only one stream is typically of interest to users (namely that which they actually use to communicate with the peer), and having to deal with two or even more separate streams for different purposes seems cumbersome and error-prone, especially if they arise implicitly and are naturally chained together, as in this case.

Please note that both ssl_peer_certificate/2 and ssl_peer_certificate_chain/2 are affected.

@JanWielemaker
Member

Surely it does no harm. Pushed 96c80cd that fixes this example.
