TCP/IP bounty beta release
Chris Mahoney (1684) 2160 posts |
Is there some magic required with RMEnsure/RMLoad to get everything working correctly? I’ve been trying to figure out why my test app was intermittently failing to show the “unverified certificate” window (instead, it times out after 30 seconds). I’m calling the URL SWIs and am not touching AcornSSL or AcornHTTP directly.
I’ve found that if I RMEnsure/RMLoad the modules then I don’t get the certificate window. However, if I manually open up !System and double-click on the three modules individually then everything works as expected. If I RMLoad
    RMEnsure AcornHTTP 0.98 RMLoad System:Modules.Network.URL.AcornHTTP
    RMEnsure URL_Fetcher 0.00 RMLoad System:Modules.Network.URL.URL
    RMEnsure AcornSSL 1.00 RMLoad System:Modules.Network.URL.AcornSSL
*Help Modules confirms that the modules are running so I’m a bit lost! Any suggestions?
Edit: Naturally I figured it out right after posting. It’s great how describing a problem can make you see it more clearly. The trick is to RMRun AcornSSL, not RMLoad it.
Edit 2: It ate part of the text above, but the main points are still there :) |
Martin Avison (27) 1479 posts |
If it is the case that AcornSSL requires an RMRun rather than RMLoad, it should be included in the documentation. Certainly RMRun starts up the AcornSSL task that RMLoad does not – I had always assumed that it would be started only when required. Are there any suggested URLs to test with which result in the various different certificate errors? |
Martin Avison (27) 1479 posts |
I found a site https://badssl.com which seemed to have a collection of bad certificates. The ones I have tried work or fail as expected on Netsurf and other browsers. However, when I changed the example HTTP_Client host$ and path$ to use the site, I noticed that even the base badssl.com certificate was queried, and all certificate details given were identical regardless of the variation. Which confused me! Two example logs from HTTP_Client are:
The dialogue box displays the same data – albeit rather truncated. The View button just displays the encrypted certificate – which does not seem much use. According to Chrome the validity dates should be Please can anyone either verify my findings, or explain them? |
Rick Murray (539) 13750 posts |
I think the error may be telling you… badssl-fallback-unknown-subdomain-or-no-sni There’s a newish SWI to tell AcornSSL the name of the remote host. Has the client example program been updated to use it? Does it even send valid requests yet? ;-) |
Martin Avison (27) 1479 posts |
Thanks Rick – adding AcornSSL_SetSessionHost does seem to have fixed it. The dialog box only showed |
Martin Avison (27) 1479 posts |
In case others have not noticed, there is a subtle facility of the ‘Unverified certificate chain’ dialogue. When there are higher-level certificates in the chain, the ‘issued by’ icon at the top has a raised instead of sunken border, and when the raised icon is clicked another dialogue box opens with the next certificate up in the chain. Only the highest level displayed has Input Focus and the Accept button enabled. Can/should SetSessionHost be used for all connections in case SNI is used? |
Steve Revill (20) 1361 posts |
Beta4 is now available from the usual place.
|
Chris Mahoney (1684) 2160 posts |
Thanks! I can confirm that it’ll now “silently” talk to a Hue bridge in HTTPS mode and can therefore be called by a timer. Excellent. I see that the certificate exceptions go into Choices so they’ll survive !Boot updates. Also good news :) |
Martin Avison (27) 1479 posts |
Should AcornSSL_ConfigureSession,0 to SetSessionHost be used for all HTTPS sockets in case it is required? I ask because I have had cases where Error=&813F27 Handshake error (state 30,592) seems to be returned from non-SNI sites. Or is this an error to be ignored? Which leads to the next observation: the new Beta4 information about the range of AcornSSL specific errors is useful … but a list of the meanings of the errors would be even more useful! [edited 25/10/2018 to correct typo] |
Sprow (202) 1150 posts |
Assuming Wikipedia is truthful, SNI is an optional extension that happens right at the start of the secure handshake, so no, there wouldn’t be a way to find out because it’s the first thing that happens. Therefore, you might as well speculatively call SetSessionHost since the worst that could happen is it might not get used.
Open ResourceFS and look at the AcornSSL messages file if you want a list of errors. Even 3 classes is excessive; really there’s Unix errors or RISC OS errors, that’s yer lot. |
Matthew Phillips (473) 714 posts |
Hope that’s just Martin’s typo rather than something in the module. |
Martin Avison (27) 1479 posts |
Ooops – now corrected. |
Martin Avison (27) 1479 posts |
If we assume E00 to E09 message tokens map to &813F20 – &813F29 it may be a start. |
Alan Wrigley (6066) 1 post |
Well Beta4 is helping me make progress with Hermes at last. But a couple of questions: firstly, does anyone else use MSG_PEEK? It’s supposed to work in this version but I can’t get it to do so. It just behaves like a normal read – i.e. it reads the data and then removes it from the socket, whereas what it should do is leave it there for a subsequent read.
Secondly, has anyone yet come up with a definitive list of which of the cryptic error messages can safely be ignored? (And if ROOL don’t think that “Socket error (code 76)” is cryptic then I must be on a different planet). I’m getting quite a few &813F26 (with the above error) which as far as I can see is an alternative to EWOULDBLOCK and there appear to be no side-effects from ignoring it.
One little thing I’ve found: if you use Socket_Creat followed by AcornSSL_CreateSession (in order to use SocketWatch as detailed elsewhere by Martin), then to get the socket to be non-blocking you have to call Socket_Ioctl before CreateSession, rather than AcornSSL_Ioctl after it, otherwise it blocks horribly. |
Steve Revill (20) 1361 posts |
Beta5 is now available from the usual place.
|
Martin Avison (27) 1479 posts |
Thanks for beta5 – I notice the module version is now v1.01 which is useful.
If I just want to change the hostname, what value should SOL_SOCKET be? |
Rick Murray (539) 13750 posts |
That sounds like a good compromise. |
Martin Avison (27) 1479 posts |
I eventually found the value in AcornC/C++.Export.APCS-32.Lib.TCPIPLibs.sys.h.socket |
Chris Mahoney (1684) 2160 posts |
Fortunately it seems that mbed TLS upgrades are easy to drop in! |
Martin Avison (27) 1479 posts |
What is the best way to RMEnsure AcornSSL in an Obey file?
Which should be used? Or any other suggestions? |
Jon Abbott (1421) 2640 posts |
RMLoad it before the desktop starts? |
Frank de Bruijn (160) 228 posts |
Hmmmm… Hadn’t noticed that.
But it makes the desktop ‘flash’. I think I’ll use |
Rick Murray (539) 13750 posts |
…and ask the module’s author to please sort this out. If there’s a desktop component to the module, it should be the responsibility of the module to start that, not every application author. See here: https://www.riscosopen.org/forum/forums/11/topics/12341#posts-84315 |
Martin Avison (27) 1479 posts |
But it is normal for apps to do RMEnsures in their !Run files to determine if the correct version of a module for the app is available, and to load it if necessary, giving an error if not available. That is what I am trying to resolve. |
Steve Pampling (1551) 8125 posts |
I’m with Rick on this one. In essence the module is currently broken. |