Provide lwt_ssl for encrypted connection #21
Conversation
First: I'd be really happy if irc-client had SSL support, so thanks! I did not read in detail, but it looks like there is no certificate checking (which might be fine) and that it relies on old versions of SSL (
Sorry for the late answer. Regarding the SSL version, I think I ran into problems with newer versions. I think we could make this module a functor taking the SSL version as an argument.
Ok, I suppose it's fine for the certificates then! It would indeed be nice to be able to pass
out of curiosity, where does the certificate checking happen? I cannot find it in the code of this PR, is there some magic in Lwt_ssl (or ocaml-ssl) which loads the trust store? (examples from ocaml-ssl call out to regarding versions: you have to decide whether you want to have proper crypto (AEAD ciphers and TLS-1.2) or not (all previous versions).
Hum, you are right, I misunderstood the libssl library then. According to this page, https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html (and I suppose that the default behavior is SSL_VERIFY_NONE, but that's not clear), it seems that the default behavior is to check the certificate but continue even if it fails. Then I will change that to be a functor taking the TLS version and a boolean to indicate that the certificate should be checked as arguments.
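The functor sketched in the comment above, as an added example that is not part of this PR: it takes the protocol version and a verify flag, and when verification is requested it switches the context from the library default (SSL_VERIFY_NONE, which records a failed chain but carries on) to `Verify_peer`, which aborts the handshake instead. Names `CONFIG`, `Make`, `ca_file` and the `chat.freenode.net` usage are assumptions; the `Ssl` and `Lwt_ssl` calls are those of ocaml-ssl and lwt_ssl as I know them, and the hostname-match caveat in the comments is an assumption about that API, not something the thread states.

```ocaml
(* Added example, not the PR's code. Assumed signature: protocol, verify flag, CA bundle path. *)
module type CONFIG = sig
  val protocol : Ssl.protocol  (* e.g. Ssl.TLSv1_2, as the thread recommends *)
  val verify_peer : bool       (* true: fail the handshake on an untrusted chain *)
  val ca_file : string         (* CA bundle, e.g. /etc/ssl/certs/ca-certificates.crt *)
end

module Make (C : CONFIG) = struct
  let context () =
    Ssl.init ();
    let ctx = Ssl.create_context C.protocol Ssl.Client_context in
    if C.verify_peer then begin
      (* Verify_peer maps to SSL_VERIFY_PEER: the handshake fails on a bad chain
         instead of merely noting the failure, which is the SSL_VERIFY_NONE default. *)
      Ssl.set_verify ctx [Ssl.Verify_peer] None;
      (* Empty capath: only the bundle file is used as trust store. *)
      Ssl.load_verify_locations ctx C.ca_file ""
    end;
    ctx

  (* Resolve, TCP-connect, then wrap the fd in TLS with the configured context. *)
  let connect host port =
    let open Lwt.Infix in
    Lwt_unix.getaddrinfo host (string_of_int port)
      [Lwt_unix.AI_SOCKTYPE Lwt_unix.SOCK_STREAM]
    >>= function
    | [] -> Lwt.fail_with ("cannot resolve " ^ host)
    | ai :: _ ->
      let fd = Lwt_unix.socket ai.Lwt_unix.ai_family ai.Lwt_unix.ai_socktype 0 in
      Lwt_unix.connect fd ai.Lwt_unix.ai_addr >>= fun () ->
      Lwt_ssl.ssl_connect fd (context ()) >>= fun sock ->
      (* Second check after the handshake: X509_V_OK is 0. This confirms the chain
         only; whether the certificate name matches [host] is not checked here
         (assumption: this ocaml-ssl API offers no hostname check), so a caller
         that needs that must add it. *)
      match Lwt_ssl.ssl_socket sock with
      | Some s when Ssl.get_verify_result s <> 0 ->
        Lwt_ssl.close sock >>= fun () ->
        Lwt.fail_with "certificate verification failed"
      | _ -> Lwt.return sock
end

(* Assumed usage matching the test in this thread: TLS 1.2, verification on. *)
module Irc_tls = Make (struct
  let protocol = Ssl.TLSv1_2
  let verify_peer = true
  let ca_file = "/etc/ssl/certs/ca-certificates.crt"
end)

let () = Lwt_main.run (Irc_tls.connect "chat.freenode.net" 6697 >|= fun _ -> ())
```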
…ate and specify the ssl version
I just updated the PR with the discussed changes.
I gave a try to the test bot (on commit c30bd04), as follows: ./example3.byte -host chat.freenode.net -chan '##testocamlirc' -port 6697 and get an error:
Any idea why this fails? Is there some check missing, or is some specific IRC message related to ssl connections missing?
Humpf, I tried on my macbook at work and it seemed to work, although I have the same issue now on my laptop :( So, I investigated that, and I have no idea how to make it work; if you take a look at the example (the only one for ocaml ssl I am aware of?) https://github.com/savonet/ocaml-ssl/blob/master/examples/stelnet.ml, and launch it with chat.freenode.net and 6697, it does not work either. I do not know whether I did something wrong when I tried on the mac, or if it is a linux-specific problem.
This is quite puzzling, maybe @smimram would have an idea?
So, should we escalate this to ocaml-tls? Unless we missed something in the documentation...
@xapantu for me the
(jumping into this discussion again: using
thus, the certificate chain of
Someone suggested, on #OCaml, that we use |
Well, when I looked for ssl libraries, it did not look very finished. In the readme of ocaml-tls:
However, it's unclear whether an irc-client can be considered as a critical application…
@xapantu indeed, although ocaml-tls seems reasonably robust. Arguably, some TLS is better than no TLS in both cases, and since we cannot seem to make
That's me (one of the authors of OCaml-TLS), maybe we should rephrase. In a similar project jackline, an XMPP client, I'm using OCaml-TLS already. It is also serving several websites, such as https://mirage.io https://nqsb.io - and works reliably there. Also, our Piñata is still up and holding the 10 BTC. But code reviews are appreciated, as well as usage experiences.
Ok, I see. Then I guess that is probably the best option. I may or may not have the time to update this branch, so everyone is free to jump on this ;)
This should be closed, I think, since #29 was merged. |
Just some replacements in the module names to make the client work on SSL. The SSL context could be exposed, but I am not sure it is really worth it.