[racket] outgoing https requests with client certificate with plt 4.2.5

From: Neil Van Dyke (neil at neilvandyke.org)
Date: Sun Sep 12 22:10:57 EDT 2010


I have not yet been able to get outgoing SSL client certificate 
authentication to work with the 4.2.5 "openssl" module.  It appears to 
hang in SSL handshaking sometime after authenticating the server by a 
CA.  I *have*, however, been able to do the HTTPS request using Firefox, 
"curl", and "openssl s_client" using the same test environment.

The PLT "collects/openssl/mzssl.ss" code appears thoughtful and of good 
quality.  I have not yet found any bugs by code inspection that should 
cause this problem.  However, I now suspect that this code has never 
been used to do outgoing client certificate authentication (i.e., when 
PLT is making the SSL connection as a client, providing a certificate to 
authenticate the client end to the server), not even in a test case.  
(The "handin" stuff does cert auth of the server, but not of the client.)

It's possible that the problem is in the data I am supplying (an example I 
found: the OpenSSL C library specifies some restrictions that are not 
documented for "ssl-load-certificate-chain!"), or that I have something 
like an I/O buffering/termination bug in the small tweaks I've made to 
hook SSL up to 4.2.5 "url.ss" and make the SSL context a Scheme 
parameter.  I've eliminated numerous other possible causes.

The test environment and the small tweaks are not something that can be 
pasted into an email, unfortunately.

I will be debugging this a little more right now.  Because this is a 
slow thing to debug, probably I will have to write a new little HTTPS 
client library that serves my immediate need.


Posted on the users mailing list.