[racket-dev] possible bug in openssl/mzssl

From: Matthew Flatt (mflatt at cs.utah.edu)
Date: Wed Feb 29 11:20:54 EST 2012

Neil and Timur: Thanks for detailed information about the problem.

So far, I haven't managed to replicate the problem on my machine. Do
you have any hints on how to configure Apache to trigger the problem or
a server that I might try?

I've tried connecting to Apache servers running on 64-bit Mac OS X
and 32-bit Linux. I tried connecting to "localhost", and I tried
bouncing the connection through `ssh -L ... -R ...' to distant hosts.
All of those configurations worked. Meanwhile, I'm pretty sure that I'm
setting up client verification correctly, since the connection fails if
I mangle the certificate configuration on the client side. I wonder
whether there's some other feature in Apache I could turn on that would
trigger problems.

At Tue, 28 Feb 2012 18:41:23 -0500, Neil Van Dyke wrote:
> Timur Sufiev wrote at 02/27/2012 08:58 AM:
> > [...] Raw ports were wrapped with SSL successfully, but then the program 
> > hung between the 2 last actions: sending the request to the server and 
> > reading its reply. Further investigation showed that in the course of 
> > SSL processing the server had requested session renegotiation from the 
> > client and would provide it with requested data if the client sent 
> > negotiation info to server. [...]
> 
> This sounds like a problem that I had over a year ago with having Racket 
> (PLT Scheme) send HTTPS client certificates:
> http://lists.racket-lang.org/users/archive/2010-September/041519.html
> 
> I did not solve that exact problem.  A consulting client had an urgent 
> need, so I worked around the problem by making a Racket module that 
> provided an abstraction over external "curl" processes, and used that 
> module instead.  (Which also probably increased app performance, when 
> that client moved to Web SCGI with Racket and added some new behavior, 
> since large HTTPS and file I/O that happened in the background of Web 
> requests could bypass the Racket process and could also be scheduled by 
> the host OS on other processors.)  That particular Racket "curl" module 
> is not currently open source, but you might find a similar Racket 
> library, or implement your own simple library pretty easily.
> 
> Also, a tip on one way to decrypt the SSL traffic:
> http://www.neilvandyke.org/weblog/2010/09/#2010-09-12
> 
> Neil V.
> 
> -- 
> http://www.neilvandyke.org/
> 
> _________________________
>   Racket Developers list:
>   http://lists.racket-lang.org/dev

Posted on the dev mailing list.
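One Apache configuration that does make mod_ssl renegotiate in the middle of an established connection, added here as an illustration and not taken from the thread: requiring the client certificate in a per-location context instead of at the virtual host level. mod_ssl only learns that a certificate is needed after it has read the request line, so it has to renegotiate the session it already has. The hostname, file paths and the `/secure` location are placeholders.

```apache
# Added example, not from the mailing-list thread. Hostname and paths are placeholders.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # No client certificate is requested in the initial handshake ...
    SSLVerifyClient none

    # ... but one is required under /secure. mod_ssl can only discover this
    # after it has parsed the request line, so it renegotiates the already
    # established TLS session to ask for the certificate. A client that does
    # not service that renegotiation stalls exactly where the thread describes:
    # after sending the request and before reading the response.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
```

Moving `SSLVerifyClient require` up to the `<VirtualHost>` level asks for the certificate during the first handshake and removes the renegotiation, which is why a server configured that way will not reproduce the hang. To confirm what a server is doing, run `openssl s_client -state -connect host:443 -cert client.crt -key client.key`, type a request for the protected path over the open connection, and watch for a second run of handshake state lines after the request; `SSLRenegBufferSize` bounds how much request body mod_ssl buffers before it renegotiates.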