SSL Context error

[Karthik T]

I am building a web app with kemal. I need to make API calls during initialization which are HTTPS based. I find that if i make the call during initialization of the app (before Kemal.run) I get `SSL_CTX_new: error:140A90A1:lib(20):func(169):reason(161) (OpenSSL::Error)` which google indicates is due to initialization (or lack therof) of the SSL library. The same call works if done after the Kemal.run, via a HTTP action.

Is this some problem with kemal or the standard library code itself?

The code that is leading to this error is essentially `HTTP::Client.get(rules_doc_url).body`

I am on OSX and my version is "Crystal 0.23.1 (2017-07-13) LLVM 4.0.1"

[Gustavo Giráldez]

There's a good chance that the server you're trying to access is using a cipher suite not supported by your OpenSSL library, which Crystal uses. In OSX, the system OpenSSL library is a very old version (0.9.8z) because Apple is deprecating it in favor of their own crypto libraries (Crypto Common).

You can use a newer OpenSSL from Homebrew though. You need to pass additional compilation flags to Crystal, eg:

crystal app.cr --link-flags -L/usr/local/opt/openssl/lib

Use brew info openssl to get the actual path, but that should work.

HTH,

Gustavo

--
You received this message because you are subscribed to the Google Groups "Crystal" group.
To unsubscribe from this group and stop receiving emails from it, send an email to crystal-lang...@googlegroups.com.
To post to this group, send email to crysta...@googlegroups.com.
Visit this group at https://groups.google.com/group/crystal-lang.
To view this discussion on the web visit https://groups.google.com/d/msgid/crystal-lang/CAJgcjqN7jkphftdKJ5zWN%3DBOd4kCG2Yxs6YhESSc-VEwDy39Wg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Karthik T]

Thanks for responding, however i feel you might missed one detail that it indeed does work, but only after Kemal.run. Also i have had this same situation with a different target server about a month back.

[Roger Pack]

Reproducible code please?

[Karthik T]

So while i was trying to prepare the reproducible code, I realised that it isnt so much "before Kemal.run" as it is before "require "kemal". Please take a look at the below code. @Roger Pack

ip_url = "https://api.ipify.org?format=json"
puts HTTP::Client.get(ip_url).body # fails
require "kemal"
puts HTTP::Client.get(ip_url).body # works
get "/ip" do |env|
  HTTP::Client.get(ip_url).body # works
end

Kemal.run ENV.has_key?("PORT") ? ENV["PORT"].to_i : 12345

[Karthik T]

Infact it isnt even "require "kemal"" but require http. This raises the question, how is the http code working without requiring it but requires requiring it to get HTTPS code to work..

Updated code

ip_url = "https://api.ipify.org?format=json"

puts HTTP::Client.get(ip_url).body # fails

require "http"

puts HTTP::Client.get(ip_url).body # works
require "kemal"
puts HTTP::Client.get(ip_url).body # works
get "/ip" do |env|
  HTTP::Client.get(ip_url).body # works
end

Kemal.run ENV.has_key?("PORT") ? ENV["PORT"].to_i : 12345

[Karthik T]

I am running this on OSX, with Crystal 0.23.1

[Luis Lavena]

On Tuesday, October 24, 2017 at 3:14:54 AM UTC-3, Karthik T wrote:

Infact it isnt even "require "kemal"" but require http. This raises the question, how is the http code working without requiring it but requires requiring it to get HTTPS code to work..

Updated code
ip_url = "https://api.ipify.org?format=json"

puts HTTP::Client.get(ip_url).body # fails
require "http"
puts HTTP::Client.get(ip_url).body # works
require "kemal"
puts HTTP::Client.get(ip_url).body # works
get "/ip" do |env|
  HTTP::Client.get(ip_url).body # works
end

Kemal.run ENV.has_key?("PORT") ? ENV["PORT"].to_i : 12345

Hello, it appears the code sample you're providing is incomplete:

ip_url = "https://api.ipify.org?format=json"

puts HTTP::Client.get(ip_url).body

Fails to compile:

Error in 1.cr:3: undefined constant HTTP::Client

puts HTTP::Client.get(ip_url).body # fails

     ^~~~~~~~~~~~

But changing to the following, works perfectly.

Code:

require "http/client"

ip_url = "https://api.ipify.org?format=json"

puts HTTP::Client.get(ip_url).body

Please try to remove as much as possible of variables in your test code in order for us to help you out more efficiently.

Cheers,

--

Luis Lavena

[Karthik T]

@luis, I would expect the behavior that you are seeing but I get the SSL error instead.

I am on OSX, using Crystal 0.23.1 (2017-10-12) LLVM 4.0.1.

I run that file with "crystal test.cr" and the only other files in the folder are kemal related (shard.yml, shard.lock, lib/)

[Karthik T]

Since it doesnt seem consistently reproducible, the exact error I get is the below.

SSL_CTX_new: error:140A90A1:lib(20):func(169):reason(161) (OpenSSL::Error)

0x105f10015: *CallStack::unwind:Array(Pointer(Void)) at ??
0x105f0ffb1: *CallStack#initialize:Array(Pointer(Void)) at ??
0x105f0ff88: *CallStack::new:CallStack at ??
0x105f06f15: *raise<OpenSSL::Error>:NoReturn at ??
0x105faad92: *OpenSSL::SSL::Context::Client@OpenSSL::SSL::Context#initialize<Pointer(Void)>:Nil at ??
0x105faad32: *OpenSSL::SSL::Context::Client#initialize:Nil at ??
0x105faacf9: *OpenSSL::SSL::Context::Client::new:OpenSSL::SSL::Context::Client at ??
0x105fa25cc: *HTTP::Client#initialize<String, (Int32 | Nil), Bool>:Bool at ??
0x105fa255d: *HTTP::Client::new<String, (Int32 | Nil), Bool>:HTTP::Client at ??
0x105fa20dd: *HTTP::Client::exec<String, String, Nil, Nil, Nil>:HTTP::Client::Response at ??
0x105fa1f3f: *HTTP::Client::get<String>:HTTP::Client::Response at ??
0x105ef1ba6: __crystal_main at ??
0x105f064f8: main at ??