OpenSmalltalk / opensmalltalk-vm

Cross-platform virtual machine for Squeak, Pharo, Cuis, and Newspeak.
http://opensmalltalk.org/

Cannot connect to SSL host #652

Closed unique75m closed 1 year ago

unique75m commented 1 year ago

The following code worked in the past. Now I get an error -5. Where can I find an explanation of this error? I guess the server side has changed and possibly Squeak SSL does not support that. I can connect to the same server on VisualWorks with the TLS plugin, which uses only an OpenSSL library. I do not know what Squeak does in its primitives.

| stream | stream := SecureSocketStream openConnectionToHostNamed: 'stream.data.alpaca.markets' port: 443. stream sslConnect. stream binary. stream halt. stream close

This example with another server is working

| stream | stream := SecureSocketStream openConnectionToHostNamed: 'quotes-ws.boerse-go.de' port: 443. stream sslConnect. stream binary. stream halt. stream close

unique75m commented 1 year ago

I forgot to write... I have tested this with the official 6.0 VM and the trunk version, both are failing.

edoneel commented 1 year ago

So, out of interest, can you connect to www.google.ch on port 443? This is my simple test case when I build a VM.

WebClient httpHead: 'https://www.google.ch'

and it shouldn't fail.

unique75m commented 1 year ago

Yes, I can connect to www.google.ch. I see the debugger with the #halt, so #sslConnect was working.

edoneel commented 1 year ago

So on Linux (Raspberry Pi) I get the following message on the terminal

SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1543:SSL alert number 112

This leads us to

https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132

which mentions that 112 is unrecognized_name(112).

When I run it through the Qualys SSL checker

https://www.ssllabs.com/ssltest/analyze.html?d=stream.data.alpaca.markets

it does mention that

This site works only in browsers with SNI support.

so I'm guessing at the level that sslConnect is working it is not getting SNI right.

=================

Now the good news is that this works (again Linux on a PI)

WebClient httpHead: 'https://stream.data.alpaca.markets'

returning

WebResponse(HTTP/1.1 404 Not Found date: Tue, 30 Aug 2022 18:22:48 GMT content-type: text/plain; charset=utf-8 content-length: 21 connection: keep-alive strict-transport-security: max-age=15724800; includeSubDomains )

Now we know that it should work because WebClient works, and it sounds like SNI is an issue.

SecureSocketStream sslConnect just calls self sslConnectTo: nil

And that leads us to the comment in sslConnectTo:

"Perform the SSL client handshake. This method uses all the common SocketStream methods to adhere to the various timeout/signalling settings of SocketStream. It only installs the SSL instance after the handshake is complete. If serverName is not nil, then try to use it for SNI."

So, if one modifies your code as above it seems to work

stream := SecureSocketStream openConnectionToHostNamed: 'stream.data.alpaca.markets' port: 443. stream sslConnectTo: 'stream.data.alpaca.markets'. stream binary. stream halt. stream close
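The diagnosis above rests on two wire-level facts: the ClientHello sent by a bare sslConnect carries no server_name (SNI) extension, and the server answers with a fatal alert whose description byte is 112 (unrecognized_name), which SqueakSSL then surfaces only as the generic -5. The following added example (not code from the opensmalltalk-vm project or from anyone in this thread) is a small stdlib-only Python inspector for exactly those two records: it walks a raw TLS record, reports the SNI host name from a ClientHello if one is present, and decodes an alert record into its level and description names. The ClientHello and alert records it is run on are constructed in the script itself (placeholder random, one cipher suite, no session id), not captured from the hosts named in the thread.

```python
"""Minimal TLS record inspector for diagnosing SNI problems (added example)."""
import struct

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0

# Subset of the RFC 5246 / RFC 8446 AlertDescription registry relevant here.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}


def parse_record(data):
    """Split one TLS record into (content_type, version, payload)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated TLS record body")
    return content_type, version, payload


def describe_alert(data):
    """Decode an alert record into (level_name, description_name)."""
    content_type, _version, payload = parse_record(data)
    if content_type != CONTENT_ALERT or len(payload) != 2:
        raise ValueError("not a TLS alert record")
    level, description = payload
    level_name = {1: "warning", 2: "fatal"}.get(level, "unknown(%d)" % level)
    desc_name = ALERT_DESCRIPTIONS.get(description, "unknown(%d)" % description)
    return level_name, desc_name


def extract_sni(data):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Walks the ClientHello body field by field (RFC 5246 section 7.4.1.2),
    then the extension list. A ClientHello with no extensions block is legal
    and simply yields None, which is the sslConnect-without-server-name case.
    """
    content_type, _version, payload = parse_record(data)
    if content_type != CONTENT_HANDSHAKE or len(payload) < 4 \
            or payload[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte len, name) entries
        list_len = int.from_bytes(ext_data[:2], "big")
        p = 2
        while p < 2 + list_len:
            name_type = ext_data[p]
            name_len = int.from_bytes(ext_data[p + 1:p + 3], "big")
            name = ext_data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                            # host_name
                return name.decode("ascii")
    return None


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record as sample input.

    Hand-built for the parser above, not what any real client sends: the
    random is all zeros, there is one cipher suite and no session id.
    """
    body = b"\x03\x03" + b"\x00" * 32      # client_version, placeholder random
    body += b"\x00"                        # empty session_id
    body += b"\x00\x02\xc0\x2f"            # one cipher suite
    body += b"\x01\x00"                    # null compression only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0303, len(handshake)) + handshake


def build_alert(level, description):
    """Construct a TLS alert record as sample input."""
    return struct.pack("!BHH", CONTENT_ALERT, 0x0303, 2) + bytes([level, description])


if __name__ == "__main__":
    # sslConnect case: no SNI, so an SNI-only server answers with fatal alert 112.
    print("SNI in bare hello:", extract_sni(build_client_hello()))
    print("SNI in sslConnectTo: hello:",
          extract_sni(build_client_hello("stream.data.alpaca.markets")))
    print("Server alert:", describe_alert(build_alert(2, 112)))
```

Run against a packet capture of the failing handshake, `extract_sni` on the client's first record and `describe_alert` on the server's reply give the same answer the OpenSSL terminal message gave on Linux, which is useful on macOS where SecureTransport prints nothing and only the generic -5 is visible.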

unique75m commented 1 year ago

Yeaaaahhhh, it works... thank you very very much for that fast response and help :-)

Interesting, the message you described is only shown on Ubuntu/Raspberry when I start Squeak through the terminal. But it is not shown in my macOS terminal, where I got the same error -5.

So for the moment, 1 problem more solved on my way to move my application to Squeak, thank you.

krono commented 1 year ago

-5 is the Generic SqueakSSL error, it can mean anything.

Note that on Linux, OpenSSL is used while on Mac we use SecureTransport, which are widely different Libraries/Frameworks.

Can you make your question/error a tad more precise?

unique75m commented 1 year ago

OK, I think there is no need for further research; the problem is solved for me now because of the description from [edoneel].

I already read that there are some generic error codes and that normally we should call a special error function to get the real error description. But I think this can be done only in the virtual machine, directly after the command that produces the error. I remember that from Windows, where you need to call GetLastError() immediately. Maybe it would be useful to have a possibility in Smalltalk to delegate that full error description to the image, so it can be shown in the debugger instead of just a generic error message.

edoneel commented 1 year ago

Yes, and this does not help that SSL is nothing but a bag of pain when it does not work.