elixir-mint / mint

Functional HTTP client for Elixir with support for HTTP/1 and HTTP/2 🌱
Apache License 2.0
1.36k stars 112 forks

Describe how to use the socket associated with a connection #309

Closed lukebakken closed 3 years ago

lukebakken commented 3 years ago

Related PR - https://github.com/elixir-mint/mint/pull/308

Using the connection's socket allows users to retrieve information from the socket. In my case, I would like to use the following to get the TLS secrets to be used later in Wireshark:

:ssl.connection_information(Socket, [:keylog])

Doing the above requires passing keep_secrets: true via transport_opts when the HTTP client is initialized.

cc @ericmj

ericmj commented 3 years ago

I would like @whatyouhide's and @josevalim's thoughts on if exposing the socket is the best solution.

josevalim commented 3 years ago

I don’t see an issue with exposing the socket as long as it comes with a gazillion disclaimers, especially about not changing the socket state in regards to the buffers.

lukebakken commented 3 years ago

I have only added a demo test for HTTP 1, but it appears the socket is indeed already available - #310. CI fails due to the fact that keylog is only supported by OTP versions that aren't yet being tested via GH actions. I tested locally using 23.3.1 and it passes.

I'm happy to fix the existing test, add more tests, and document the use of the socket with a gazillion caveats 😄

I'm assuming that using code like that in ssl_version/0 would be the preferred way to only test :keylog for version 10.2 and higher of the ssl module.

ericmj commented 3 years ago

The socket is available on the connection struct but all struct fields are private API. The proper way would be to add a function that returns the socket including documentation with the disclaimers Jose mentioned.

whatyouhide commented 3 years ago

I am on the same page as @josevalim: we can expose it at the complete risk of the user. We can disclaim that the only somewhat "endorsed" way of using the socket is with read-only functions to get information out of the socket. :)

lukebakken commented 3 years ago

Thanks for the input everyone. I'll give implementing this a shot.

lukebakken commented 3 years ago

See #310. Turns out get_socket was already available. I modified the documentation to clarify some of the risks. The test I added demonstrates how to retrieve information from the socket. Adding Erlang 23.3.1 to the GH workflow exposed some issues around TLS versions and ciphers that are resolved by enabling all supported ones 🤷 It must be specific to the version of openssl used on Ubuntu 16 since it worked fine on my machine.

whatyouhide commented 3 years ago

Closing in favor of the PR. Thanks @lukebakken! 💟
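
The read-only use of the socket discussed in this thread, as an added example that is not part of the original issue or of Mint's own code. It assumes the `:mint` dependency, an OTP release whose `ssl` application is 10.2 or newer, and a hypothetical `KeylogDemo` module; the host and file path are supplied by the caller.

```elixir
# Added example (not Mint's own code). Requires the :mint dependency and an
# OTP release whose ssl application supports the :keylog item (ssl >= 10.2).
defmodule KeylogDemo do
  # Hypothetical helper: opens a TLS connection to `host`, then appends the
  # session's key log lines to `path` so a capture of this connection can be
  # decrypted in Wireshark. Returns {:ok, number_of_lines} or {:error, reason}.
  def dump(host, path) do
    # keep_secrets: true makes :ssl retain the secrets that :keylog reports.
    opts = [transport_opts: [keep_secrets: true]]

    with {:ok, conn} <- Mint.HTTP.connect(:https, host, 443, opts),
         socket = Mint.HTTP.get_socket(conn),
         # Read-only query: it does not change socket options, ownership
         # or buffers, which is the only use the maintainers endorse.
         {:ok, info} <- :ssl.connection_information(socket, [:keylog]) do
      # The item is omitted when secrets were not kept, hence the default.
      lines = Keyword.get(info, :keylog, [])
      write_private(path, lines)
      {:ok, _conn} = Mint.HTTP.close(conn)
      {:ok, length(lines)}
    end
  end

  defp write_private(path, lines) do
    # The file holds live session secrets: restrict it to the owner
    # before any secret is written, and delete it after debugging.
    File.touch!(path)
    File.chmod!(path, 0o600)
    File.write!(path, Enum.map(lines, &[&1, ?\n]), [:append])
  end
end
```

Enable `keep_secrets` only in debugging builds, since anyone who can read the key log file can decrypt a capture of the corresponding sessions.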