Zorba for Windows cannot make HTTPS requests

Bug #866886 reported by Gabriel Petrovay
Affects: Zorba
Status: Fix Released
Importance: High
Assigned to: Rodolfo Ochoa

Bug Description

We just discovered that under Windows, making requests to:
https://api-3t.sandbox.paypal.com/nvp
or
https://www.credit-suisse.com

using the http-client, one gets back a response with status -1.

The command line Curl tool on Windows also rejects such calls because it cannot verify the certificates, reporting:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Markus Pilman (mpilman) wrote :

I committed a fix for the problem: download the certificates from http://curl.haxx.se/docs/caextract.html and place it in the same directory where zorba.exe is.

Gabriel Petrovay (gabipetrovay) wrote :

There are still 3 issues with this:

1. If the cacert.pem is missing, the error should be relevant. Currently this is:

<?xml version="1.0" encoding="UTF-8"?>
Error in C:\Users\Gabriel\Work\28msec\zorba\src\api\external_function_data.cpp:106. Query: <>, line 0, column 0: [XQP0021] An HTTP error occurred.
=================================================
http:tidy-result#2 ( http://www.zorba-xquery.com/modules/http-client )
C:\Users\Gabriel\Work\28msec\zorba\builds\debug10\dist\bin\..\include\zorba\modules\com/zorba-xquery/www/modules/http-client.xq at line 162 column 12
=================================================
http:send-request#3 ( http://www.zorba-xquery.com/modules/http-client )
C:\Users\Gabriel\Work\28msec\zorba\builds\debug10\dist\bin\..\include\zorba\modules\org/expath/ns/http-client.xq at line 136 column 5
=================================================
http:send-request#3 ( http://expath.org/ns/http-client )
C:\Users\Gabriel\Work\28msec\zorba\builds\debug10\dist\bin\..\include\zorba\modules\org/expath/ns/http-client.xq at line 161 column 5
=================================================
http:send-request#1 ( http://expath.org/ns/http-client )
d:\mm.xq at line 3 column 1

2. This file has to be shipped. So make install should install it. So the cacert.pem file must be committed in the Zorba repository.

3. Should this be documented in the module itself?

Including one example for easier reproducing:

import module namespace http = "http://expath.org/ns/http-client";
http:send-request(<http:request href="https://www.credit-suisse.com" method="get"/>)
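
One way to get a relevant error when cacert.pem is missing while leaving curl's certificate verification on, shown with the curl command line tool (an added example, not code from this report or from Zorba). The function names are hypothetical, and the bundle check only counts PEM markers before curl parses the file itself:

```shell
#!/bin/sh
# Added example; check_ca_bundle, explain_curl_exit and fetch_verified are
# hypothetical helper names, not part of curl or Zorba.

# Sanity-check a CA bundle before use so a missing file gets a specific error.
# This only counts PEM markers; curl still parses and validates the file.
check_ca_bundle() {
    bundle=$1
    if [ ! -f "$bundle" ]; then
        echo "CA bundle not found: $bundle" >&2
        return 2
    fi
    if [ ! -r "$bundle" ]; then
        echo "CA bundle not readable: $bundle" >&2
        return 3
    fi
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "CA bundle contains no PEM certificates: $bundle" >&2
        return 4
    fi
    return 0
}

# Translate the curl exit codes relevant to this report into a clear message.
explain_curl_exit() {
    case $1 in
        0)  echo "request succeeded" ;;
        60) echo "server certificate could not be verified against the CA bundle" ;;
        77) echo "curl could not read the CA bundle file" ;;
        *)  echo "curl failed with exit code $1" ;;
    esac
}

# Fetch a URL with verification left on (no -k) against an explicit bundle.
fetch_verified() {
    url=$1
    cacert=$2
    check_ca_bundle "$cacert" || return $?
    status=0
    curl --silent --show-error --fail --cacert "$cacert" "$url" || status=$?
    [ "$status" -eq 0 ] || explain_curl_exit "$status" >&2
    return "$status"
}

# Usage: fetch_verified https://www.credit-suisse.com ./cacert.pem
```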

Chris Hillery (ceejatec)
Changed in zorba:
assignee: Chris Hillery (ceejatec) → Rodolfo Ochoa (rodolfo-ochoa)
Changed in zorba:
status: New → In Progress
Changed in zorba:
milestone: none → 2.7
Chris Hillery (ceejatec) wrote :

Zorba is actually able to make https requests by default on Windows now, I'm nearly sure. I believe this may have been done internally by de-activating curl's default "verify peer certificates" behaviour. There is a separate bug, bug 867136, which tracks making this a runtime option instead of a compile-time option.

Rodolfo, if you can verify that this is working by default and that my diagnosis about curl is correct, then you can resolve this bug.

Rodolfo Ochoa (rodolfo-ochoa) wrote :

Seems that this problem has been solved with new cURL libraries, anyway, I'm including cacert.pem file as requested.

Changed in zorba:
status: In Progress → Fix Committed
Chris Hillery (ceejatec) wrote :

Marking this as "Confirmed" again as the fix is not actually committed to the trunk yet (at least I don't believe it is).

Changed in zorba:
status: Fix Committed → Confirmed
Changed in zorba:
status: Confirmed → Fix Committed
Changed in zorba:
status: Fix Committed → Fix Released