OpenSSL fails to resolve hostname in internal network
Hi, I am having what seems like DNS resolution issues with the OpenSSL library in my company's internal network and would appreciate some pointers as to what it could be.
The following program works correctly when I use a URL with an address on the open internet, but when I use an address in our internal network, the http-client-tls part works and the http-client-openssl part throws an error.
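```haskell
import Network.HTTP.Client (brConsume, newManager, parseRequest, responseBody, withResponse)
import Network.HTTP.Client.OpenSSL (newOpenSSLManager, withOpenSSL)
import Network.HTTP.Client.TLS (tlsManagerSettings)

main = do
  let url = "https://<some_url>"
  req <- parseRequest url
  -- First attempt: manager backed by the Haskell tls library
  putStrLn "http-client-tls"
  tlsManager <- newManager tlsManagerSettings
  run req tlsManager
  -- Second attempt: manager backed by OpenSSL
  putStrLn "http-client-openssl"
  withOpenSSL $ do
    openSSLManager <- newOpenSSLManager
    run req openSSLManager
  where
    -- Perform the request and read the whole response body
    run req manager = withResponse req manager $ brConsume . responseBody
```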
This is the error thrown:
```
http-test-exe: HttpExceptionRequest Request {
  host = <redacted>
  port = 1952
  secure = True
  requestHeaders = []
  path = <redacted>
  queryString = <redacted>
  method = "GET"
  proxy = Nothing
  rawBody = False
  redirectCount = 10
  responseTimeout = ResponseTimeoutDefault
  requestVersion = HTTP/1.1
}
(ConnectionFailure Network.Socket.getAddrInfo (called with preferred socket type/protocol: AddrInfo {addrFlags = [AI_ADDRCONFIG,AI_NUMERICSERV], addrFamily = AF_INET, addrSocketType = Stream, addrProtocol = 0, addrAddress = <assumed to be undefined>, addrCanonName = <assumed to be undefined>}, host name: Just <redacted>, service name: Just "1952"): does not exist (Name or service not known))
```
The program is run with http_proxy and https_proxy set.
It seems like the settings of the tlsManager are making the hostname be resolved correctly, but the openSSLManager is failing to do so.
Do you know what could cause that?
I am using:
- GHC 8.10.4
- http-client 0.6.4.1
- http-client-openssl 0.3.2.0
- http-client-tls 0.3.5.3

Btw, nslookup resolves the internal hostname to an IPv6 address. I am not sure if this could be a factor here.
I don't have deep insights here, but I'd recommend comparing the relevant code paths:
- https://github.com/snoyberg/http-client/blob/master/http-client-openssl/Network/HTTP/Client/OpenSSL.hs
- https://github.com/snoyberg/http-client/blob/master/http-client-tls/Network/HTTP/Client/TLS.hs
One thing that stands out is the most recent commit on http-client-openssl: https://github.com/snoyberg/http-client/commit/3bdfed4696deefc88356e3f8527bbb675036cc17. Not sure if that's relevant, since you're using an older version of the library. Perhaps you could try bumping to the latest version.
It might be that OpenSSL tries to read /etc/services whilst the tls library does not.
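
The error in the original post shows `getAddrInfo` being called with `addrFamily = AF_INET`, while the poster reports that nslookup returns an IPv6 address. The following is an added diagnostic, not code from the thread or from http-client: it repeats that lookup with the same flags for each address family and reports whether the proxy variables are set. The program name and its HOST PORT arguments are assumptions, and it only checks name resolution; it does not establish the cause.

```haskell
-- Added diagnostic, not code from the thread or the http-client project.
import Control.Exception (IOException, try)
import Network.Socket
import System.Environment (getArgs, lookupEnv)

-- Hints copied from the error message; only the address family varies.
hintsFor :: Family -> AddrInfo
hintsFor fam = defaultHints
  { addrFlags      = [AI_ADDRCONFIG, AI_NUMERICSERV]
  , addrFamily     = fam
  , addrSocketType = Stream
  }

-- Resolve host/port for one family and print the addresses or the resolver error.
probe :: HostName -> ServiceName -> (String, Family) -> IO ()
probe host port (label, fam) = do
  r <- try (getAddrInfo (Just (hintsFor fam)) (Just host) (Just port))
         :: IO (Either IOException [AddrInfo])
  putStrLn $ label ++ ": " ++
    either (\e -> "FAILED: " ++ show e) (show . map addrAddress) r

-- Report only whether a proxy variable is set, so credentials in it are not echoed.
showEnv :: String -> IO ()
showEnv name = do
  v <- lookupEnv name
  putStrLn (name ++ " is " ++ maybe "unset" (const "set") v)

main :: IO ()
main = do
  args <- getArgs
  case args of
    [host, port] -> do
      mapM_ (probe host port)
        [ ("AF_INET  ", AF_INET)    -- the family shown in the error
        , ("AF_INET6 ", AF_INET6)   -- the family nslookup reportedly returns
        , ("AF_UNSPEC", AF_UNSPEC)  -- let the resolver choose
        ]
      mapM_ showEnv ["http_proxy", "https_proxy", "no_proxy"]
    _ -> putStrLn "usage: resolve-check HOST PORT"  -- hypothetical program name
```

If the AF_INET line fails while AF_INET6 succeeds, the host has no IPv4 record visible to the resolver, which matches the lookup shown in the error.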