mbedtls / websocket bug

[Macho0x]

Describe the bug

The V language's net.mbedtls module currently uses compile-time constants for SSL read timeouts, which prevents runtime configuration. This forces users to recompile their applications with -d mbedtls_client_read_timeout_ms=<value> whenever they need different timeout values for different environments or use cases.

Current Implementation

In vlib/net/mbedtls/ssl_connection.c.v:

const mbedtls_client_read_timeout_ms = $d('mbedtls_client_read_timeout_ms', 10_000)
const mbedtls_server_read_timeout_ms = $d('mbedtls_server_read_timeout_ms', 41_000)

Reproduction Steps

Example 1: WebSocket Connection Timeout

import net.websocket
import time

fn main() {
    // Attempt to connect to a WebSocket server with infrequent data
    mut ws := websocket.new_client('wss://stream.exchange.com/ws')!
    
    // Subscribe to a low-frequency feed
    ws.connect()!
    
    // If no data arrives within 10 seconds, mbedtls will timeout
    // even though the connection is healthy and the exchange will
    // eventually send data
    for {
        ws.listen() or {
            // Error: "did not receive any data within 10000ms"
            // No way to increase this at runtime!
            break
        }
    }
}

Example 2: Different Timeouts for Different Connections

import net.mbedtls
import time

fn main() {
    // I want Connection A to have 10s timeout (default)
    config_a := mbedtls.SSLConnectConfig{}
    mut conn_a := mbedtls.new_ssl_conn(config_a)!
    
    // I want Connection B to have 5min timeout (for WebSocket)
    // Currently impossible without recompiling with -d flag!
    config_b := mbedtls.SSLConnectConfig{
        // No read_timeout field available
    }
    mut conn_b := mbedtls.new_ssl_conn(config_b)!
}

Workaround Required

Users must compile with:

v -d mbedtls_client_read_timeout_ms=300000 run main.v

This sets a global 5-minute timeout for all connections, which is suboptimal when different connections need different timeouts.

---

Expected Behavior

Consistent API with Other Net Modules

The net.mbedtls module should follow the same pattern as net.tcp.TcpConn and net.raw.RawConn:

// TcpConn pattern (already exists)
pub struct TcpConn {
pub mut:
    read_timeout   time.Duration
    write_timeout  time.Duration
}

pub fn (mut c TcpConn) set_read_timeout(t time.Duration) {
    c.read_timeout = t
}

// RawConn pattern (already exists)
pub struct RawConn {
pub mut:
    read_timeout   time.Duration
    write_timeout  time.Duration
}

pub fn (mut c RawConn) set_read_timeout(t time.Duration) {
    c.read_timeout = t
}

// Expected mbedtls pattern (proposed)
pub struct SSLConn {
pub mut:
    read_timeout   time.Duration
}

pub fn (mut s SSLConn) set_read_timeout(t time.Duration) {
    s.read_timeout = t
    C.mbedtls_ssl_conf_read_timeout(&s.conf, u32(t.milliseconds()))
}

Per-Connection Timeout Configuration

Users should be able to configure timeouts per connection:

import net.mbedtls
import time

fn main() {
    // Connection A: Default 10s timeout
    mut conn_a := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{})!
    
    // Connection B: 5-minute timeout for WebSocket
    mut conn_b := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
        read_timeout: 300 * time.second
    })!
    
    // Connection C: Modify timeout at runtime
    mut conn_c := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{})!
    conn_c.set_read_timeout(60 * time.second)  // Change to 1 minute
}

Backward Compatibility

• Existing code using -d mbedtls_client_read_timeout_ms=... should continue to work
• The compile-time value becomes the default for SSLConnectConfig.read_timeout
• No breaking changes to existing APIs

---

Current Behavior

Compile-Time Configuration Only

// File: vlib/net/mbedtls/ssl_connection.c.v:11-12
const mbedtls_client_read_timeout_ms = $d('mbedtls_client_read_timeout_ms', 10_000)
const mbedtls_server_read_timeout_ms = $d('mbedtls_server_read_timeout_ms', 41_000)

Usage in Connection Initialization

// File: vlib/net/mbedtls/ssl_connection.c.v:391-394
$if trace_mbedtls_timeouts ? {
    dump(mbedtls_client_read_timeout_ms)
}
C.mbedtls_ssl_conf_read_timeout(&s.conf, mbedtls_client_read_timeout_ms)

Error Message

// File: vlib/net/mbedtls/ssl_connection.c.v:587-592
C.MBEDTLS_ERR_SSL_TIMEOUT {
    return error_with_code(
        'net.mbedtls SSLConn.socket_read_into_ptr, did not receive any data within ${mbedtls_client_read_timeout_ms}ms. compile with `-d mbedtls_client_read_timeout_ms=100000` to set a higher timeout',
        res
    )
}

Limitations

1. Single global value: All connections in the application share the same timeout
2. Recompilation required: Changing timeout requires recompiling entire application
3. No runtime API: No methods like set_read_timeout() or get_read_timeout()
4. Inconsistent: Does not follow the pattern established by TcpConn and RawConn

---

Possible Solution

Implementation Plan

Step 1: Add read_timeout to SSLConnectConfig

File: vlib/net/mbedtls/ssl_connection.c.v
Lines: 318-329

@[params]
pub struct SSLConnectConfig {
pub:
    verify   string
    cert     string
    cert_key string
    validate bool
    in_memory_verification bool
    get_certificate ?fn (mut SSLListener, string) !&SSLCerts
    // NEW: Runtime-configurable timeout with compile-time default
    read_timeout time.Duration = $d('mbedtls_client_read_timeout_ms', 10_000) * time.millisecond
}

Step 2: Add read_timeout to SSLConn

File: vlib/net/mbedtls/ssl_connection.c.v
Lines: 139-155

pub struct SSLConn {
pub:
    config SSLConnectConfig
pub mut:
    server_fd C.mbedtls_net_context
    ssl       C.mbedtls_ssl_context
    conf      C.mbedtls_ssl_config
    certs     &SSLCerts = unsafe { nil }
    handle    int
    duration  time.Duration
    opened    bool
    ip        string
    owns_socket bool
    // NEW: Store current timeout for getter methods
    read_timeout time.Duration
}

Step 3: Initialize timeout from config

File: vlib/net/mbedtls/ssl_connection.c.v
Function: fn (mut s SSLConn) init() !
Lines: 391-394

$if trace_mbedtls_timeouts ? {
    dump(s.config.read_timeout)
}
// Use config timeout instead of compile-time constant:
C.mbedtls_ssl_conf_read_timeout(&s.conf, u32(s.config.read_timeout.milliseconds()))

s.read_timeout = s.config.read_timeout  // Store for later use

Step 4: Add getter/setter methods

File: vlib/net/mbedtls/ssl_connection.c.v
**After line 329 (after SSLConnectConfig definition)

// read_timeout returns the current SSL read timeout for this connection
pub fn (s &SSLConn) read_timeout() time.Duration {
    return s.read_timeout
}

// set_read_timeout sets the SSL read timeout for this connection.
// Note: This modifies the underlying mbedtls configuration immediately.
// The change takes effect for subsequent read operations.
pub fn (mut s SSLConn) set_read_timeout(t time.Duration) {
    s.read_timeout = t
    C.mbedtls_ssl_conf_read_timeout(&s.conf, u32(t.milliseconds()))
}

Step 5: Update error message

File: vlib/net/mbedtls/ssl_connection.c.v
Lines: 587-592

C.MBEDTLS_ERR_SSL_TIMEOUT {
    $if trace_ssl ? {
        eprintln('${@METHOD} ---> res: C.MBEDTLS_ERR_SSL_TIMEOUT')
    }
    return error_with_code(
        'net.mbedtls SSLConn.socket_read_into_ptr, did not receive any data within ${s.read_timeout.milliseconds()}ms. Use `conn.set_read_timeout(duration)` to increase timeout',
        res
    )
}

Alternative: Apply Same Pattern to SSLListener

For consistency, apply the same changes to SSLListener:

// In SSLListener struct (line ~220)
pub mut:
    read_timeout time.Duration

// In SSLConnectConfig
    server_read_timeout time.Duration = $d('mbedtls_server_read_timeout_ms', 41_000) * time.millisecond

// In SSLListener.init()
C.mbedtls_ssl_conf_read_timeout(&l.conf, u32(l.config.server_read_timeout.milliseconds()))
l.read_timeout = l.config.server_read_timeout

// Add getter/setter
pub fn (l &SSLListener) read_timeout() time.Duration { return l.read_timeout }
pub fn (mut l SSLListener) set_read_timeout(t time.Duration) { 
    l.read_timeout = t
    C.mbedtls_ssl_conf_read_timeout(&l.conf, u32(t.milliseconds()))
}

---

Additional Information/Context

Benefits of This Fix

1. No Longer Need Compile-Time Flag

Before:

v -d mbedtls_client_read_timeout_ms=300000 run main.v

After:

// In application code - no compile flag needed!
import net.mbedtls
import time

mut conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
    read_timeout: 300 * time.second
})!

2. Per-Connection Timeouts

Different connections can have different timeouts:

// API calls: Short timeout
mut api_conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
    read_timeout: 10 * time.second
})!

// WebSocket: Long timeout
mut ws_conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
    read_timeout: 300 * time.second
})!

3. Runtime Adjustability

Adjust timeouts based on runtime conditions:

mut conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{})!

// Later, based on user settings or network conditions:
if user_prefers_longer_timeout {
    conn.set_read_timeout(5 * time.minute)
}

4. Configuration File Support

Timeouts can now come from configuration files:

import toml

config := toml.parse_file('app.toml')!
ssl_timeout := config.value('websocket.ssl_timeout').i64()

mut conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
    read_timeout: ssl_timeout * time.second
})!

Comparison with Other Languages

Language	SSL Timeout Configuration	Runtime API
Go	tls.Config.HandshakeTimeout	✅ Yes
Python	ssl.SSLContext.timeout	✅ Yes
Rust	native_tls::TlsConnectorBuilder.timeout()	✅ Yes
Node.js	tls.connect({timeout: ...})	✅ Yes
V (current)	-d mbedtls_client_read_timeout_ms=...	❌ No
V (proposed)	SSLConnectConfig{read_timeout: ...}	✅ Yes

This fix makes V's mbedtls module consistent with other net modules (TcpConn, RawConn) and industry standards. It enables:

1. ✅ Runtime configuration without recompilation
2. ✅ Per-connection timeouts instead of global value
3. ✅ Configuration file support for timeouts
4. ✅ Backward compatibility with existing code
5. ✅ Consistent API across V's net modules

The implementation is minimal (~20 lines of changes) but provides significant flexibility improvements for applications requiring different SSL timeouts in different contexts.

V version

0.5

Environment details (OS name and version, etc.)

CachyOS

Note

You can use the 👍 reaction to increase the issue's priority for developers.

Please note that only the 👍 reaction to the issue itself counts as a vote.
Other reactions and those to comments will not be taken into account.

[gechandesu]

Why not do a pull request?

[Macho0x]

I didn't create a pull request in case the V Lang team wanted to debate the issue...

Same story with my other bug issue: #26644

[JalonSolov]

I don't see any reason not to submit a PR, however, a suggestion...

In general in V, we don't use getters/setters. Just declare things as public, and set them directly. getters/setters "smell" like OOP with it's enforced encapsulation.

Alternatively, use a params struct to pass it as an extra field on the connect, then set a default value in the struct to retain the current behavior, but it will allow changing the timeout when the connection is established, without having to do an extra statement to set the timeout.

Last... how about a write timeout?

[Macho0x]

@JalonSolov something like this for V Lang syntax for your three suggestions...?

1. Avoid Getters/Setters (V-idiomatic public fields)

// vlib/net/mbedtls/ssl_connection.c.v

@[params]
pub struct SSLConnectConfig {
pub:
    verify   string
    cert     string
    cert_key string
    validate bool
    in_memory_verification bool
    get_certificate ?fn (mut SSLListener, string) !&SSLCerts
    // Timeout as public field with default
    read_timeout time.Duration = $d('mbedtls_client_read_timeout_ms', 10_000) * time.millisecond
}

pub struct SSLConn {
pub:
    config SSLConnectConfig
pub mut:
    server_fd C.mbedtls_net_context
    ssl       C.mbedtls_ssl_context
    conf      C.mbedtls_ssl_config
    certs     &SSLCerts = unsafe { nil }
    handle    int
    duration  time.Duration
    opened    bool
    ip        string
    owns_socket bool
    // Public field - no getter/setter needed!
    read_timeout time.Duration
}
fn (mut s SSLConn) init() ! {
    // ...
    C.mbedtls_ssl_conf_read_timeout(&s.conf, u32(s.config.read_timeout.milliseconds()))
    s.read_timeout = s.config.read_timeout
    // ...
}

// NO getter/setter methods needed!
// V style: public fields are accessed directly
// Usage:
mut conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
    read_timeout: 300 * time.second
})!

// Or modify directly (V-idiomatic):
conn.read_timeout = 60 * time.second

Key difference: No read_timeout() or set_read_timeout() methods. In V, fields are made pub and accessed directly rather than using OOP encapsulation patterns.

2. Use Params Struct with Default Values

// vlib/net/mbedtls/ssl_connection.c.v
// Define a params struct with sensible defaults

@[params]
pub struct SSLConnectConfig {
pub:
    verify   string
    cert     string
    cert_key string
    validate bool = true  // Default: validate certificates
    in_memory_verification bool
    get_certificate ?fn (mut SSLListener, string) !&SSLCerts
    // Timeout with compile-time default (backward compatible)
    read_timeout time.Duration = $d('mbedtls_client_read_timeout_ms', 10_000) * time.millisecond
    // NEW: Also add write_timeout for completeness
    write_timeout time.Duration = $d('mbedtls_client_write_timeout_ms', 10_000) * time.millisecond
}

pub struct SSLConn {
pub:
    config SSLConnectConfig
pub mut:
    server_fd C.mbedtls_net_context
    ssl       C.mbedtls_ssl_context
    conf      C.mbedtls_ssl_config
    certs     &SSLCerts = unsafe { nil }
    handle    int
    duration  time.Duration
    opened    bool
    ip        string
    owns_socket bool
    // Public fields - direct access
    read_timeout time.Duration
    write_timeout time.Duration
}

fn (mut s SSLConn) init() ! {
    // ...
    C.mbedtls_ssl_conf_read_timeout(&s.conf, u32(s.config.read_timeout.milliseconds()))
    C.mbedtls_ssl_conf_write_timeout(&s.conf, u32(s.config.write_timeout.milliseconds()))
    s.read_timeout = s.config.read_timeout
    s.write_timeout = s.config.write_timeout
    // ...
}

// Usage - all configuration in ONE place at connection time:
mut conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
    read_timeout:  5 * time.minute,  // Long timeout for WebSocket
    write_timeout: 30 * time.second, // Shorter for writes
})!

// No need for extra statements after connection!
// The timeout is set during initialization from the config

Key difference: Configure everything in the params struct at connection time. No extra set_* calls needed after connection establishment.

3. Include Write Timeout (Completeness)

// vlib/net/mbedtls/ssl_connection.c.v
// Extended config with both timeouts

@[params]
pub struct SSLConnectConfig {
pub:
    verify   string
    cert     string
    cert_key string
    validate bool
    in_memory_verification bool
    get_certificate ?fn (mut SSLListener, string) !&SSLCerts
    read_timeout  time.Duration = $d('mbedtls_client_read_timeout_ms', 10_000) * time.millisecond
    write_timeout time.Duration = $d('mbedtls_client_write_timeout_ms', 10_000) * time.millisecond
}

pub struct SSLConn {
pub:
    config SSLConnectConfig
pub mut:
    server_fd C.mbedtls_net_context
    ssl       C.mbedtls_ssl_context
    conf      C.mbedtls_ssl_config
    certs     &SSLCerts = unsafe { nil }
    handle    int
    duration  time.Duration
    opened    bool
    ip        string
    owns_socket bool
    read_timeout  time.Duration
    write_timeout time.Duration
}

// Connection initialization sets both timeouts
fn (mut s SSLConn) init() ! {
    // ...
    C.mbedtls_ssl_conf_read_timeout(&s.conf, u32(s.config.read_timeout.milliseconds()))
    C.mbedtls_ssl_conf_write_timeout(&s.conf, u32(s.config.write_timeout.milliseconds()))
    s.read_timeout = s.config.read_timeout
    s.write_timeout = s.config.write_timeout
    // ...
}

// Error messages updated for both timeouts
match res {
    C.MBEDTLS_ERR_SSL_TIMEOUT {
        return error_with_code(
            'net.mbedtls SSLConn.socket_read_into_ptr, did not receive any data within ${s.read_timeout.milliseconds()}ms.',
            res
        )
    }
    // ... handle write timeout similarly in write operations
}

// Usage with both timeouts:
mut api_conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
    read_timeout:  10 * time.second,
    write_timeout: 10 * time.second,
})!
mut ws_conn := mbedtls.new_ssl_conn(mbedtls.SSLConnectConfig{
    read_timeout:  5 * time.minute,   // Long read for WebSocket
    write_timeout: 30 * time.second,  // Normal write
})!

Key difference: Adds write_timeout alongside read_timeout for API completeness, following the same pattern.

[JalonSolov]

One wrench is that mbedtls doesn't appear to have a write timeout setting. At all.

Another is that there seems to be too much code for the changes required for read timeout.

For example, if SSLConnectConfig was embedded in SSLConn, the read_timeout field wouldn't need to be duplicated - it could just be used directly. The extra

    s.read_timeout = s.config.read_timeout

wouldn't be needed at all, and the new_ssl_conn would look like

mut conn := mbedtls.new_ssl_conn(mbedtls.SSLConn{
    read_timeout:  5 * time.minute,  // Long timeout for WebSocket
})!

Also this would no longer be needed

    C.mbedtls_ssl_conf_read_timeout(&s.conf, u32(s.config.read_timeout.milliseconds()))

since all it does is set the SSLConn.read_timeout to whatever was in SSLConnectConfig.read_timeout... but if SSLConnectConfig is embedded, it would be the same field - this call would be setting it to itself, like a = a... dead code.

In all cases, no matter what changes are done, tests would need to ensure that the changes worked correctly, and new tests may need to be added to ensure the read_timeout is being honored.