I have written web socket server with the help of (libwebsocket library )which accepts web socket client connection for non SSL.
Now I wanted it to accept SSL connection so I have generated the self signed certificate and key, while creating web socket context I have given the key and certificate path and option LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT as well.
But while making https connection using wss://ip:7681 from I am getting connection request callback i.e LWS_CALLBACK_SERVER_NEW_CLIENT_INSTANTIATED and after that LWS_CALLBACK_WSI_DESTROY and in browser getting console error about not able to connect.
Firefox can’t establish a connection to the server at wss://192.168.4.254:7681/.
Please check the following server side code used for creating openSSL based web socket server.
struct lws_protocols WebSocketCommon::protocols[ 2 ] = { {"wss", WebSocketCommon::callback, 0, 0 },{ NULL, NULL, 0, 0 } };
int callback ( struct lws *wsi, enum lws_callback_reasons reason, void *user, void *in, size_t len ) {
switch ( reason ) {
case LWS_CALLBACK_SERVER_NEW_CLIENT_INSTANTIATED:
{
//code
break;
}
case LWS_CALLBACK_WSI_DESTROY:
{
//code
break;
}
case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS: {
Log::d( m_r_logger, TAG, "LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS\n");
SSL_CTX_load_verify_locations( (SSL_CTX*) user, NULL, getenv(SSL_CERT_FILE_PATH) );
break;
}
default: {
break;
}
}
return lws_callback_http_dummy(wsi, reason, user, in, len);
}
void createContext (bool useSSL) {
struct lws_context_creation_info info;
memset( &info, 0, sizeof(struct lws_context_creation_info) );
info.port = 7681;
info.uid = -1;
info.gid = -1;
info.protocols = protocols;
info.mounts = &mount;
info.extensions = exts;
info.timeout_secs = 5;
info.ip_limit_ah = 24; /* for testing */
info.ip_limit_wsi = 400; /* for testing */
// Following options for openSSL certificate
if(useSSL){
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT | LWS_SERVER_OPTION_DISABLE_IPV6 | LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED | LWS_SERVER_OPTION_IGNORE_MISSING_CERT;
info.ssl_cert_filepath = SSL_CERT_FILE_PATH;
info.ssl_private_key_filepath = SSL_PRIVATE_KEY_PATH;
}
fContext = lws_create_context( &info );
}
I am getting following logs while creating web socket context and accepting wss connection.
WebSocket.cpp:638...... :createContext ( ) - begin
WebSocket.cpp:640...... : createContext - fReferenceCount = 0
WebSocket.cpp:324...... : Creating Vhost 'default' port 7681, 1 protocols, IPv6 off
WebSocket.cpp:324...... : Using SSL mode
WebSocket.cpp:324...... : SSL ECDH curve 'prime256v1'
WebSocket.cpp:612...... : LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS
WebSocket.cpp:324...... : lws_tls_client_create_vhost_context: doing cert filepath /etc/nginx /ssl/mycert.crt
WebSocket.cpp:324...... : Loaded client cert /etc/nginx/ssl/mycert.crt
WebSocket.cpp:324...... : lws_tls_client_create_vhost_context: doing private key filepath
WebSocket.cpp:324...... : Loaded client cert private key /etc/nginx/ssl/mykey.key
WebSocket.cpp:324...... : created client ssl context for default
WebSocket.cpp:684...... : lws_create_context SUCCEEDED
WebSocket.cpp:759...... : start Starting Service Thread.
WebSocket.cpp:705...... : createContext - fReferenceCount = 1
WebSocket.cpp:706...... : createContext - end
Following is library versions I am using.
libwebsocket.so 13
OpenSSL 1.0.2o 27 Mar 2018
Please let me know what is going wrong ?
The problem is possibly not related to libwebsockets, but rather to do with Firefox being fussy about allowing connections to WSS that have a self signed certificate. Try to connect to your server from some other program, e.g., a simple python program.
related:
What is the problem with Websocket and Self-Signed SSL certificate
Firefox disconnects websockets connection for a self signed certificate
Related
When I am trying to migrate to Jetty 9.4.x from Jetty 8.1.12, I am getting errors because of following issue.
We use connector.getConnection() method. And I did not find any replacement in Jetty 9.4.x.
This is followup question on Jetty upgrade 8 to 9
We use connector.getConnection() to get inet socket address.
private InetSocketAddress findFirstInetConnector(Server server) {
Connector[] connectors = server.getConnectors();
if (connectors != null) {
for (Connector connector : connectors) {
Object connection = connector.getConnection();
if (connection instanceof ServerSocketChannel) {
SocketAddress address = ((ServerSocketChannel) connector.getConnection()).socket().getLocalSocketAddress();
if (address instanceof InetSocketAddress) {
return (InetSocketAddress) address;
}
} else if (connection instanceof ServerSocket) {
SocketAddress address = ((ServerSocket) connector.getConnection()).getLocalSocketAddress();
if (address instanceof InetSocketAddress) {
return (InetSocketAddress) address;
}
}
}
}
return null;
}
Can anyone help me find replacement for the same.
A Connector has no Connection anymore.
You cannot just arbitrarily get a SocketAddress or InetSocketAddress out of it anymore.
Why?
Well, we have logical connectors, physical connectors, non-network connectors, network connectors, server connectors, local connectors, pipe based connectors, jni based connectors, unixsocket based connectors, etc...
You'll have to create the InetSocketAddress you want from the information on a started and running connector (such as the NetworkConnector localPort and host).
To walk the connector information you can ...
for (Connector connector : server.getConnectors())
{
// What is the connector name (can be null or unset)
String connectorName = connector.getName();
// What is the declared protocol default for this connector?
String defaultProtocol = connector.getDefaultConnectionFactory().getProtocol();
// What other features does this connector handle?
for (ConnectionFactory connectionFactory : connector.getConnectionFactories())
{
// List of protocols handled by this specific connection factory for this specific connector
connectionFactory.getProtocols();
if (connectionFactory instanceof SslConnectionFactory)
{
// this can handle TLS/SSL based connections
}
if (connectionFactory instanceof HttpConnectionFactory)
{
// this can handle http protocols
// get the http specific configuration
HttpConfiguration httpConfig = ((HttpConnectionFactory) connectionFactory).getHttpConfiguration();
// what port is recognized as secure
httpConfig.getSecurePort();
// what scheme is recognized as secure
httpConfig.getSecureScheme();
}
if (connectionFactory instanceof HTTP2ServerConnectionFactory)
{
// can handle encrypted http/2 protocols (and alpn features)
}
if (connectionFactory instanceof HTTP2CServerConnectionFactory)
{
// this can handle http/2's special clear-text "h2c" protocol (no alpn features)
}
}
if (!connector.isRunning())
{
// no information below can be trusted unless the connector is started
continue;
}
if (connector instanceof NetworkConnector)
{
// we have a network capable connector
NetworkConnector networkConnector = (NetworkConnector) connector;
// What interface is it listening on?
String interfaceName = networkConnector.getHost();
// What local port is it bound to?
int localPort = networkConnector.getLocalPort();
}
}
Here is my procedure in OpenSSL Server Mode,
Initialization Part of SSL and BIO variables:
map<int, SSL> m_SSLMap;
map<int, BIO> m_BioWriteMap;
map<int, BIO> m_BioReadMap;
int InitializeServerNegotiationMode(int iFd)
{
SSL *pServSslFd;
BIO *pWb, *pRb;
pServSslFd = SSL_new(m_pCtx);
assert(pServSslFd);
if ( SSL_version(pServSslFd) == DTLS1_VERSION)
{
pWb = BIO_new(BIO_s_mem());
pRb = BIO_new(BIO_s_mem());
assert(pWb);
assert(pRb);
SSL_set_bio(pServSslFd, pRb, pWb);
SSL_set_accept_state(pServSslFd);
}
m_SSLMap[iFd] = *pServSslFd;
m_BioReadMap[iFd] = *pRb;
m_BioWriteMap[iFd] = *pWb;
return INITIALIZATION_SUCCESS;
}
Server Mode Negotiation Operations when DTLS data comes to the server:
int ServerModeDTLSNegotiation(int iChannel, const char *pBuff, const int iLen, int iFd)
{
SSL *pServSslFd;
BIO *pRbio;
BIO *pWbio;
pServSslFd = &m_SSLMap[iFd];
pRbio = &m_BioReadMap[iFd];
pWbio = &m_BioWriteMap[iFd];
char buff[4096];
memset(buff, 0, strlen(buff));
BIO_write(pRbio, pBuff, iLen);
if(!SSL_is_init_finished(pServSslFd))
{
int iRet = SSL_do_handshake(pServSslFd);
}
int iNewLen = BIO_read(pWbio, buff, 2048);
if(iNewLen>0)
{
char *pNewData = new char[iNewLen+1];
for(int i=0;i<iNewLen;i++)
pNewData[i] = buff[i];
m_pEventHandler->SendReply(iChannel, (unsigned char *)pNewData, iNewLen);
}
else
{
printf("[DTLS]:: HandShaking Response failed for this data,
return -1;
}
return NEGOTIATION_SUCCESS;
}
Here I am attaching Wireshark TCP-Dump for better monitoring about the issue.
https://www.dropbox.com/s/quidcs6gilnvt2o/WebRTC%20DTLS%20Handshake%20Failure.pcapng?dl=0
Now, I am confident about my initialization of SSL_CTX variable. Because, Sometimes Handshake successfully negotiate for every port. But sometimes Handshake fails for one or two port. I am working for 5 days to solve WebRTC DTLS Server Mode Negotiation for Google Chrome. But I haven't found the root cause for this problem.
The link for TCP-Dump is not working.
Anyway, it seems your solution should work.
As it's a server program, it's definitely multi threaded. But it's really dangerous to initialize SSL variables or to perform handshake procedure without locking. In that case so many things can happen if these two methods are processed by multiple thread.
My suggestion is to add locking mechanism for these methods.
I am writing a C++ program that connects using SSL. The certificate chain checks out using:
openssl verify -CAfile test.pem private.pem
where test.pem contains the intermediate and root certificate. My test program does not verify the certificate chain.
if ( !SSL_CTX_load_verify_locations( ctx, "c:/Certs/test.pem", NULL ) ) {
// Failure message and cleanup goes here.
}
SSL* ssl;
BIO* bio = BIO_new_ssl_connect( ctx );
BIO_get_ssl( bio, &ssl );
SSL_set_mode( ssl, SSL_MODE_AUTO_RETRY );
BIO_set_conn_hostname( bio, "url.com:https" );
if ( BIO_do_connect( bio ) <= 0 ) {
// Failure message and cleanup goes here.
}
if ( SSL_get_verify_result( ssl ) != X509_V_OK ){
// Here is where I get the error 20...
// Free all resources and exit.
}
OpenSSL documentation describes error 20 as:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate.
The issuer certificate could not be found: this occurs if the issuer certificate of an
untrusted certificate cannot be found.
I need help identifying the problem and how to solve it. I am certain the certificates I have are correct.
It seems the certificate or certificate chain is not trusted.
You can load your own from a pem file before trying to connect by using:
int rc = SSL_CTX_load_verify_locations(ssl_context, file_name, NULL);
if (rc != 1) { // verify authentication result
g_warning("Load of certificates failed!: %s", X509_verify_cert_error_string(ERR_get_error()));
return FALSE;
}
Additionally you can load from memory directly.
With something like this:
char *chain_certs = "------- BEGIN CERTIFICAT...."; /// <<< YOUR CERTIFICATE CHAIN
// Load chain of certs
X509 *cacert=NULL;
BIO *mem = BIO_new_mem_buf(chain_certs,strlen(chain_certs));
X509_STORE *cert_store = SSL_CTX_get_cert_store(ssl_context);
if(cert_store!=NULL){
int index = 0;
while ((cacert = PEM_read_bio_X509(mem, NULL, 0, NULL))!=NULL) {
if(cacert) {
g_debug("Our certificate name is %s", cacert->name);
X509_STORE_add_cert(cert_store, cacert);
X509_free(cacert);
cacert=NULL;
} /* Free immediately */
index++;
}
}
BIO_free(mem);
I need to connect my cross-platform program to a SOAP web service. I have compiled the gSOAP tools wsdl2h and soapcpp2 and with these tools I have generated the source code files from from the .wsdl file. I have putted in the stdsoap2.h the define "#define WITH_OPENSSL" and in this way SSL are used. The problem is that when i call the service the call return ERROR 30 that means SSL ERROR but i don't know what is really the problem. I know the server send a self-signed certificate because this is a testing environment. Indeed an error message related this is printed. The output is:
Creating SOAP objects ...
Calling SOAP httpAccessService:
SSL verify error or warning with certificate at depth 0: self signed certificate
certificate issuer /C=IT/ST=Milan/L=Milan/O=Company/OU=Company/CN=company.it
certificate subject /C=IT/ST=Milan/L=Milan/O=Company/OU=Company/CN=company.it
SOAP ERROR 30
The function i use to call the service is this:
void gSOAPTesting::runTest()
{
int result = 0;
size_t requestSize;
size_t responseSize;
char endpoint[1024];
char buffer[8192];
string SoapAction;
struct soap *soap_container;
ApplicationConfigurationServiceSoapBindingProxy Proxy1;
_ns1__httpAccessService *httpAccessService;
_ns1__httpAccessServiceResponse *httpAccessServiceResponse;
printf("Creating SOAP objects ...\n");
soap_container = soap_new();
//soap_container->mode
httpAccessService = (_ns1__httpAccessService *) soap_instantiate(soap_container , SOAP_TYPE___ns1__httpAccessService , "" , "" , &requestSize);
httpAccessServiceResponse = (_ns1__httpAccessServiceResponse *) soap_instantiate(soap_container , SOAP_TYPE___ns1__httpAccessService , "" , "" , &responseSize);
soap_ssl_init(); /* init OpenSSL (just once) */
if(soap_ssl_client_context(soap_container ,
SOAP_SSL_DEFAULT ,
NULL,
NULL,
NULL,
NULL,
NULL
) != SOAP_OK)
{
printf("SOAP SSL Initialization Failure\n");
soap_print_fault(soap_container , stderr);
return ;
}
printf("Calling SOAP httpAccessService:\n");
SoapAction.clear();
SoapAction.append(SOAP_NAMESPACE_OF_ns1);
SoapAction.append("/");
SoapAction.append("httpAccessService");
result = Proxy1.httpAccessService("https://XXX.XXX.XXX.XXX:XXXX" , NULL , httpAccessService , httpAccessServiceResponse);
if(result == SOAP_OK)
{
printf("SOAP OK\n");
}
else
{
printf("SOAP ERROR %d\n" , result);
if(soap_check_state(soap_container) ) printf("Error: request soap struct not initialized\n");
if(httpAccessService->soap == NULL)
{
printf("Error: NULL request SOAP struct\n");
return;
}
if(httpAccessService->soap->endpoint == NULL) printf("Error: Empty request endpoint\n");
soap_stream_fault(soap_container , std::cout);
}
}
Any help is appreciated.
The problem is related the certificate that is not trusted because is self-signed. If I comment these lines in stdsoap2.cpp...
if (!ok)
{ soap_set_sender_error(soap, "SSL/TLS error", "SSL/TLS certificate host name mismatch in tcp_connect()", SOAP_SSL_ERROR);
soap->fclosesocket(soap, sk);
return SOAP_INVALID_SOCKET;
}
...the certificate is accepted even if the it is issued by an unknown authority.
if (soap_ssl_client_context(&soap,
SOAP_SSL_NO_AUTHENTICATION,
NULL , NULL,
NULL, /* ````````````````````````````````*/
NULL,NULL )!= SOAP_OK)
{
If you are ok ignoring the host you can do something like above instead of commneting stuff in generated files
I have a working application that establishes an SSL connection to a server. The server uses a self-signed certificate and the client loads a certificate authority chain to tell it that the server is OK to trust. I did that with code like this on the client:
SSL_METHOD* method = TLSv1_client_method();
_ctx = SSL_CTX_new(method);
if ( SSL_CTX_load_verify_locations(_ctx, "ca-all.crt", NULL) != 1 )
{
return false;
}
_ssl = SSL_new(_ctx);
int val = SSL_set_fd(_ssl, _socket->GetFD());
if ( val != SSL_SUCCESS )
{
int err = SSL_get_error(_ssl, val);
return false;
}
val = SSL_connect(_ssl);
And on the server:
if ( SSL_CTX_use_certificate_chain_file( g_ctx, "ca-chain1.crt" ) <= 0 ) {
return 1;
}
ppem_file = getenv( "PEM_FILE" );
if ( ppem_file == NULL ) {
ppem_file = pem_file;
}
if ( SSL_CTX_use_certificate_file( g_ctx, ppem_file,
SSL_FILETYPE_PEM ) <= 0 ) {
return 1;
}
if ( SSL_CTX_use_PrivateKey_file( g_ctx, ppem_file,
SSL_FILETYPE_PEM ) <= 0 ) {
return 2;
}
I'm trying to modify this code so that the server also verifies the client's peer certificate (self-signed, using same issuer as the server) and having a bit of trouble. I haven't found good "conceptual overview" documentation anywhere, and that seems to be a typical hurdle with the OpenSSL libraries.
On the client I added this after the SSL_CTX_load_verify_locations() call:
if ( SSL_CTX_use_certificate_file(_ctx, "generic_client.pem", SSL_FILETYPE_PEM ) != 1 )
{
return false;
}
On the server I added this after the SSL_CTX_use_PrivateKey_file() call:
STACK_OF(X509_NAME) *list;
list = SSL_load_client_CA_file( "ca_chain2.crt" );
if( list == NULL ) {
return 4;
}
SSL_CTX_set_client_CA_list( g_ctx, list );
SSL_CTX_set_verify( g_ctx, SSL_VERIFY_PEER, NULL );
The connection fails because the certificate doesn't validate. The client seems to load the certificate fine and if I comment out the SSL_CTX_set_verify line, the client connects without trouble (because its certificate is never verified).
It seems that the server doesn't think that the client's certificate authority chain is good. What am I missing here?
From the commandline I can run:
openssl verify -CAfile ca-chain2.crt generic_client.pem
And it passes, so I have the right certificate data available, I must just be using it wrong somehow.
On the server, you must also call SSL_CTX_load_verify_locations(). This function tells the server what certificates to use for certificate verification; the SSL_CTX_set_client_CA_list() function sets the list of allowed CAs that are sent to the client in the handshake. Both are required.
(You also need a SSL_CTX_use_PrivateKey_file() call on the client, after the use_certificate_file call, but I guess you're doing that and just left it out).
SSL_CTX_set_client_CA_list sets the CA list. A CA certificate, by definition, is distinct from a user certificate (e.g. it has the CA bit set). So I recommend you create a proper CA (whose CA certificate is self-signed), and use that to sign both the client and the server certificate. I assume that OpenSSL isn't expecting that the client will actually use the CA certificate for communication also.