[Libwebsockets] iOS 9 issue

Andy Green andy at warmcat.com
Fri Oct 16 11:37:05 CEST 2015



On 16 October 2015 17:59:41 GMT+09:00, Roger Light <roger at atchoo.org> wrote:
>Hi all,
>
>I'm hoping for some help with a problem I've had reported to me by a
>user. When he connects to my program on a TLS socket provided through
>libwebsockets using Safari on OS X everything is fine. On iOS 9 using
>Safari or the web app it fails with the error:
>
>WebSocket network error: The operation couldn't be completed.
>(OSStatus error -9807.)
>
>The log on the server looks like:
>
>insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>inserted SSL accept into fds, trying SSL_accept
>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>SSL_ERROR_WANT_READ
>SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>close: just_kill_connection
>remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>not calling back closed
>insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>inserted SSL accept into fds, trying SSL_accept
>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>SSL_ERROR_WANT_READ
>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>SSL_ERROR_WANT_READ
>SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>close: just_kill_connection
>remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>not calling back closed
>
>This suggests to me something is failing in the DH lib part - maybe
>something to do with ciphers. Current libwebsockets doesn't configure
>DH cipher parameters which does mean that the list of ciphers it
>supports is smaller than it could be. I've created a patch[1] that
>adds this support, but my user says it didn't help. He's now testing
>using the lws test server, so the bug does look to be here, or in iOS
>9.
>
>I'm at a bit of a loss as to what to try next, so I'm wondering if
>anybody else has seen anything similar, or can help with the debugging
>process - I've not got access to any iOS devices.
>
>I'll still be submitting the patch as a pull request, it's still
>useful, but would like to make sure there isn't anything else missing
>first. The accepted answer at [2] shows a shell script for finding
>server supported ciphers so you can see what the patch achieves.

Just googling around, this

http://stackoverflow.com/questions/23479376/openssl-ssl-accept-error-5

says something like your patch is needed if DH is the chosen cypher.

So it's interesting to know which cypher was used in the OS X case that worked. On, e.g., Chrome, you can click something on the left of the URL bar to find out.

-Andy

>Cheers,
>
>Roger
>
>
>[1] https://github.com/ralight/libwebsockets/tree/ssl-dh
>[2] http://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers
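
A small parser for the server log quoted above, added here as an example (it is not code from the thread or from libwebsockets). It assumes the number before the slash is the SSL_get_error() result, which the SSL_ERROR_WANT_READ lines following each code 2 suggest, and it uses the OpenSSL 1.0.x packed error-code layout; it separates the non-blocking retries from the failure that closes the connection.

```python
import re

# SSL_get_error() return values (OpenSSL 1.0.x ssl.h)
SSL_GET_ERROR = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL",
                 2: "SSL_ERROR_WANT_READ", 3: "SSL_ERROR_WANT_WRITE",
                 4: "SSL_ERROR_WANT_X509_LOOKUP", 5: "SSL_ERROR_SYSCALL",
                 6: "SSL_ERROR_ZERO_RETURN"}
RETRYABLE = {2, 3}  # normal on a non-blocking socket: call SSL_accept again

# Lines copied from the server log quoted in the message above
LOG = """\
inserted SSL accept into fds, trying SSL_accept
SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
SSL_ERROR_WANT_READ
SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
close: just_kill_connection
"""

# Assumption: "<n> /" is the SSL_get_error() value, the hex field a packed code
LINE = re.compile(r"SSL_accept failed (\d+) / error:([0-9A-Fa-f]{8}):(.*)$")

def unpack(code):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(log):
    """Return one record per 'SSL_accept failed <n> / error:...' line."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ssl_err = int(m.group(1))
        lib, func, reason = unpack(int(m.group(2), 16))
        records.append({
            "ssl_get_error": SSL_GET_ERROR.get(ssl_err, "unknown"),
            "retryable": ssl_err in RETRYABLE,
            "lib": lib, "func": func, "reason": reason,
            # True when the hex code is only the number before the slash
            # with empty lib and func fields
            "code_equals_ssl_get_error": lib == 0 and func == 0 and reason == ssl_err,
            "text": m.group(3),
        })
    return records

if __name__ == "__main__":
    for rec in classify(LOG):
        print(rec)
```

On the quoted lines, code 2 is a retry and code 5 (SSL_ERROR_SYSCALL) is the terminal failure; in both, the hex code has empty library and function fields and equals the number before the slash.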
