[Libwebsockets] iOS 9 issue

Jon Mansey jon at mansey.com
Mon Oct 19 19:15:35 CEST 2015


Hi List, So some progress: myself and another user both get a red failure message when using the test server in SSL mode from the iOS 9 Safari browser. I can make it (and my app with JS client) work if I manually install the CA cert as a profile on the iOS device. But I have a real cert on my server (i.e. not self-signed), and mobile Safari opens https pages on it just fine without asking to accept a cert, or saying untrusted, so I would have to guess the cert is properly installed/loaded into the phone's certificate store. Seems the websocket client isn't accessing it properly, or looking for something different, that manually installing the cert satisfies. No problem with desktop browsers, or Chrome on Android, just iOS 9 has this issue.

Any further thoughts on next steps gratefully welcomed. I'm inclined to go to Apple developers next, or is this a lws issue?

Jon


On 16 October 2015 17:59:41 GMT+09:00, Roger Light <roger at atchoo.org> wrote:
>Hi all,
>
>I'm hoping for some help with a problem I've had reported to me by a
>user. When he connects to my program on a TLS socket provided through
>libwebsockets using Safari on OS X everything is fine. On iOS 9 using
>Safari or the web app it fails with the error:
>
>WebSocket network error: The operation couldn't be completed.
>(OSStatus error -9807.)
>
>The log on the server looks like:
>
>insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>inserted SSL accept into fds, trying SSL_accept
>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>SSL_ERROR_WANT_READ
>SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>close: just_kill_connection
>remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>not calling back closed
>insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>inserted SSL accept into fds, trying SSL_accept
>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>SSL_ERROR_WANT_READ
>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>SSL_ERROR_WANT_READ
>SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>close: just_kill_connection
>remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>not calling back closed
>
>This suggests to me something is failing in the DH lib part - maybe
>something to do with ciphers. Current libwebsockets doesn't configure
>DH cipher parameters which does mean that the list of ciphers it
>supports is smaller than it could be. I've created a patch[1] that
>adds this support, but my user says it didn't help. He's now testing
>using the lws test server, so the bug does look to be here, or in iOS
>9.
>
>I'm at a bit of a loss as to what to try next, so I'm wondering if
>anybody else has seen anything similar, or can help with the debugging
>process - I've not got access to any iOS devices.
>
>I'll still be submitting the patch as a pull request, it's still
>useful, but would like to make sure there isn't anything else missing
>first. The accepted answer at [2] shows a shell script for finding
>server supported ciphers so you can see what the patch achieves.

Just googling around, this

http://stackoverflow.com/questions/23479376/openssl-ssl-accept-error-5

says something like your patch is needed if DH is the chosen cypher.

So it's interesting to know which cypher was used in the OSX case that worked. On, e.g., Chrome, you can click something on the left of the URL bar to find out.

-Andy

>Cheers,
>
>Roger
>
>
>[1] https://github.com/ralight/libwebsockets/tree/ssl-dh
>[2]
>http://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers
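A triage helper for the server log quoted in this thread, added here as an example and not part of any message or of libwebsockets. It assumes the number after "SSL_accept failed" is the `SSL_get_error()` result (the log pairs 2 with `SSL_ERROR_WANT_READ`); under that assumption, a hex error code equal to the same small integer means the trailing text ("system lib", "DH lib") was decoded from that integer and is not an entry from the OpenSSL error queue. `triage` and `fatal` are hypothetical names.

```python
import re

# SSL_get_error() return values as defined in openssl/ssl.h.
SSL_GET_ERROR = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
}
# Non-blocking handshake not finished yet; retry when the socket is ready.
RETRYABLE = {2, 3}

LINE = re.compile(
    r"SSL_accept failed (\d+) / error:([0-9A-Fa-f]{8}):[^:]*:[^:]*:(.*)$")

# One connection attempt, copied from the log quoted in the thread.
SAMPLE_LOG = """\
insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
inserted SSL accept into fds, trying SSL_accept
SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
SSL_ERROR_WANT_READ
SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
close: just_kill_connection
"""

def triage(log_text):
    """Return one finding per 'SSL_accept failed N / error:...' line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line.lstrip("> "))  # tolerate e-mail quote markers
        if not m:
            continue
        code, packed = int(m.group(1)), int(m.group(2), 16)
        findings.append({
            "code": code,
            "meaning": SSL_GET_ERROR.get(code, "unknown"),
            "retryable": code in RETRYABLE,
            "logged_text": m.group(3).strip(),
            # Assumption: hex code == SSL_get_error() value means the text was
            # derived from that integer, so it says nothing about the library.
            "text_is_artifact": packed == code,
        })
    return findings

def fatal(findings):
    """Findings that ended the handshake rather than asking for a retry."""
    return [f for f in findings if not f["retryable"]]
```

On the sample, the only fatal entry is code 5, `SSL_ERROR_SYSCALL`, with the "DH lib" text flagged as an artifact of how the code was printed.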
