[Libwebsockets] iOS 9 issue

Andy Green andy at warmcat.com
Tue Oct 20 05:38:02 CEST 2015



On 20 October 2015 01:15:35 GMT+08:00, Jon Mansey <jon at mansey.com> wrote:
>Hi List, So some progress, myself and another user both get red failure
>message when using the test server in ssl mode from iOS9 safari
>browser. I can make it (and my app with js client) work if I manually
>install the ca cert as a profile on the iOS device. But I have a real
>cert on my server (i.e. not self signed), and mobile safari opens https
>pages on it just fine without asking to accept a cert, or saying
>untrusted, so I would have to guess the cert is properly
>installed/loaded into the phone’s certificate store. Seems the
>websocket client isn’t accessing it properly, or looking for something
>different, that manually installing the cert satisfies. No problem with
>desktop browsers, or Chrome on android, just iOS9 has this issue.
>
>Any further thoughts on next steps gratefully welcomed. I'm inclined to
>go to apple developers next, or is this a lws issue?

I dunno.  But the fact it works on other platforms suggests you at least need to look closer at the exact failure mechanism on the bad platform.

There are some #if APPLE type conditionals in lws but nothing like #ifdef APPLE break ssl AFAIK.

-Andy

>Jon
>
>
>On 16 October 2015 17:59:41 GMT+09:00, Roger Light <roger at atchoo.org> wrote:
>>Hi all,
>>
>>I'm hoping for some help with a problem I've had reported to me by a
>>user. When he connects to my program on a TLS socket provided through
>>libwebsockets using Safari on OS X everything is fine. On iOS 9 using
>>Safari or the web app it fails with the error:
>>
>>WebSocket network error: The operation couldn't be completed.
>>(OSStatus error -9807.)
>>
>>The log on the server looks like:
>>
>>insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>>inserted SSL accept into fds, trying SSL_accept
>>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>SSL_ERROR_WANT_READ
>>SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>>SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>>close: just_kill_connection
>>remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>>not calling back closed
>>insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>>inserted SSL accept into fds, trying SSL_accept
>>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>SSL_ERROR_WANT_READ
>>SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>SSL_ERROR_WANT_READ
>>SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>>SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>>close: just_kill_connection
>>remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>>not calling back closed
>>
>>This suggests to me something is failing in the DH lib part - maybe
>>something to do with ciphers. Current libwebsockets doesn't configure
>>DH cipher parameters which does mean that the list of ciphers it
>>supports is smaller than it could be. I've created a patch[1] that
>>adds this support, but my user says it didn't help. He's now testing
>>using the lws test server, so the bug does look to be here, or in iOS
>>9.
>>
>>I'm at a bit of a loss as to what to try next, so I'm wondering if
>>anybody else has seen anything similar, or can help with the debugging
>>process - I've not got access to any iOS devices.
>>
>>I'll still be submitting the patch as a pull request, it's still
>>useful, but would like to make sure there isn't anything else missing
>>first. The accepted answer at [2] shows a shell script for finding
>>server supported ciphers so you can see what the patch achieves.
>
>Just googling around, this
>
>http://stackoverflow.com/questions/23479376/openssl-ssl-accept-error-5
>
>says something like your patch is needed if DH is the chosen cypher.
>
>So it's interesting to know which cypher was used in the OSX case that
>worked.  On, eg, chrome, you can click something on the left of the url
>bar to find out.
>
>-Andy
>
>>Cheers,
>>
>>Roger
>>
>>
>>[1] https://github.com/ralight/libwebsockets/tree/ssl-dh
>>[2] http://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers




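An added example, not part of the thread or of libwebsockets: a small C decoder for the `SSL_accept failed N / error:HEX` lines in the server log quoted above. In that log the hex field equals N with lib(0) and func(0), which is what you get when the `SSL_get_error()` result (5 is `SSL_ERROR_SYSCALL`, 2 is `SSL_ERROR_WANT_READ`) is run through OpenSSL's error-string formatter; "DH lib" and "system lib" are the generic reason names for codes 5 and 2, so the text alone does not show a Diffie-Hellman failure. The function and struct names are hypothetical, and the bit layout assumed is the OpenSSL 1.0.x one.

```c
#include <stdio.h>

/* SSL_get_error() results as defined in OpenSSL's ssl.h (0..8). */
const char *ssl_err_name(int e)
{
    static const char *const n[] = {
        "SSL_ERROR_NONE", "SSL_ERROR_SSL", "SSL_ERROR_WANT_READ",
        "SSL_ERROR_WANT_WRITE", "SSL_ERROR_WANT_X509_LOOKUP", "SSL_ERROR_SYSCALL",
        "SSL_ERROR_ZERO_RETURN", "SSL_ERROR_WANT_CONNECT", "SSL_ERROR_WANT_ACCEPT" };
    return (e >= 0 && e <= 8) ? n[e] : "unknown";
}

struct accept_fail {
    int ssl_err;                 /* number printed after "SSL_accept failed" */
    unsigned long packed;        /* hex field printed after "error:" */
    unsigned lib, func, reason;  /* assumed OpenSSL 1.0.x layout: 8/12/12 bits */
};

/* Returns 1 and fills *f for "SSL_accept failed N / error:HEX..." lines. */
int parse_accept_fail(const char *line, struct accept_fail *f)
{
    if (sscanf(line, "SSL_accept failed %d / error:%lx", &f->ssl_err, &f->packed) != 2)
        return 0;
    f->lib = (f->packed >> 24) & 0xff;
    f->func = (f->packed >> 12) & 0xfff;
    f->reason = f->packed & 0xfff;
    return 1;
}

/* -1: not such a record, 0: retry (WANT_READ/WANT_WRITE), 1: handshake is dead. */
int accept_fail_is_fatal(const char *line)
{
    struct accept_fail f;
    if (!parse_accept_fail(line, &f)) return -1;
    return !(f.ssl_err == 2 || f.ssl_err == 3);
}

/* 1 when the hex field is only the SSL_get_error() value (lib 0, func 0), so
 * the trailing text is a generic reason name, not an error-queue entry. */
int reason_text_is_artifact(const char *line)
{
    struct accept_fail f;
    if (!parse_accept_fail(line, &f)) return -1;
    return f.lib == 0 && f.func == 0 && f.packed == (unsigned long)f.ssl_err;
}

int main(void)
{
    /* Line copied from the server log quoted in this thread. */
    const char *l = "SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib";
    struct accept_fail f;
    if (parse_accept_fail(l, &f))
        printf("%s fatal=%d text_artifact=%d\n", ssl_err_name(f.ssl_err),
               accept_fail_is_fatal(l), reason_text_is_artifact(l));
    return 0;
}
```

With `SSL_ERROR_SYSCALL` as the real result, the next things to check are `errno` and whether the peer simply closed the connection during the handshake.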