[Libwebsockets] iOS 9 issue

Jon Mansey jon at mansey.com
Tue Oct 20 05:47:41 CEST 2015


Here's the original thread I posted on the Eclipse Paho forum:

https://www.eclipse.org/forums/index.php?t=rview&goto=1710554#msg_1710554

The JS console error message on failure is

WebSocket network error: The operation couldn't be completed. (OSStatus error -9807.)

which resolves to "invalid certificate chain".

I’ve tried multiple permutations of cert chain, all of which seem to work fine on other platforms except iOS.

Andy, have you seen an iOS Safari connecting successfully to your websocket test server in SSL mode?

jon

> On Oct 19, 2015, at 8:38 PM, Andy Green <andy at warmcat.com> wrote:
> 
> 
> 
> On 20 October 2015 01:15:35 GMT+08:00, Jon Mansey <jon at mansey.com> wrote:
>> Hi List, So some progress, myself and another user both get red failure
>> message when using the test server in ssl mode from iOS9 safari
>> browser. I can make it (and my app with js client) work if I manually
>> install the CA cert as a profile on the iOS device. But I have a real
>> cert on my server (i.e. not self signed), and mobile safari opens https
>> pages on it just fine without asking to accept a cert, or saying
>> untrusted, so I would have to guess the cert is properly
>> installed/loaded into the phone’s certificate store. Seems the
>> websocket client isn’t accessing it properly, or looking for something
>> different, that manually installing the cert satisfies. No problem with
>> desktop browsers, or Chrome on android, just iOS9 has this issue.
>> 
>> Any further thoughts on next steps gratefully welcomed. I'm inclined to
>> go to apple developers next, or is this a lws issue?
> 
> I dunno.  But the fact it works on other platforms suggests you at least need to look closer at the exact failure mechanism on the bad platform.
> 
> There are some #if APPLE type conditionals in lws but nothing like #ifdef APPLE break ssl AFAIK.
> 
> -Andy
> 
>> Jon
>> 
>> 
>> On 16 October 2015 17:59:41 GMT+09:00, Roger Light <roger at atchoo.org> wrote:
>>> Hi all,
>>> 
>>> I'm hoping for some help with a problem I've had reported to me by a
>>> user. When he connects to my program on a TLS socket provided through
>>> libwebsockets using Safari on OS X everything is fine. On iOS 9 using
>>> Safari or the web app it fails with the error:
>>> 
>>> WebSocket network error: The operation couldn't be completed.
>>> (OSStatus error -9807.)
>>> 
>>> The log on the server looks like:
>>> 
>>> insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>>> inserted SSL accept into fds, trying SSL_accept
>>> SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>> SSL_ERROR_WANT_READ
>>> SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>>> SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>>> close: just_kill_connection
>>> remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>>> not calling back closed
>>> insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>>> inserted SSL accept into fds, trying SSL_accept
>>> SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>> SSL_ERROR_WANT_READ
>>> SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>> SSL_ERROR_WANT_READ
>>> SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>>> SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>>> close: just_kill_connection
>>> remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>>> not calling back closed
>>> 
>>> This suggests to me something is failing in the DH lib part - maybe
>>> something to do with ciphers. Current libwebsockets doesn't configure
>>> DH cipher parameters which does mean that the list of ciphers it
>>> supports is smaller than it could be. I've created a patch[1] that
>>> adds this support, but my user says it didn't help. He's now testing
>>> using the lws test server, so the bug does look to be here, or in iOS
>>> 9.
>>> 
>>> I'm at a bit of a loss as to what to try next, so I'm wondering if
>>> anybody else has seen anything similar, or can help with the debugging
>>> process - I've not got access to any iOS devices.
>>> 
>>> I'll still be submitting the patch as a pull request, it's still
>>> useful, but would like to make sure there isn't anything else missing
>>> first. The accepted answer at [2] shows a shell script for finding
>>> server supported ciphers so you can see what the patch achieves.
>> 
>> Just googling around, this
>> 
>> http://stackoverflow.com/questions/23479376/openssl-ssl-accept-error-5
>> 
>> says something like your patch is needed if DH is the chosen cypher.
>> 
>> So it's interesting to know which cypher was used in the OSX case that
>> worked.  On, eg, chrome, you can click something on the left of the url
>> bar to find out.
>> 
>> -Andy
>> 
>>> Cheers,
>>> 
>>> Roger
>>> 
>>> 
>>> [1] https://github.com/ralight/libwebsockets/tree/ssl-dh
>>> [2] http://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers
>>> _______________________________________________
>>> Libwebsockets mailing list
>>> Libwebsockets at ml.libwebsockets.org
>>> http://ml.libwebsockets.org/mailman/listinfo/libwebsockets
>> 
> 
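
An added example (not from the thread or from libwebsockets) that decodes the `SSL_accept failed N` lines of the server log quoted above, assuming N is the value returned by `SSL_get_error()`, as the `SSL_ERROR_WANT_READ` line after each code 2 suggests. The function names are hypothetical; the name table follows OpenSSL's `ssl.h` for values 0 to 8.

```c
#include <stdio.h>
#include <string.h>

/* SSL_get_error() result values 0..8 as defined in OpenSSL's <openssl/ssl.h>. */
static const char *const ssl_error_names[] = {
    "SSL_ERROR_NONE", "SSL_ERROR_SSL", "SSL_ERROR_WANT_READ",
    "SSL_ERROR_WANT_WRITE", "SSL_ERROR_WANT_X509_LOOKUP",
    "SSL_ERROR_SYSCALL", "SSL_ERROR_ZERO_RETURN",
    "SSL_ERROR_WANT_CONNECT", "SSL_ERROR_WANT_ACCEPT",
};

/* Code from an "SSL_accept failed N / ..." line, or -1 for any other line.
 * Assumption: N is the SSL_get_error() result for the failed SSL_accept(). */
int accept_error_code(const char *line)
{
    int code;
    return sscanf(line, "SSL_accept failed %d /", &code) == 1 ? code : -1;
}

const char *ssl_error_name(int code)
{
    int n = (int)(sizeof ssl_error_names / sizeof ssl_error_names[0]);
    return (code >= 0 && code < n) ? ssl_error_names[code] : "unknown";
}

/* WANT_* results on a non-blocking socket mean "call again when the socket
 * is ready"; any other non-zero result ends the handshake. */
int is_retry(int code)
{
    return code == 2 || code == 3 || code == 4 || code == 7 || code == 8;
}

/* Lines copied from the server log quoted in the thread. */
static const char *const sample_log[] = {
    "inserted SSL accept into fds, trying SSL_accept",
    "SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib",
    "SSL_ERROR_WANT_READ",
    "SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib",
    "SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib",
    "close: just_kill_connection",
};
#define SAMPLE_LINES ((int)(sizeof sample_log / sizeof sample_log[0]))

/* Number of handshake-ending results in the log; *last gets the last one. */
int count_fatal(const char *const *lines, int n, int *last)
{
    int fatal = 0;
    for (int i = 0; i < n; i++) {
        int code = accept_error_code(lines[i]);
        if (code > 0 && !is_retry(code)) { fatal++; *last = code; }
    }
    return fatal;
}
```

On the quoted log this reports code 2 as a retry and code 5 as `SSL_ERROR_SYSCALL`, the result logged just before `just_kill_connection`. The trailing `system lib` and `DH lib` strings are what `ERR_error_string()` prints for the bare values 2 and 5.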



