[Libwebsockets] iOS 9 issue

Andy Green andy at warmcat.com
Tue Oct 20 06:09:49 CEST 2015



On 20 October 2015 11:47:41 GMT+08:00, Jon Mansey <jon at mansey.com> wrote:
>Here's the original thread I posted on the Eclipse Paho forum
>
>https://www.eclipse.org/forums/index.php?t=rview&goto=1710554#msg_1710554
>
>the JS console error message on failure is 
>
>WebSocket network error: The operation couldn't be completed. (OSStatus
>error -9807.)
>
>which resolves to "invalid certificate chain"
>
>I’ve tried multiple permutations of cert chain all of which seem to
>work fine on other platforms except iOS.
>
>Andy, have you seen an iOS Safari connecting successfully to your
>websocket test server in ssl mode?

No.  I don't have any Apple or Microsoft machines or devices (nor want any).  All the stuff related to that is contributed.

One idea, cheapo certs especially seem to have intermediate CAs that come along with the cert.  Maybe your problem is the device with trouble doesn't know how to deal with that when it comes back from the server.

-Andy

>jon
>
>> On Oct 19, 2015, at 8:38 PM, Andy Green <andy at warmcat.com> wrote:
>> 
>> 
>> 
>> On 20 October 2015 01:15:35 GMT+08:00, Jon Mansey <jon at mansey.com> wrote:
>>> Hi List, So some progress, myself and another user both get red failure
>>> message when using the test server in ssl mode from iOS9 safari
>>> browser. I can make it (and my app with js client) work if I manually
>>> install the ca cert as a profile on the iOS device. But I have a real
>>> cert on my server (i.e. not self signed), and mobile safari opens https
>>> pages on it just fine without asking to accept a cert, or saying
>>> untrusted, so I would have to guess the cert is properly
>>> installed/loaded into the phone’s certificate store. Seems the
>>> websocket client isn’t accessing it properly, or looking for something
>>> different, that manually installing the cert satisfies. No problem with
>>> desktop browsers, or Chrome on android, just iOS9 has this issue.
>>> 
>>> Any further thoughts on next steps gratefully welcomed. I'm inclined to
>>> go to apple developers next, or is this a lws issue?
>> 
>> I dunno.  But the fact it works on other platforms suggests you at least need to look closer at the exact failure mechanism on the bad platform.
>> 
>> There are some #if APPLE type conditionals in lws but nothing like #ifdef APPLE break ssl AFAIK.
>> 
>> -Andy
>> 
>>> Jon
>>> 
>>> 
>>> On 16 October 2015 17:59:41 GMT+09:00, Roger Light <roger at atchoo.org> wrote:
>>>> Hi all,
>>>> 
>>>> I'm hoping for some help with a problem I've had reported to me by a
>>>> user. When he connects to my program on a TLS socket provided through
>>>> libwebsockets using Safari on OS X everything is fine. On iOS 9 using
>>>> Safari or the web app it fails with the error:
>>>> 
>>>> WebSocket network error: The operation couldn't be completed.
>>>> (OSStatus error -9807.)
>>>> 
>>>> The log on the server looks like:
>>>> 
>>>> insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>>>> inserted SSL accept into fds, trying SSL_accept
>>>> SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>>> SSL_ERROR_WANT_READ
>>>> SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>>>> SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>>>> close: just_kill_connection
>>>> remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>>>> not calling back closed
>>>> insert_wsi_socket_into_fds: wsi=0x1441130, sock=17, fds pos=2
>>>> inserted SSL accept into fds, trying SSL_accept
>>>> SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>>> SSL_ERROR_WANT_READ
>>>> SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
>>>> SSL_ERROR_WANT_READ
>>>> SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
>>>> SSL_accept failed skt 17: error:00000005:lib(0):func(0):DH lib
>>>> close: just_kill_connection
>>>> remove_wsi_socket_from_fds: wsi=0x1441130, sock=17, fds pos=2
>>>> not calling back closed
>>>> 
>>>> This suggests to me something is failing in the DH lib part - maybe
>>>> something to do with ciphers. Current libwebsockets doesn't configure
>>>> DH cipher parameters which does mean that the list of ciphers it
>>>> supports is smaller than it could be. I've created a patch[1] that
>>>> adds this support, but my user says it didn't help. He's now testing
>>>> using the lws test server, so the bug does look to be here, or in iOS
>>>> 9.
>>>> 
>>>> I'm at a bit of a loss as to what to try next, so I'm wondering if
>>>> anybody else has seen anything similar, or can help with the debugging
>>>> process - I've not got access to any iOS devices.
>>>> 
>>>> I'll still be submitting the patch as a pull request, it's still
>>>> useful, but would like to make sure there isn't anything else missing
>>>> first. The accepted answer at [2] shows a shell script for finding
>>>> server supported ciphers so you can see what the patch achieves.
>>> 
>>> Just googling around, this
>>> 
>>> http://stackoverflow.com/questions/23479376/openssl-ssl-accept-error-5
>>> 
>>> says something like your patch is needed if DH is the chosen cypher.
>>> 
>>> So it's interesting to know which cypher was used in the OSX case that
>>> worked.  On, eg, chrome, you can click something on the left of the url
>>> bar to find out.
>>> 
>>> -Andy
>>> 
>>>> Cheers,
>>>> 
>>>> Roger
>>>> 
>>>> 
>>>> [1] https://github.com/ralight/libwebsockets/tree/ssl-dh
>>>> [2] http://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers
>>>> _______________________________________________
>>>> Libwebsockets mailing list
>>>> Libwebsockets at ml.libwebsockets.org
>>>> http://ml.libwebsockets.org/mailman/listinfo/libwebsockets
>>> 
>> 



