[Libwebsockets] client connect in lwsws

Andy Green andy at warmcat.com
Sun Feb 12 04:08:13 CET 2017



On 02/12/2017 10:45 AM, Joel Winarske wrote:
> This all makes sense, and helps tremendously.
>
> I'm seeing an SSL connection error.  I 
> have lws_client_connect_info.ssl_connection set to:
> LCCSCF_USE_SSL |
> LCCSCF_ALLOW_SELFSIGNED |
> LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK;
>
> Yet it's complaining:
> [2017/02/11 18:33:40:3076] ERR: SSL error: unable to get local issuer 
> certificate (preverify_ok=0;err=20;depth=2)
> [2017/02/11 18:33:40:3076] NOTICE: lws_ssl_client_connect2: 
> SSL_connect says -1
> [2017/02/11 18:33:40:3076] ERR: SSL connect error 337047686: 
> error:1416F086:SSL routines:tls_process_server_certificate:certificate 
> verify failed
> [2017/02/11 18:33:40:3076] INFO: closing conn at 
> LWS_CONNMODE...SERVER_REPLY

It seems you don't have all the intermediate certs?

https://www.sslshopper.com/ssl-checker.html#hostname=%20https://api.npr.org 
says these are required


Common name: *.npr.org
SANs: *.npr.org
Organization: National Public Radio, Inc.
Location: Washington, District of Columbia, US
Valid from January 12, 2015 to January 17, 2018
Serial Number: 3d46073e85fe316e44e9c5f77d1a9a9f
Signature Algorithm: sha256WithRSAEncryption
Issuer: thawte SSL CA - G2

Common name: thawte SSL CA - G2
SANs: DirName: CN = SymantecPKI-1-537
Organization: thawte, Inc.
Location: US
Valid from October 30, 2013 to October 30, 2023
Serial Number: 1687d6886de2300685233dbf11bf6597
Signature Algorithm: sha256WithRSAEncryption
Issuer: thawte Primary Root CA

Common name: thawte Primary Root CA
Organization: thawte, Inc.
Location: US
Valid from November 16, 2006 to December 30, 2020
Serial Number: 3365500879ad73e230b9e01d0d7fac91
Signature Algorithm: sha1WithRSAEncryption
Issuer: Thawte Premium Server CA



The server should send the first one at least, but it seems this is the 
error you would get if you do not have both the other ones in your 
certificate bundle already.

-Andy

>
>
> Complete log snippet:
> [2017/02/11 18:33:40:0992] INFO: Method: POST request for '/rest/send'
> [2017/02/11 18:33:40:0992] DEBUG: lws_set_timeout: 0145B278: 20 secs
> [2017/02/11 18:33:40:0992] INFO: lws_ensure_user_space: 0145B278 
> protocol 0153EAE8
> [2017/02/11 18:33:40:0992] DEBUG: lws_read: thinks we have used 171
> [2017/02/11 18:33:40:0997] NOTICE: lws_spa_create: Created SPA 034EF588
> [2017/02/11 18:33:40:0997] DEBUG: lws_set_timeout: 0145B278: 0 secs
> [2017/02/11 18:33:40:0997] NOTICE: di: ** 
> LWS_CALLBACK_HTTP_BODY_COMPLETION: v=031F3DE8, ctx=01487020
> [2017/02/11 18:33:40:0997] NOTICE: Send Request:
> [2017/02/11 18:33:40:0997] NOTICE:      url: 
> https://api.npr.org/listening/v2/recommendations?channel=shows
> [2017/02/11 18:33:40:0997] NOTICE:      method: GET
> [2017/02/11 18:33:40:0997] NOTICE:      sendheaders: 
> Authorization:Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> [2017/02/11 18:33:40:0997] NOTICE:  Using SSL
> [2017/02/11 18:33:40:0997] NOTICE:  Selfsigned certs allowed
> [2017/02/11 18:33:40:0997] NOTICE:  Skipping peer cert hostname check
> [2017/02/11 18:33:40:0997] NOTICE: using https mode (non-ws)
> [2017/02/11 18:33:40:0997] NOTICE: http client: connecting
> [2017/02/11 18:33:40:0997] DEBUG: lws_union_transition: 01545190: mode 32
> [2017/02/11 18:33:40:1002] INFO: lws_ensure_user_space: 01545190 
> protocol 0153EAD0
> [2017/02/11 18:33:40:1002] INFO: lws_ensure_user_space: 01545190 
> protocol pss 0, user_space=00000000
> [2017/02/11 18:33:40:1002] INFO: lws_header_table_attach: wsi 
> 01545190: ah 00000000 (tsi 0, count = 4) in
> [2017/02/11 18:33:40:1002] INFO: lws_header_table_attach: wsi 
> 01545190: ah 0149C0D0: count 5 (on exit)
> [2017/02/11 18:33:40:1002] CLIENT: lws_client_connect: direct conn
> [2017/02/11 18:33:40:1002] CLIENT: lws_client_connect_2
> [2017/02/11 18:33:40:1002] CLIENT: lws_client_connect_2: address 
> api.npr.org <http://api.npr.org>
> [2017/02/11 18:33:40:1526] ERR: getaddrinfo api.npr.org 
> <http://api.npr.org> -> 216.35.221.71
> [2017/02/11 18:33:40:1531] DEBUG: lws_libuv_accept: new wsi 01545190
> [2017/02/11 18:33:40:1531] DEBUG: insert_wsi_socket_into_fds: 
> 01545190: tsi=0, sock=632, pos-in-fds=13
> [2017/02/11 18:33:40:1531] DEBUG: lws_set_timeout: 01545190: 20 secs
> [2017/02/11 18:33:40:1536] CLIENT: nonblocking connect retry (errno = 
> 10035)
> [2017/02/11 18:33:40:1536] NOTICE: lws_client_connect_via_info 
> sucessful wsi=22303120
> [2017/02/11 18:33:40:1541] INFO: lws_read: read_ok, used 710
> [2017/02/11 18:33:40:1541] DEBUG: lws_server_socket_service: wsi 
> 0145B278: ah read rxpos 710, rxlen 710
> [2017/02/11 18:33:40:1546] DEBUG: lws_uv_idle
> [2017/02/11 18:33:40:1546] DEBUG: lws_uv_idle: done stop
> [2017/02/11 18:33:40:1546] DEBUG: fd=564, revents=9
> [2017/02/11 18:33:40:1546] DEBUG: lws_read: incoming len 22  state 5
> [2017/02/11 18:33:40:1546] PARSER: lws_interpret_incoming_packet: 
> received 22 byte packet
> [2017/02/11 18:33:40:1546] PARSER: spill on activation-protocol
> [2017/02/11 18:33:40:1551] EXTENSION: lws_rx_sm: passing 16 to ext
> [2017/02/11 18:33:40:1551] EXTENSION: 
>  lws_extension_callback_pm_deflate: LWS_EXT_CB_PAYLOAD_RX: in 16, 
> existing in 0
> [2017/02/11 18:33:40:1551] EXTENSION: inflate ret 0, avi 0, avo 894, 
> wsifinal 1
> [2017/02/11 18:33:40:1551] EXTENSION: RX APPEND_TRAILER-DO
> [2017/02/11 18:33:40:1551] EXTENSION: RX trailer inf returned 0, avi 
> 0, avo 894
> [2017/02/11 18:33:40:1551] EXTENSION: 
> lws_extension_callback_pm_deflate: RX leaving with new effbuff len 
> 130, ret 0, rx.avail_in=0, TOTAL RX since FIN 130
> [2017/02/11 18:33:40:1551] NOTICE: activate: LWS_CALLBACK_RECEIVE
> [2017/02/11 18:33:40:1556] DEBUG: _lws_rx_flow_control: no pending change
> [2017/02/11 18:33:40:1556] PARSER: lws_interpret_incoming_packet: exit 
> with 0 unused
> [2017/02/11 18:33:40:1556] INFO: lws_read: read_ok, used 22
> [2017/02/11 18:33:40:1556] DEBUG: lws_uv_idle
> [2017/02/11 18:33:40:1556] DEBUG: lws_uv_idle: done stop
> [2017/02/11 18:33:40:1556] DEBUG: fd=564, revents=2
> [2017/02/11 18:33:40:1556] DEBUG: lws_calllback_as_writeable: 01547DC0 
> (user=0146DAE0)
> [2017/02/11 18:33:40:1556] NOTICE: activate: LWS_CALLBACK_SERVER_WRITEABLE
> [2017/02/11 18:33:40:1556] EXTENSION: 
> lws_extension_callback_pm_deflate: TX: eff_buf length 74
> [2017/02/11 18:33:40:1561] EXTENSION: tx held 4
> [2017/02/11 18:33:40:1561] EXTENSION:   TX rewritten with new effbuff 
> len 8, ret 0
> [2017/02/11 18:33:40:1561] EXTENSION: 
> lws_extension_callback_pm_deflate: tx opcode 0xC1
> [2017/02/11 18:33:40:1561] PARSER: written 10 bytes to client
> [2017/02/11 18:33:40:1561] DEBUG: _lws_rx_flow_control: no pending change
> [2017/02/11 18:33:40:1561] DEBUG: lws_uv_idle
> [2017/02/11 18:33:40:1561] DEBUG: lws_uv_idle: done stop
> [2017/02/11 18:33:40:2276] DEBUG: fd=632, revents=2
> [2017/02/11 18:33:40:2276] CLIENT: lws_client_connect_2
> [2017/02/11 18:33:40:2276] CLIENT: lws_client_connect_2: address 
> api.npr.org <http://api.npr.org>
> [2017/02/11 18:33:40:2286] ERR: getaddrinfo api.npr.org 
> <http://api.npr.org> -> 216.35.221.71
> [2017/02/11 18:33:40:2286] CLIENT: connected
> [2017/02/11 18:33:40:2286] DEBUG: lws_set_timeout: 01545190: 20 secs
> [2017/02/11 18:33:40:2286] DEBUG: fd=632, revents=9
> [2017/02/11 18:33:40:2291] DEBUG: lws_uv_idle
> [2017/02/11 18:33:40:2291] DEBUG: lws_uv_idle: done stop
> [2017/02/11 18:33:40:3056] DEBUG: fd=632, revents=9
> [2017/02/11 18:33:40:3061] NOTICE: lws_ssl_client_connect2: 
> SSL_connect says -1
> [2017/02/11 18:33:40:3066] INFO: SSL_connect WANT_READ... retrying
> [2017/02/11 18:33:40:3066] DEBUG: lws_uv_idle
> [2017/02/11 18:33:40:3066] DEBUG: lws_uv_idle: done stop
> [2017/02/11 18:33:40:3066] DEBUG: fd=632, revents=9
> [2017/02/11 18:33:40:3076] ERR: SSL error: unable to get local issuer 
> certificate (preverify_ok=0;err=20;depth=2)
> [2017/02/11 18:33:40:3076] NOTICE: lws_ssl_client_connect2: 
> SSL_connect says -1
> [2017/02/11 18:33:40:3076] ERR: SSL connect error 337047686: 
> error:1416F086:SSL routines:tls_process_server_certificate:certificate 
> verify failed
> [2017/02/11 18:33:40:3076] INFO: closing conn at 
> LWS_CONNMODE...SERVER_REPLY
> [2017/02/11 18:33:40:3076] INFO: lws_close_free_wsi: real 
> just_kill_connection: 01545190 (sockfd 632)
> [2017/02/11 18:33:40:3081] INFO: remove_wsi_socket_from_fds: removing 
> same prot wsi 01545190
> [2017/02/11 18:33:40:3081] DEBUG: remove_wsi_socket_from_fds: 
> wsi=01545190, sock=632, fds pos=13, end guy pos=14, endfd=0
> [2017/02/11 18:33:40:3081] DEBUG: not calling back closed mode=39 state=7
> [2017/02/11 18:33:40:3081] DEBUG: lws_close_free_wsi: 
> lws_libuv_closehandle: wsi 01545190
> [2017/02/11 18:33:40:3081] DEBUG: lws_uv_idle
> [2017/02/11 18:33:40:3081] DEBUG: lws_uv_idle: done stop
> [2017/02/11 18:33:40:3081] INFO: ah det due to close
> [2017/02/11 18:33:40:3086] INFO: lws_header_table_detach: wsi 
> 01545190: ah 0149C0D0 (tsi=0, count = 5)
> [2017/02/11 18:33:40:3086] INFO: lws_header_table_detach: wsi 
> 01545190: ah 0149C0D0 (tsi=0, count = 4)
> [2017/02/11 18:33:40:3086] DEBUG: lws_free_wsi: 01545190, remaining wsi 13
> [2017/02/11 18:33:40:7005] DEBUG: lws_uv_timeout_cb
> [2017/02/11 18:33:41:7009] DEBUG: lws_uv_timeout_cb
> [2017/02/11 18:33:42:7018] DEBUG: lws_uv_timeout_cb
> [2017/02/11 18:33:43:7022] DEBUG: lws_uv_timeout_cb
> [2017/02/11 18:33:43:7024] INFO: lws_close_free_wsi: real 
> just_kill_connection: 0145C890 (sockfd 556)
> [2017/02/11 18:33:43:7029] INFO: remove_wsi_socket_from_fds: removing 
> same prot wsi 0145C890
> [2017/02/11 18:33:43:7034] DEBUG: remove_wsi_socket_from_fds: 
> wsi=0145C890, sock=556, fds pos=5, end guy pos=13, endfd=632
> [2017/02/11 18:33:43:7036] DEBUG: not calling back closed mode=0 state=0
> [2017/02/11 18:33:43:7036] DEBUG: lws_close_free_wsi: 
> lws_libuv_closehandle: wsi 0145C890
> [2017/02/11 18:33:43:7042] INFO: ah det due to close
> [2017/02/11 18:33:43:7042] INFO: lws_header_table_detach: wsi 
> 0145C890: ah 00000000 (tsi=0, count = 4)
> [2017/02/11 18:33:43:7047] INFO: lws_header_table_detach: wsi 
> 0145C890: ah 00000000 (tsi=0, count = 4)
> [2017/02/11 18:33:43:7047] DEBUG: lws_free_wsi: 0145C890, remaining wsi 12
> [2017/02/11 18:33:44:7022] DEBUG: lws_uv_timeout_cb
> [2017/02/11 18:33:45:7027] DEBUG: lws_uv_timeout_cb
> [2017/02/11 18:33:45:7027] INFO: lws_close_free_wsi: real 
> just_kill_connection: 0145B8C8 (sockfd 512)
> [2017/02/11 18:33:45:7037] INFO: remove_wsi_socket_from_fds: removing 
> same prot wsi 0145B8C8
> [2017/02/11 18:33:45:7042] DEBUG: remove_wsi_socket_from_fds: 
> wsi=0145B8C8, sock=512, fds pos=3, end guy pos=12, endfd=576
> [2017/02/11 18:33:45:7042] DEBUG: not calling back closed mode=0 state=0
> [2017/02/11 18:33:45:7042] DEBUG: lws_close_free_wsi: 
> lws_libuv_closehandle: wsi 0145B8C8
> [2017/02/11 18:33:45:7047] INFO: lws_close_free_wsi: real 
> just_kill_connection: 0145CBB8 (sockfd 560)
> [2017/02/11 18:33:45:7047] INFO: remove_wsi_socket_from_fds: removing 
> same prot wsi 0145CBB8
> [2017/02/11 18:33:45:7047] DEBUG: remove_wsi_socket_from_fds: 
> wsi=0145CBB8, sock=560, fds pos=6, end guy pos=11, endfd=612
> [2017/02/11 18:33:45:7052] DEBUG: not calling back closed mode=0 state=0
> [2017/02/11 18:33:45:7052] DEBUG: lws_close_free_wsi: 
> lws_libuv_closehandle: wsi 0145CBB8
> [2017/02/11 18:33:45:7057] INFO: ah det due to close
> [2017/02/11 18:33:45:7057] INFO: lws_header_table_detach: wsi 
> 0145CBB8: ah 014988B0 (tsi=0, count = 4)
> [2017/02/11 18:33:45:7062] NOTICE: lws_header_table_detach: wsi 
> 0145CBB8: ah held 6s, ah.rxpos 0, ah.rxlen 0, mode/state 0 
> 4,wsi->more_rx_waiting 0
> [2017/02/11 18:33:45:7062] INFO: lws_header_table_detach: wsi 
> 0145CBB8: ah 014988B0 (tsi=0, count = 3)
> [2017/02/11 18:33:45:7062] DEBUG: lws_free_wsi: 0145CBB8, remaining wsi 11
> [2017/02/11 18:33:45:7067] INFO: ah det due to close
> [2017/02/11 18:33:45:7067] INFO: lws_header_table_detach: wsi 
> 0145B8C8: ah 00000000 (tsi=0, count = 3)
> [2017/02/11 18:33:45:7067] INFO: lws_header_table_detach: wsi 
> 0145B8C8: ah 00000000 (tsi=0, count = 3)
> [2017/02/11 18:33:45:7072] DEBUG: lws_free_wsi: 0145B8C8, remaining wsi 10
> [2017/02/11 18:33:46:7023] DEBUG: lws_uv_timeout_cb
> [2017/02/11 18:33:47:7024] DEBUG: lws_uv_timeout_cb
> [2017/02/11 18:33:48:7034] DEBUG: lws_uv_timeout_cb
>
>
> On Sat, Feb 11, 2017 at 5:14 PM, Andy Green <andy at warmcat.com 
> <mailto:andy at warmcat.com>> wrote:
>
>
>
>     On 12 February 2017 07:21:55 GMT+08:00, Joel Winarske
>     <joel.winarske at gmail.com <mailto:joel.winarske at gmail.com>> wrote:
>     >Hi Andy,
>     >
>     >I want to client connect to https site from within
>     >LWS_CALLBACK_HTTP_BODY_COMPLETION, in a running instance of lwsws.
>     >lwsws
>     >is running in non-SSL
>     >
>     >Due to SSL, I was figuring lws_client_connect_via_info(), similar to
>
>     Yes this is the way.
>
>     >test-client.c.  I'm not clear where context and wsi should come
>     from in
>     >the
>     >case of running within lwsws.
>
>     All wsi are under the same context, and a context may mix client
>     and server wsi ok.
>
>     So you can get the context from the callback wsi with
>     lws_get_context(wsi).
>
>     When you call lws_client_connect_via_info(), he will try to start
>     the logical client connection process and return either a new wsi
>     representing the client connection if it got started, or NULL if
>     it failed.  However because the connection attempt may generate
>     callbacks before lws_client_connect_via_info() returned and told
>     you the new wsi, the info struct also contains a *pwsi member that
>     lws_client_connect_via_info() sets to the new wsi before it returns.
>
>     In that way you can recognize in the callback who the wsi is, even
>     during these early callbacks.  That's particularly useful if the
>     connection fails, since you get a callback with a descriptive
>     reason string; being able to know that it's your wsi that failed
>     lets you respond to it.
>
>     >I figure it would get serviced by the server loop, so no need to
>     >call lws_service().  Correct?
>
>     Yeah no need for that, lwsws context is using libuv event loop,
>     when you make the client connection it joins in with that.
>
>     Notice in lwsws you must mark a vhost as wanting to / being able
>     to make ssl client connections
>
>      - "enable-client-ssl": "1" enables the vhost's client SSL
>     context, you will need this if you plan to create client
>     connections on the vhost that will use SSL. You don't need it if
>     you only want http / ws client connections.
>
>     This causes the vhost to additionally init client ssl context.
>
>     -Andy
>
>     >Thanks,
>     >Joel
>
>     --
>     Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>
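Andy's diagnosis above comes down to chain building: the client has the certificates the server sent plus its local CA bundle, and verification fails at the depth where the next issuer can be found in neither. The C program below is an added example, not code from the libwebsockets project or from anyone in this thread. It models that walk using only subject/issuer names taken from the chain listing above; the "sent" and "bundle" arrays, and the self-signed form of the root, are constructed for the example, and the model ignores signatures, validity dates and everything else a real verifier checks.

```c
/* Added example, not code from the libwebsockets project or this thread: a
 * simplified model of how a TLS client builds the certificate chain from the
 * certificates the server sent plus the local CA bundle, showing why the
 * verifier reports "unable to get local issuer certificate" at a given depth.
 * Certificates are modelled by subject/issuer name only; no X.509 parsing. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8

struct cert { const char *subject; const char *issuer; };

struct chain_result {
    int ok;                     /* 1 when a self-signed bundle root was reached */
    int depth;                  /* depth of the cert at which the walk stopped */
    const char *missing_issuer; /* issuer found in neither place, else NULL */
};

static int is_self_signed(const struct cert *c) {
    return strcmp(c->subject, c->issuer) == 0;
}

static const struct cert *find_subject(const struct cert *list, int n, const char *subject) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i].subject, subject) == 0)
            return &list[i];
    return NULL;
}

/* Walk upward from the leaf, sent[0]. The current cert is accepted as the
 * trust anchor when the bundle holds a self-signed cert with its subject.
 * Otherwise its issuer is looked up in the bundle first (so a bundle root
 * wins over a cross-signed copy the server sent), then among the sent
 * certs; if it is in neither, the walk fails at the current depth. */
struct chain_result build_chain(const struct cert *sent, int nsent,
                                const struct cert *bundle, int nbundle) {
    struct chain_result r = { 0, 0, NULL };
    const struct cert *cur = &sent[0];
    for (int depth = 0; depth < MAX_DEPTH; depth++) {
        const struct cert *anchor = find_subject(bundle, nbundle, cur->subject);
        const struct cert *next;
        r.depth = depth;
        if (anchor && is_self_signed(anchor)) {
            r.ok = 1;
            return r;
        }
        if (is_self_signed(cur))            /* self-signed but not in the bundle */
            break;
        next = find_subject(bundle, nbundle, cur->issuer);
        if (!next)
            next = find_subject(sent, nsent, cur->issuer);
        if (!next)                          /* nothing can vouch for cur */
            break;
        cur = next;
    }
    r.missing_issuer = cur->issuer;
    return r;
}

/* Names from the chain listing in the thread; root_self is the self-signed
 * form in which a CA bundle carries a root (constructed for the example). */
static const struct cert leaf       = { "*.npr.org", "thawte SSL CA - G2" };
static const struct cert g2         = { "thawte SSL CA - G2", "thawte Primary Root CA" };
static const struct cert root_cross = { "thawte Primary Root CA", "Thawte Premium Server CA" };
static const struct cert root_self  = { "thawte Primary Root CA", "thawte Primary Root CA" };

/* Constructed scenarios: what the server sent versus what the bundle holds. */
struct chain_result full_chain_empty_bundle(void) {
    const struct cert sent[] = { leaf, g2, root_cross };
    return build_chain(sent, 3, NULL, 0);
}
struct chain_result full_chain_root_in_bundle(void) {
    const struct cert sent[] = { leaf, g2, root_cross }, bundle[] = { root_self };
    return build_chain(sent, 3, bundle, 1);
}
struct chain_result leaf_only_full_bundle(void) {
    const struct cert sent[] = { leaf }, bundle[] = { g2, root_self };
    return build_chain(sent, 1, bundle, 2);
}
struct chain_result leaf_only_root_in_bundle(void) {
    const struct cert sent[] = { leaf }, bundle[] = { root_self };
    return build_chain(sent, 1, bundle, 1);
}

static void report(const char *name, struct chain_result r) {
    if (r.ok)
        printf("%-28s chain reaches a bundle root at depth %d\n", name, r.depth);
    else
        printf("%-28s unable to get local issuer certificate \"%s\" (depth=%d)\n",
               name, r.missing_issuer, r.depth);
}

int main(void) {
    report("full chain, empty bundle:",   full_chain_empty_bundle());
    report("full chain, root in bundle:", full_chain_root_in_bundle());
    report("leaf only, G2+root bundle:",  leaf_only_full_bundle());
    report("leaf only, root in bundle:",  leaf_only_root_in_bundle());
    return 0;
}
```

Build it with any C99 compiler and run it: each scenario prints either the depth at which the walk reached a bundle root or the issuer it could not find and the depth, in the same shape as the lws log line. With an empty bundle the walk through the three-certificate chain listed above stops at depth 2, which is the depth in the log; with the intermediate and root in the bundle it verifies even when the server sends only the leaf, which is the case Andy describes. The lookup order (bundle before sent certificates) is what lets a self-signed root in the bundle stand in for the cross-signed copy a server may send; OpenSSL's verifier does considerably more than this name lookup, so read the model as an explanation of the error, not as a replacement for it.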



