ws on ssl not working #257

Closed
Canicio opened this issue Oct 28, 2013 · 16 comments

@Canicio

Canicio commented Oct 28, 2013

I run this on the server side. The client can't connect and it doesn't show errors.

var fs = require('fs'); // needed for fs.readFileSync below

var cfg = {
  ssl: true,
  port: 8080,
  ssl_key: 'cert.key',
  ssl_cert: 'cert.crt'
};

var httpServ = ( cfg.ssl ) ? require('https') : require('http');

var WebSocketServer = require('ws').Server;

var app = null;

// dummy request processing
var processRequest = function( req, res ) {
  res.writeHead(200);
  res.end("All glory to WebSockets!\n");
};

if ( cfg.ssl ) {
  app = httpServ.createServer({
    // providing server with SSL key/cert
    key: fs.readFileSync( cfg.ssl_key ),
    cert: fs.readFileSync( cfg.ssl_cert ),
    passphrase: '1234',
    requestCert: true,
    rejectUnauthorized: false,
  }, processRequest ).listen( cfg.port );
} else {
  app = httpServ.createServer( processRequest ).listen( cfg.port );
}

// attach the WebSocket server to the HTTP(S) server
var wss = new WebSocketServer( { server: app } );

wss.on('connection', function(ws) {
  console.log("Connected!");
  ws.on('message', function(message) {
    console.log('received: %s', message);
  });
  ws.send('something');
});


In the client side, I use:
socket = new WebSocket("wss://192.168.1.34:8080");

@aembke

aembke commented Oct 30, 2013

I've been seeing this issue with the client myself recently too. Using node v0.10.20 I've been seeing the "Reserved fields must be empty" error when switching to https. When using http it works fine. Also, I've tried changing the server from pure node to pure sinatra to sinatra proxied by nginx to node proxied by nginx and the client error message is the same regardless of the server configuration.

It looks like some other people were having similar issues earlier in this thread (nodejs/node-v0.x-archive#5557) with socket.io. I'm not sure if socket.io uses ws but even if not maybe they're parsing data the same way?

@jaromirmuller

Works for me. We're using [email protected] and [email protected] and [email protected]

@oskwazir

Which client are you using? I've had problems in mobile Safari when the browser would not connect to a secure websocket connection because I was using a self signed cert.

@buley

buley commented Apr 29, 2014

I'm having issues using [email protected] and [email protected] and [email protected]

The client gets an immediate disconnect with nothing but a 1006 CLOSE_ABNORMAL but the (insanely useful) wscat offers this interesting error response:

➜ app git:(master) ✗ ./node_modules/.bin/wscat --connect wss://localhost
? error: Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

I'm able to curl OK on 443:

➜  app git:(master) ✗ curl -IL https://localhost --insecure
HTTP/1.1 200 OK
X-Powered-By: Express
access-control-allow-origin: http://localhost
access-control-allow-headers: Content-Type, Content-Length, User-Agent
access-control-allow-methods: GET,POST,PUT,HEAD,DELETE,TRACE,COPY,LOCK,MKCOL,MOVE,PROPFIND,PROPPATCH,UNLOCK,REPORT,MKACTIVITY,CHECKOUT,MERGE,M-SEARCH,NOTIFY,SUBSCRIBE,UNSUBSCRIBE,PATCH
content-type: application/json
content-length: 16
Date: Tue, 29 Apr 2014 20:39:39 GMT
Connection: keep-alive

I have tried rejectUnauthorized set to false and secureProtocol set to SSLv3_method.

If I add to the .bin/wscat file node's equivalent to curl's --insecure flag:

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';

I get a disconnect like on the client side:

➜  app git:(master) ✗ ./node_modules/.bin/wscat --connect wss://localhost       
error: Error: socket hang up
> #  

@buley

buley commented Apr 29, 2014

I had an issue with passing ws my express app rather than my https server, but once I got that resolved - and fixed my root CA certificate issue - I'm able to get closer to resolution: wscat now works 100%, as does Firefox 26, but Chrome 32 still disconnects on creating the WebSocket

Could @aembke be right (#257 (comment)) on similarity to nodejs/node-v0.x-archive#5557? Since this seems Chrome-only I would guess protocol related? Other theories: http://code.google.com/p/go/issues/detail?id=6121 and theturtle32/WebSocket-Node#88 (comment)

@joealcorn

I'm also seeing the error: Error: socket hang up error, even when using the ssl example in this repo.

@joealcorn

Here's the SSL error I'm getting

$ openssl s_client -connect ws.gorealti.me:9000
CONNECTED(00000003)
3924:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:

@joealcorn

Boom. Found the issue, had to add the CA bundle to the options object, instead of bundling them into my cert.

So

app = https.createServer({
    key: fs.readFileSync(config.ssl.key),
    cert: fs.readFileSync(config.ssl.cert),
}, processRequest).listen(config.port);

becomes

app = https.createServer({
    key: fs.readFileSync(config.ssl.key),
    cert: fs.readFileSync(config.ssl.cert),
    ca: fs.readFileSync(config.ssl.ca),
}, processRequest).listen(config.port);

@buley

buley commented May 12, 2014

That's how I got past my initial problems as well. Next thing to check: Does it work in Chrome and not just on the command line or in FF?

@joealcorn

You're right, looks like I celebrated too soon. hmm..

@buley

buley commented May 12, 2014

You're the first person to verify my issue report, so - thanks!

But yeah, this library is not production ready w/o Chrome support.

I'm not the best person to offer his time but will do so regardless. If anyone can point me to where I should poke around for this issue, I'd love to use this library in my application and would be happy to spend some time on making Chrome work.

@joealcorn

I loaded up wireshark to have a closer look and it began working. Very odd..
Will keep an eye on it

@vinodkumar4a5

Hi,
I need a client which can communicate with the server using a socket.io+ssl connection in C++. I got some code in Java but I want it in C++. If it is a websocket client+ssl (wss), that is also fine for me. Can anybody share the code or information with me, please?

Thanks,
vvk.

@ralyodio

I got it working, I wrote about it here for anyone interested: http://www.chovy.com/web-development/self-signed-certs-with-secure-websockets-in-node-js/

@aleclarson

aleclarson commented Oct 9, 2016

@chovy Any suggestions on connecting to a server (that uses a self-signed cert) from another server? (eg: another NodeJS process)

var WebSocket = require('ws');

var ws = new WebSocket('wss://192.x.x.x:4443', '', {
  headers: {token: 'xxxxxx'}
});

I can connect to my server from Google Chrome, but not from the terminal.

Error: unable to verify the first certificate

EDIT: Figured out how to allow self-signed certs (never use this in production):

// Do this before calling `new WebSocket` on the client server (not the websocket server).
process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0;

@lpinca
Member

lpinca commented Nov 10, 2016

@aleclarson You can also use the rejectUnauthorized option when creating the client instead of using the env variable.

Closing this as it seems everything has been addressed/solved.

@lpinca lpinca closed this as completed Nov 10, 2016
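
A way to handle the self-signed case from the last two comments without turning verification off, given as an added example that is not code from the thread or from the ws project: the Node client trusts only the server's certificate through the `ca` option and checks it against the name it was issued for. `pinnedTlsOptions`, `assertVerificationEnabled`, `connect` and the `expectedName` parameter are hypothetical names, and the example assumes a current `ws` release that forwards TLS options to `https.request`.

```javascript
const fs = require('fs');
const tls = require('tls');

// Build TLS options for a client that must reach a server using a
// self-signed or private-CA certificate WITHOUT disabling verification.
//   caPem        - PEM of the self-signed cert (or private CA) to trust
//   expectedName - name the certificate was issued for (hypothetical
//                  parameter); needed when dialing by IP, as in the thread
function pinnedTlsOptions(caPem, expectedName) {
  if (!caPem || !/-----BEGIN CERTIFICATE-----/.test(String(caPem))) {
    throw new Error('caPem must contain a PEM certificate');
  }
  const options = {
    ca: caPem,                // replaces the default root store for this socket
    rejectUnauthorized: true  // keep chain validation on
  };
  if (expectedName) {
    // Verify the cert against the name it was issued for, not the dialed IP.
    options.checkServerIdentity = (dialedHost, cert) =>
      tls.checkServerIdentity(expectedName, cert);
  }
  return options;
}

// Refuse to run if verification was switched off process-wide.
function assertVerificationEnabled(env) {
  if (String(env.NODE_TLS_REJECT_UNAUTHORIZED) === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS verification for every connection');
  }
}

function connect(url, caPath, expectedName) {
  assertVerificationEnabled(process.env);
  const WebSocket = require('ws'); // loaded lazily: only needed to connect
  const options = pinnedTlsOptions(fs.readFileSync(caPath), expectedName);
  const ws = new WebSocket(url, [], options);
  ws.on('open', () => console.log('Connected, certificate verified'));
  ws.on('error', (err) => console.error('TLS/WebSocket error:', err.code || err.message));
  return ws;
}

// Usage: node client.js wss://192.168.1.34:8080 cert.crt [name-in-cert]
if (process.argv.length >= 4) {
  connect(process.argv[2], process.argv[3], process.argv[4]);
}
```

Unlike the environment variable, these options apply only to this one connection, so every other outbound TLS request in the process keeps its normal verification.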