0

I'm attempting to implement a WebSocket Client in an application that supports secure transmissions through SSL. The application already supports standard SSL connections over HTTP, by implementing custom Key and Trust managers (these custom implementations are in place to prompt the user for a certificate when needed).

I'm having trouble getting a secure connection to our remote WebSocket endpoint. The failure is occurring during the handshake. I've tried two different implementations of the WebSocket API (both Tyrus and Jetty), and both fail in the same way, which, of course, leads me to point to our SSL implementation.

As I mentioned, the failure is occurring during the handshake. It seems that the connection cannot figure out that there are client certificates that are signed by the supported authorities returned from the server. I'm stumped to figure out if I haven't supplied the client certificates to the WebSocket API correctly, or if our custom Key/Trust managers are even getting used.

Here's a dump of the SSL Debug logs: 

*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
(list of about 15 cert authorities supported by the server)
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** CertificateChain
<empty>
***

I've set breakpoints in our TrustManager implementation, to determine if they are ever getting called, and it seems that they are not being called at this point.

I've been attempting to debug this for a few days now, and am running out of things to try.

Any suggestions would be greatly appreciated!

Here's a snippet of the Jetty Code:

SSLContext context = SSLContext.getInstance("TLS");
// getKeyManagers / getTrustManagers retrieves an 
// array containing the custom key and trust manager
// instances:
KeyManager[] km = getKeyManagers();
TrustManager[] tm = getTrustManagers();
context.init(km, tm, null);

SslContextFactory contextFactory = new SslContextFactory();
contextFactory.setContext(context);

WebSocketClient client = new WebSocketClient(contextFactory);
SimpleEchoClient echoClient = new SimpleEchoClient();

try { 
    client.start();
    ClientUpgradeRequest request = new ClientUpgradeRequest();
    Future<Session> connection = client.connect(echoClient, uri, request);

    Session session = connection.get();

    // if everything works, do stuff here

    session.close();
    client.destroy();
} catch (Exception e) {
    LOG.error(e);
}
Robert K
  • 472
  • 4
  • 17
  • Unclear what side those ssl logs are from, client? server? what's the server? how is the server setup/configured? does the server work with other ssl clients (eg: openssl s_client)? – Joakim Erdfelt Jun 27 '17 at 16:18
  • Those logs are from the client side. We also maintain a web (angular) version of the application, and this server endpoint does work with that implementation. – Robert K Jun 27 '17 at 17:10
  • If you skip your custom TrustManager and KeyManager and simply use `new SslContextFactory(true);` does it work? – Joakim Erdfelt Jun 27 '17 at 17:22
  • After `client.start();` what is the value of `contextFactory.getState()`? – Joakim Erdfelt Jun 27 '17 at 17:27
  • After `client.start()`, the value of `contextFactory.getState()` is `STARTED`. Trying it without my custom managers and `new SslContextFactory(true)` results in the same behavior. – Robert K Jun 27 '17 at 17:42
  • Cannot replicate with `wss://echo.websocket.org` and your code. What version of Jetty are you using? (please say a recent stable release) – Joakim Erdfelt Jun 27 '17 at 17:45
  • The jetty version is 9.2.15.v20160210. I'll try to hit wss://echo.websocket.org – Robert K Jun 27 '17 at 17:55
  • I was able to connect to wss://echo.websocket.org, successfully, using the more recent jetty version (9.4.6.v20170531). That proves out that I can actually write a client :) Unfortunately, that site doesn't require a client certificate for 2-way SSL, so I guess is points to the configuration of the SSLContext or SslContextFactory? – Robert K Jun 27 '17 at 20:43

1 Answers1

0

can you try with rejectUnAuthorized:false so that your certificates for which your browser is unable to authorize will skip the authorization. 

var ws = new WebSocket('wss://localhost:xxxx', {
  protocolVersion: 8,
  origin: 'https://localhost:xxxx',
  rejectUnauthorized: false
});
nagoor hussain
  • 14
  • 1