x/net/websocket: chrome wss doesn't work with go-lang https/tls server #6121
Labels
Milestone
Comments
this updated version of ws.go (attached) now works in chrome browser with secure websockets! with one important caveat, however: it embeds a node.js tls proxy server, which handles the tls on the frontend, proxying the secure sockets to insecure ones (plain http) on the go-lang backend. so for whatever reason, it seems the root issue is chrome-vs-golang tls, not secure websockets per se. node.js-to-chrome connections here are TLS 1.1, whereas the original go-lang-only ones were SSL 3.0 with an additional warning about possibly outdated server code on chrome's connection detail popup. so for now, this is my workaround. Attachments:
|
i have the same problem with wss: in chrome. it worked fine until revision 47ec7a68b1a2. https://code.google.com/p/go/source/detail?r=47ec7a68b1a2b01cd9d6a4ea6d4f4042ea377eb7&name=default the other problem after this revision is that client certificate authentication also fails in chrome. i would like to provide more info, but i have no idea where to start. |
i found a workaround. if i disable the ECDHE-ECDSA ciphers in chromium, both secure websockets (wss:) and client certificate authentication work again: $ chromium-browser --cipher-suite-blacklist=0xc007,0xc009,0xc00a i got the cipher ids from crypt/tls/cipher_suites.go TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a |
I've added a workaround to my program that disables the malfunctioning ciphers. Something similar could work for other programs, so I'll post the commit here: BenLubar/Rnoadm@45e1006 |
I'm having a the same problem, but not with websockets. Running a MITM HTTPS proxy, I get a lot of errors related to ECDHE_ECDSA when Chrome connects to Google sites through my proxy. The problem seems to be that somehow a cipher suite using ECDSA is being chosen even though my server certificate has an RSA private key—and therefore it can't do ECDSA. If I disable the ECDHE_ECDSA cipher suites in crypto/tls/cipher_suites.go, the errors go away. But the real solution would be for the function that picks the cipher suite to take the type of server certificate into account. |
using this workaround provided by ben, works for me now -- thanks! i'm really curious
what should be fixed though --- golang or chromium browser or both?
TLSConfig: &tls.Config{
// BUG: https://golang.org/issue/6121
CipherSuites: []uint16{
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
}
|
mikioh
changed the title
mikioh
changed the title
|
Nowadays looks like it's okay. I just tried with Chrome Version 39.0.2171.99 (64-bit), Go 1.4 and current x/net subrepo, and didn't see any failures. |
|
I don't think its completely fixed, or it is broken again in the same way. This is still happening for me on go version 1.4.2 x64. Safari (version 9.0) works, but Firefox (version 39.0) and Chrome do not (version 43 on OSX). It also appears that javax.websocket gets a 403. I get this error in Chrome: Nothing is produced at the go terminal, unless i hit it with javax.websocket - which produces this: In Safari I get the expected result in the javascript console: in Firefox I get a 403 similar to Chrome and the console shows this: Here is some go code to serve TLS websockets. sub in your own cert.key and cert.pem files. package main
import (
"golang.org/x/net/websocket"
"io"
"log"
"net/http"
)
func copyTest(ws *websocket.Conn) {
io.Copy(ws, ws)
}
func main() {
// setup http handler
http.Handle("/copyTest", websocket.Handler(copyTest))
// start secure websocket server
log.Println("Listening for secure websocket connections on localhost port 8000...")
if err := http.ListenAndServeTLS(":8000", "cert.pem", "cert.key", nil); err != nil {
panic("ListenAndServeTLS Error: " + err.Error())
}
}Here is a javascript client. Sub in the proper domain name for your cert instead of localhost and connect using it. Results will be written to the javascript console. <!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<title>Websocket connector</title>
<script src="http://code.jquery.com/jquery-compat-git.js">
</script>
</head>
<body>
<input id="name" type="text" />
<button id="sendBtn">send</a>
<script>
var ws = new WebSocket("wss://localhost:8000/copyTest");
ws.onmessage = function(e) {
console.log("got data:" + e.data);
};
ws.onerror = function(e) {
console.log("got error:", e);
};
ws.onclose = function(e) {
console.log("got close:", e);
};
$('#sendBtn').click(function(){
var data = $('#name').val();
ws.send(data);
console.log("sent data:" + data);
});
</script>
</body>
</html> |
|
Please open a new issue. |
mikioh
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Attachments:
The text was updated successfully, but these errors were encountered: