Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http/httputil: WSS does not perform TLS termination properly #66855

Closed
azukaar opened this issue Apr 16, 2024 · 2 comments
Closed

net/http/httputil: WSS does not perform TLS termination properly #66855

azukaar opened this issue Apr 16, 2024 · 2 comments
Labels
WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@azukaar
Copy link

azukaar commented Apr 16, 2024

Go version

go version go1.21.0 windows/amd64

Output of go env in your module/workspace:

set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\azuka\AppData\Local\go-build
set GOENV=C:\Users\azuka\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\azuka\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\azuka\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.21.0
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=0
set GOMOD=NUL
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\azuka\AppData\Local\Temp\go-build1597027050=/tmp/go-build -gno-record-gcc-switches

What did you do?

I am using go's reverse proxy from the httputils package. It works really well, and perform HTTPS TLS termination perfectly when proxying HTTPS > HTTPS.

See implementation: https://github.com/azukaar/Cosmos-Server/blob/master/src/proxy/routeTo.go#L53

What did you see happen?

When proxying a WSS connection to a WSS server however, the certificate does not seem to be the right one.
Here's an example server:

const fs = require('fs');
const https = require('https');
const WebSocket = require('ws');

// Load SSL certificate and key files
const privateKey = fs.readFileSync('./key.pem', 'utf8');
const certificate = fs.readFileSync('./cert.pem', 'utf8');

const credentials = { key: privateKey, cert: certificate };

const httpsServer = https.createServer(credentials);

const wss = new WebSocket.Server({ server: httpsServer });

wss.on('connection', function connection(ws) {
  ...
});

const PORT = 6443;
httpsServer.listen(PORT, () => {
    console.log(`Server is running on https://localhost:${PORT}`);
});

if I proxy it from the reverse proxy, and connect to it via a client:

const WebSocket = require('ws');

const options = {
  // rejectUnauthorized: false
};

const ws = new WebSocket(serverUrl, options);
ws.on('open', function open() {
...
});

I will see this error, which basically tells me I am using a self signed certificate.

node:events:492
      throw er; // Unhandled 'error' event
      ^

Error: self-signed certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1659:34)
    at TLSSocket.emit (node:events:514:28)
    at TLSSocket._finishInit (node:_tls_wrap:1070:8)
    at ssl.onhandshakedone (node:_tls_wrap:856:12)
Emitted 'error' event on WebSocket instance at:
    at emitErrorAndClose (C:\Users\azuka\Desktop\New folder\node_modules\ws\lib\websocket.js:1033:13)
    at ClientRequest.<anonymous> (C:\Users\azuka\Desktop\New folder\node_modules\ws\lib\websocket.js:880:5)
    at ClientRequest.emit (node:events:514:28)
    at TLSSocket.socketErrorListener (node:_http_client:495:9)
    at TLSSocket.emit (node:events:514:28)
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {        
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

Node.js v20.9.0

Note that if I un-comment rejectUnauthorized: false, it will start working perfectly

What did you expect to see?

I would expect WSS to act like HTTPS in general: the reverse proxy terminate the SSL connection, et re-encrypt with the new certificate, but instead it seems to be carrying over the origin certificate.
@seankhliao
Copy link
Member

this doesn't look very actionable without a complete, self contained reproducer

@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Apr 16, 2024
@azukaar
Copy link
Author

azukaar commented Apr 17, 2024
edited

OK so I have spent the evening debugging this and I came to the conclusion that it's a Synology specific problem, as unlike what I initially thought, I am unable to reproduce the issue again

Will close the issue apologies for the mistake

@azukaar azukaar closed this as completed Apr 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@azukaar @seankhliao