WebSocket errors when using TLS (but not without)

0
votes

I have a web application that uses WebSockets to communicate between browser and server. When serving as ws, everything works as intended. If I change the protocol to wss, things mostly work as expected (the majority of messages passed from client to server, or vice versa, are received), but I occasionally one of the following errors in the Chrome console:

"Could not decode a text frame as UTF-8."

or

"Invalid frame header"

...at which point Chrome releases the connection.

I have observed this both when serving wss directly from the server (runs on .NET, uses SuperWebSocket), and in a configuration where the server uses ws and Apache's mod_proxy_wstunnel to reverse proxy to this using the wss protocol. I have also set up a simple "echo" server under the same Apache configuration, and don't observe the issue; this leads me to believe there's something funny about the data we're passing to the SuperWebSocket API. (The messages which cause the error are valid UTF-8, and again, don't see this issue when serving over ws.)

I'm at a loss for how a protocol change would cause such an issue to occur, which leads me to my question:

Are there cases where a WebSocket frame might be valid when sent without TLS but would become corrupted when sent with TLS?

1
javascript.netsslwebsocket
Out of curiosity, did you get a clue to this issue? IMHO trying tests with several combinations of TLS and algorithm version might help you to narrow down which combination occurs such issue. - Donghwan Kim

1 Answers

0
votes

Are there cases where a WebSocket frame might be valid when sent without TLS but would become corrupted when sent with TLS?

No, wss:// is the same as ws:// only that it is not using plain TCP but TCP+TLS. The WebSockets protocol itself is not aware if it is running inside a plain TCP connection or a TLS protected TCP connection. This is similar to https:// vs. http://.

But a TLS connection is more sensible to data corruption. That is if some man in the middle modifies the packets properly simple ws:// will not notice while wss:// will croak because the modification of the packet was detected. But you should get the error then at the connection level (i.e. connection broke or similar) and not at the WebSockets level like in your case (invalid frame header).

I have no idea what you are running as a WebSockets backend but I would suggest that the problem lies there. Because of the additional TLS layer wss:// might behave slightly different regarding timing and buffering of data inside the server so there might be a race conditions which happens more likely when wss:// is in use compared to ws://.