SSL WebSocket connection not working with webkit browsers?

1
votes

I have installed Let's Encypt (https://letsencrypt.org/) certificate for my web server (Apache) and WebSocket server (PHPWS). Problem is that SSL WebSocket is working fine with Firefox but fails to work with Chrome, Chromium and Opera. I have tryed before with self-signed certificate and secure WebSocket was working in Chrome and Chromium.

My webpage is located at https://warsoftheheroes.eu

login: zosia and password: zaqwsx

This is what you should see in Chrome javascript console when you log in:

WebSocket connection to 'wss://warsoftheheroes.eu:1025/chat' failed: WebSocket opening handshake was canceled websocket.js?v=20170506:4 
WebSocket connection to 'wss://warsoftheheroes.eu:1025/main' failed: WebSocket opening handshake was canceled websocket.js?v=20170506:5

This is what I see in WebSocket (PHPWS) server logs:

PHP Warning:  stream_socket_accept(): Failed to enable crypto in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126

Warning: stream_socket_accept(): Failed to enable crypto in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126

PHP Warning:  stream_socket_accept(): accept failed: Success in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126

Warning: stream_socket_accept(): accept failed: Success in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126

[some path] is added by me instead of real path

What could be wrong? Certificate is working with Apache over HTTPS but fails to work with WebSocket over WSS.

-= E D I T =-

This is from my Apache SSL configuration:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

-= EDIT 2 =-

There is output of nmap after openssl update:

nmap --script ssl-enum-ciphers -p 443 warsoftheheroes.eu

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-10 18:44 CEST
Nmap scan report for warsoftheheroes.eu (81.163.204.80)
Host is up (0.013s latency).
rDNS record for 81.163.204.80: pppoe-static-a-80.interblock.pl
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

and

nmap --script ssl-enum-ciphers -p 1025 warsoftheheroes.eu

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-10 19:07 CEST
Nmap scan report for warsoftheheroes.eu (81.163.204.80)
Host is up (0.015s latency).
rDNS record for 81.163.204.80: pppoe-static-a-80.interblock.pl
PORT     STATE SERVICE
1025/tcp open  NFS-or-IIS
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A
2
google-chromesslwebsocketssl-certificatelets-encrypt

2 Answers

1
votes

If you inspect the Chrome Internals and start recording while the socket is attempting to connect, you'll see the following:

net-internals

The ERR_SSL_CLIENT_AUTH_CERT_NEEDED is pretty explicit, and tell us that there's an issue with your certificate.

By looking at it, we can see you are using RSA, which is an obsolete key exchange. Instead you should use DHE_RSA or ECDHE_RSA. Even if you get no issue with https, this might be an issue for establishing a secure websocket connection, make sure you are using strong cyphers and key exchange mechanisms.

There is also the pretty basic issues of your phpws process not having read access to the certificate / pem file, the certificate being expired.. So you might want to double check that too, just in case.

1
votes

Ok, I have found a solution to my problem. There is this PHP SSL context option "verify_peer" which defaults to "true" which I think makes the server requests the client to provide a client certificate. So I set it to "false" and now Chrome/Chromium/Opera is working with WSS.