FrogTheFrog / moondeck-buddy

A server-side part of the MoonDeck plugin for the SteamDeck.
GNU Lesser General Public License v3.0

SSL issue #44

Closed Co0l closed 1 year ago

Co0l commented 1 year ago

Hi,

I'm having an issue getting moondeck buddy working on my host PC.

MoonDeckBuddy 1.5.2
MoonDeck 1.6.5
Host: Win10 Pro 22H2 with latest redistributables

  1. Moondeck buddy status returns "SSL Verification Failed" on my device
  2. Accessing https://192.168.1.99:59999/apiVersion from both host and client device browsers gives the following error
This site can’t provide a secure connection 192.168.1.99 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
  3. Curl
* Expire in 0 ms for 6 (transfer 0x559cb1b8d110)
*   Trying 192.168.1.99...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x559cb1b8d110)
* Connected to 192.168.1.99 (192.168.1.99) port 59999 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS alert, illegal parameter (559):
* error:14264074:SSL routines:tls_parse_stoc_supported_versions:bad protocol version number
* Closing connection 0
curl: (35) error:14264074:SSL routines:tls_parse_stoc_supported_versions:bad protocol version number
  4. Adding a reverse proxy on my router solves the issues, but there is no way to configure Moondeck to use a custom URL for integration with buddy. Only the port can be specified.
* Connected to ***.***.keenetic.name (***) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=***.***.keenetic.name
*  start date: May 12 19:30:19 2023 GMT
*  expire date: Aug 10 19:30:18 2023 GMT
*  subjectAltName: host "***.***.keenetic.name" matched cert's "*.***.keenetic.name"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cee4ddc110)
> GET /apiVersion HTTP/2
> Host: ***.***.keenetic.name
> User-Agent: curl/7.64.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: Web server
< date: Wed, 12 Jul 2023 20:52:01 GMT
< content-type: application/json
< content-length: 13
< 
* Connection #0 to host ***.***.keenetic.name left intact
{"version":3}

Any ideas on how to solve this?
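
An added diagnostic, not part of moondeck-buddy or of this thread, that automates the check done by hand above: it handshakes with the Buddy port once per TLS version, pinned to exactly that version, and classifies the failure so a version mismatch (the curl "bad protocol version number" case) is told apart from a cipher or certificate problem. The host and port are the ones from the issue; the `connect` parameter exists so the probe can be exercised without a network.

```python
import socket
import ssl

# Added diagnostic (not part of moondeck-buddy): handshake with a server once
# per TLS version, so a failure like the curl "bad protocol version number"
# above can be pinned to a version mismatch instead of a cipher or cert issue.
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def classify_failure(message):
    """Map an OpenSSL/Python SSL error message to a short diagnosis."""
    text = message.lower()
    if any(k in text for k in ("protocol version", "unsupported protocol",
                               "no protocols available")):
        return "version-mismatch"   # server will not speak this version
    if "handshake failure" in text or "no shared cipher" in text:
        return "cipher-mismatch"    # version accepted, no common cipher
    if "certificate verify failed" in text:
        return "cert-untrusted"     # negotiated fine, trust is the problem
    return "other"


def _real_connect(ctx, host, port, timeout):
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def try_version(host, port, version, connect=_real_connect, timeout=3.0):
    """Handshake pinned to exactly one TLS version; returns (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    # Buddy serves a self-signed cert: test the protocol, not trust, here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        return True, connect(ctx, host, port, timeout)
    except ssl.SSLError as exc:          # handshake-level failure
        return False, classify_failure(str(exc))
    except OSError as exc:               # refused, timeout, unreachable
        return False, "connect-error: %s" % exc


def probe(host, port, connect=_real_connect):
    """Result per version name, e.g. {"TLSv1.2": (True, "TLSv1.2"), ...}."""
    return {n: try_version(host, port, v, connect) for n, v in VERSIONS.items()}
```

Calling `probe("192.168.1.99", 59999)` against the Buddy port prints one result per version; a server that only negotiates one of them shows `(True, ...)` for that version and `(False, "version-mismatch")` for the other, which is the pattern this issue describes.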

FrogTheFrog commented 1 year ago

I have been trying to solve this for a while, however I can't reproduce it :/.

If you are able to compile, could you perhaps try changing the https://github.com/FrogTheFrog/moondeck-buddy/blob/a07ce12f3db67ddd907aab21b12798d933bda27d/src/lib/server/httpserver.cpp#L63 line and add a 3rd argument for the sslSetup?

Maybe it is selecting a wrong protocol somehow?

The allowed values can be found here: https://doc.qt.io/qt-6/qssl.html#SslProtocol-enum.

If you create a fork and make a PR, github will build it for you in case you can't build it yourself.

Co0l commented 1 year ago

❌ TlsV1_2OrLater - didn't work
✔️ TlsV1_2 - works for me

FrogTheFrog commented 1 year ago

❌ TlsV1_2OrLater - didn't work
✔️ TlsV1_2 - works for me

Ty for the investigation! Will make the TLS version configurable soon'ish :)

FrogTheFrog commented 1 year ago

@Co0l can you please verify that https://github.com/FrogTheFrog/moondeck-buddy/pull/46 still works for you? Then I can merge it and do another release.

FrogTheFrog commented 1 year ago

The supported string values are in https://github.com/FrogTheFrog/moondeck-buddy/wiki/Configuration#ssl-protocol

Co0l commented 1 year ago

@FrogTheFrog yes, it works with this version and TlsV1_2 option configured in the settings. None of the others seem to work on my system. Win10 in general doesn't support tls1.3 according to Microsoft https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

FrogTheFrog commented 1 year ago

Closed with https://github.com/FrogTheFrog/moondeck-buddy/pull/46