crossbario / autobahn-python

WebSocket and WAMP in Python for Twisted and asyncio
https://crossbar.io/autobahn
MIT License

Secure WebSocket connection error on twisted version #936

Closed spiiin closed 6 years ago

spiiin commented 6 years ago

I am trying to connect to my remote router: https://gist.github.com/spiiin/5f425e2c769e766bb5fb8d4a51b65bbc I have an SSL certificate on the router valid for the name "example.com", but it looks like this code tries to connect via IP address, not via server name, so I get an SSL verification error (I think; I don't see any logs, only an endless connection attempt).

I checked the code with Python 2.7 and Python 3.6 on Windows and Ubuntu, using the version of autobahn installed via pip; nothing works.

If I change the first line of the code to: from autobahn.asyncio.wamp import ApplicationRunner the connection is established as expected, so possibly the bug is in the twisted version. I normally connect to the remote router via domain name, not via IP (as expected, the certificate is valid for the domain name only).

I also checked this idea with autobahn-js: the default router page https://example.com:8080/frontend.html connects as expected, but http://1.2.3.4:8080/frontend.html (where 1.2.3.4 is the IP of my example server) shows me "SSL_ERROR_BAD_CERT_DOMAIN - certificate valid only for name: example.com".

meejah commented 6 years ago

Can you try installing with pip install autobahn[encryption] (that is, include the "encryption" extra)?

spiiin commented 6 years ago

https://gist.github.com/spiiin/15926ed48129d7d3842ebe4303d28409 I think I already have all the needed packages. This test works for me as expected: https://github.com/crossbario/autobahn-python/tree/master/examples/twisted/wamp/pubsub/tls

The problem appears only when I use a real certificate, and only for the twisted version.

meejah commented 6 years ago

Does "pip install certifi" fix it?

spiiin commented 6 years ago

pip install certifi
Requirement already satisfied: certifi in d:\python27\lib\site-packages

No, nothing changed; the twisted version still doesn't work.

meejah commented 6 years ago

Hmmmmmm. Sounds like "probably a Twisted issue" .. but, can you try the Component interface? See also http://autobahn.readthedocs.io/en/latest/wamp/programming.html#running-components but something like:

from autobahn.twisted.component import Component, run
from autobahn.twisted.wamp import ApplicationSession


class MyAppSessionSubclass(ApplicationSession):
    # placeholder: put your existing ApplicationSession subclass here
    def onJoin(self, details):
        print("joined realm", details.realm)


comp = Component(
    # the hostname here must match the server certificate
    transports=u"wss://example.com:8080/ws",
    realm=u"realm1",
)
# you can just drop in your ApplicationSession subclass:
comp.session_factory = MyAppSessionSubclass

run([comp])

spiiin commented 6 years ago

Trying now:

2017-12-14T02:32:35+0300 connecting once using transport type "websocket" over endpoint "tcp"
2017-12-14T02:32:35+0300 Starting factory <autobahn.twisted.websocket.WampWebSocketClientFactory object at 0x0624D3D0>
2017-12-14T02:32:36+0300 component failed: Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
2017-12-14T02:32:36+0300 TLS failure: certificate verify failed
2017-12-14T02:32:36+0300 Marking this transport as failed
2017-12-14T02:32:36+0300 No remaining transports to try
2017-12-14T02:32:36+0300 Stopping factory <autobahn.twisted.websocket.WampWebSocketClientFactory object at 0x0624D3D0>
2017-12-14T02:32:36+0300 Main loop terminated.

meejah commented 6 years ago

Definitely it's sad about the certificate. This leads me to believe it might be "Twisted can't find the root certificates" for whatever reason (hence "certifi", etc). Can it connect to anything? (E.g. can you try a plain Twisted Web client request?)

spiiin commented 6 years ago

I used the twisted version during about two months of development via plain WebSocket (local and remote); it also worked with a self-signed certificate via the provided example, if I understand your question correctly.

Strange, why can the asyncio version and autobahn-js connect normally?

meejah commented 6 years ago

Yeah. They might be using a different technique to get the root certificates. Was this all on Ubuntu where it was failing, or Mac OS (or both)?

spiiin commented 6 years ago

Both Windows 10 and Ubuntu 16.04, both python 2.7 and 3.6

meejah commented 6 years ago

Oh, can you try pip install twisted[tls] as well? Or does this help: http://twistedmatrix.com/trac/ticket/9209

oberstet commented 6 years ago

fun with x509 ;) here is a long shot: use "example.com" in the URL when constructing the app runner, but patch in your IP for the host below this line https://github.com/crossbario/autobahn-python/blob/master/autobahn/twisted/wamp.py#L264

spiiin commented 6 years ago

@meejah pip install twisted[tls] already done.

sudo cp .crossbar/server_root.crt /usr/local/share/ca-certificates/server_root.crt
sudo update-ca-certificates

also done

Nothing changed

I can see exactly my server_root certificate in Firefox when trying to connect to https://1.2.3.4:8080/frontend.html and clicking on the SSL_ERROR_BAD_CERT_DOMAIN error.

I am new to SSL; is it possible to have an SSL certificate for a domain and an IP address, or for an IP address only?

Also, my config.json file for the router: https://gist.github.com/spiiin/6187b8ae5db3fdaf587eb5f62392e718

result of: openssl s_client -showcerts -connect example.com:8080 (I changed my real hostname to example.com, I think it doesn't matter) https://gist.github.com/spiiin/18202e5ec904a36f488c07e739dd5033

meejah commented 6 years ago

So, just to be clear here you're changing your actual hostname to example.com in all the above things so as not to reveal the real name, right? You're not actually using example.com?

oberstet commented 6 years ago

SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (eg. *.domain.com) or even an IP address, but it usually isn't. Anyway, the cert must match the hostname part of the URL you provide to the app runner.
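The matching rule described in the comment above, as an added example that is not code from this thread or from autobahn: a small pure-Python checker that applies RFC 6125 style name matching to a certificate's subjectAltName entries, in the same tuple shape that Python's ssl.getpeercert()['subjectAltName'] returns. The two SAN lists are constructed for illustration and do not come from the certificate in the thread. It shows why a certificate issued for example.com verifies when the client dials wss://example.com/... but not when it dials wss://1.2.3.4/..., and that an 'IP Address' SAN entry is what would make the IP URL acceptable. Modern verifiers (browsers, and Python 3.7+ via OpenSSL) match against subjectAltName; the Common Name is consulted, if at all, only when no SAN is present.

```python
import ipaddress

# Constructed sample SAN lists, in the tuple shape that Python's
# ssl.SSLSocket.getpeercert()['subjectAltName'] returns. Illustrative
# values only, not taken from the certificate discussed in the thread.
CERT_DNS_ONLY = (("DNS", "example.com"), ("DNS", "*.example.com"))
CERT_DNS_AND_IP = (("DNS", "example.com"), ("IP Address", "1.2.3.4"))


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname (RFC 6125 style).

    A wildcard is accepted only as the complete left-most label and
    matches exactly one label, so '*.example.com' matches
    'ws.example.com' but neither 'example.com' nor 'a.b.example.com'.
    Partial wildcards such as 'f*.example.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # only one wildcard, only as the full left-most label, and at least
    # two fixed labels after it (no '*.com')
    if "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def match_peer_name(subject_alt_names, host: str) -> bool:
    """Return True if `host` (DNS name or IP literal) is covered by the SANs.

    An IP literal matches only an 'IP Address' entry and a DNS name matches
    only a 'DNS' entry. A certificate that lists just DNS:example.com is
    therefore fine for wss://example.com/... and fails hostname
    verification for wss://1.2.3.4/..., which is the browser error seen in
    the thread.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in subject_alt_names:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP entry in the SAN, skip it
        elif ip is None and kind == "DNS":
            if _dns_label_match(value, host):
                return True
    return False


def explain(subject_alt_names, host: str) -> str:
    """Human-readable verdict mirroring the browser message in the thread."""
    if match_peer_name(subject_alt_names, host):
        return "OK: %s is covered by the certificate" % host
    names = ", ".join(value for _, value in subject_alt_names)
    return "SSL_ERROR_BAD_CERT_DOMAIN: certificate valid only for: %s" % names


if __name__ == "__main__":
    for sans in (CERT_DNS_ONLY, CERT_DNS_AND_IP):
        for host in ("example.com", "ws.example.com", "1.2.3.4"):
            print(explain(sans, host))
```

The checker is deliberately strict about IP literals: it does not fall back to comparing "1.2.3.4" textually against DNS entries, so the only way to make an IP URL verify is to issue the certificate with an iPAddress SAN entry (or connect by hostname, which is what the asyncio and autobahn-js clients in the thread were doing).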

spiiin commented 6 years ago

@meejah, yes, I use my real hostname in the certificate and in all my examples above, and only replaced it in the log output. Sorry for the miscommunication and misprints, English is not my native language.

I can provide more detailed information about my environment and reveal the real hostname/IP if that can help somehow.

For now I have just switched to asyncio as a solution; I can continue testing after finishing my current project.

oberstet commented 6 years ago

cannot reproduce