mrjoes / tornadio2

Python socket.io server implementation on top of Tornado framework

Safari wss Invalid certificate chain #59

Closed suquant closed 11 years ago

suquant commented 11 years ago

For example, we have:

In Safari, when the JS client connects to the server at wss://example.com:8080/socket.io/1/websocket/121a6ae3852addac4c159379a585a27a, it returns the error "WebSocket network error: OSStatus Error -9807: Invalid certificate chain",

but in Chrome and Firefox it works correctly.

My server config (Nginx):

nginx version: nginx/1.3.6
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.3.6/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.3.6/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.3.6/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.3.6/debian/modules/nginx-dav-ext-module

example.com

server {
    listen 80;
    server_name example.com www.example.com;

    rewrite ^(.*)$ https://example.com$1 permanent;
}

server {
    listen 443 ssl;

    server_name example.com www.example.com;

    ssl on;
    # server.crt is sent to clients as the chain: it must contain the leaf
    # certificate followed by any intermediate CA certificate(s)
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    access_log /var/log/nginx/example.access.log;
    error_log /var/log/nginx/example.error.log;

    root  /var/www/example/htdocs/;
    expires +1M;

    location / {
            include uwsgi_params;
            uwsgi_pass unix:///run/uwsgi/app/example/socket;
    }

    location /websocket_status {
        check_status;
    }

}

example.com:8080

upstream cluster {
    server 127.0.0.1:8001;

    check interval=3000 rise=2 fall=5 timeout=1000;
}

server {
    listen 8080;

    ssl on;
    # same bundle as the 443 server: leaf plus intermediate CA certificate(s)
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    proxy_pass cluster;
}

Thanks.

mrjoes commented 11 years ago
  1. If it is client-side error, looks like your client is missing certain certificates from the certification chain and you have to install them. This is quite possible if you're using self-signed certificate;
  2. Can you check if you can access static files in Safari via SSL?
  3. If yes, can you access http://example.com:8080/echo/ (if your endpoint name is echo) from Safari? It should display SockJS welcome message.
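
An added example for point 1 above, not code from this issue or from tornadio2: a standard-library-only check that a PEM bundle (what nginx's `ssl_certificate` sends to clients) is ordered leaf, then intermediate(s), and terminates at an issuer the client trusts. It walks just enough DER to pull the issuer and subject Names out of each certificate and compares them pairwise; strict clients such as Safari fail with "Invalid certificate chain" when an intermediate is missing, and they also reject a self-signed certificate they have not imported. The certificates used as input are constructed stand-ins (unsigned, with only the fields the parser reads); the CA names and `fake_cert_pem` helper are assumptions for the demo, not real issuers.

```python
"""Offline check of a PEM bundle's chain ordering (added example, stdlib only)."""
import base64
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_names(der):
    """Return (issuer, subject) as raw DER Name values from a DER X.509 certificate."""
    _, p, _ = der_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, p, _ = der_tlv(der, p)               # tbsCertificate ::= SEQUENCE
    tag, _, end = der_tlv(der, p)
    if tag == 0xA0:                         # [0] EXPLICIT version is optional
        p = end
    _, _, p = der_tlv(der, p)               # serialNumber
    _, _, p = der_tlv(der, p)               # signature AlgorithmIdentifier
    _, _, end = der_tlv(der, p)             # issuer Name
    issuer, p = der[p:end], end
    _, _, p = der_tlv(der, p)               # validity
    _, _, end = der_tlv(der, p)             # subject Name
    return issuer, der[p:end]


def pem_to_ders(pem):
    """Decode every CERTIFICATE block in a PEM bundle, in the order it appears."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_CERT.findall(pem)]


def check_chain(pem, trusted_pem=b""):
    """Return a list of problems; [] means leaf -> intermediates -> a trusted issuer."""
    ders = pem_to_ders(pem)
    if not ders:
        return ["no PEM certificates found"]
    names = [cert_names(d) for d in ders]
    roots = {cert_names(d)[1] for d in pem_to_ders(trusted_pem)}   # trusted subject DNs
    problems = []
    for i in range(len(names) - 1):         # cert i must be issued by cert i+1
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: "
                            "wrong order or missing intermediate CA certificate")
    last = len(names) - 1
    last_issuer, last_subject = names[last]
    if last_issuer == last_subject:         # chain ends in a self-signed certificate
        if last_subject not in roots:
            problems.append(f"certificate {last} is self-signed and not in the trust store: "
                            "clients that have not imported it will reject it (Safari does not prompt)")
    elif last_issuer not in roots:          # ends at a CA the client must already know
        problems.append(f"certificate {last} is issued by a CA that is neither in the bundle "
                        "nor in the trust store: missing intermediate or unknown CA")
    return problems


# --- constructed sample data: NOT real certificates, just the fields parsed above ---
def der_encode(tag, body):
    """Encode one DER TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), PrintableString } } }"""
    atv = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x13, cn.encode()))
    return der_encode(0x30, der_encode(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Unsigned stand-in certificate carrying only the TBS fields cert_names() reads."""
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))      # version v3
                     + der_encode(0x02, b"\x01")                       # serialNumber
                     + der_encode(0x30, der_encode(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
                     + der_name(issuer_cn)
                     + der_encode(0x30, b"")                           # validity placeholder
                     + der_name(subject_cn))
    der = der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    body = base64.encodebytes(der).decode()                            # wrapped at 76 columns
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n".encode()


LEAF = fake_cert_pem("example.com", "Example Intermediate CA")       # assumed names
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
SELF_SIGNED = fake_cert_pem("example.com", "example.com")

if __name__ == "__main__":
    print("leaf + intermediate :", check_chain(LEAF + INTERMEDIATE, ROOT) or "OK")
    print("leaf only           :", check_chain(LEAF, ROOT) or "OK")
    print("self-signed, no trust:", check_chain(SELF_SIGNED) or "OK")
```

To run it against a real deployment, feed `check_chain` the bytes of the bundle configured in `ssl_certificate` and, as `trusted_pem`, the system CA bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian-based systems). The check is deliberately limited to DN matching; it does not verify signatures or validity periods, which `openssl verify -untrusted intermediate.crt server.crt` covers.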
suquant commented 11 years ago

Static files work excellently, e.g. https://example.com/st/jquery.js :) When I open https://example.com:8080/echo/ Tornado prints "404: Not Found", but when I request https://example.com:8080/socket.io/1/ it prints "3fa3901358f37e091ae402455aa52a39:17:25:websocket,flashsocket,xhr-polling,jsonp-polling,htmlfile" in Safari.

I have the standard settings, so my endpoint name is socket.io, and also when I requested https://example.com:8080/socket.io/ the server printed "404: Not Found".

You can see this error at "https:// guesscards [dot] com" when you open the developer console in Safari ;)

What do you mean in point 1? Can you write a mini tutorial on how to do this? :)

Thanks in advance.

mrjoes commented 11 years ago

Not sure what can cause it, because it is browser issue.

  1. Try connecting your socket.io to http://example.com:8080/ so it won't go through nginx
  2. Try terminating SSL on nginx - tornadio2 will receive decrypted connections. Not sure if nginx supports this for websockets
  3. Googling showed that Safari might show error -9807 if there are time problems, there's missing certificate in the storage, etc. However this does not explain why you can access static content.

Overall, I never had this problem in Safari, so can't say anything for sure.
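
An added configuration example for point 2 above, not from this issue or from tornadio2: terminating TLS for the socket.io endpoint in nginx's regular http {} context instead of the TCP proxy, and serving the full certificate chain. nginx has proxied WebSocket connections (the Upgrade/Connection handling below) since version 1.3.13, so it would not work on the 1.3.6 build shown in the report. The upstream port, file paths and bundle name are assumptions.

```nginx
# Added example, not the issue author's config. Assumes tornadio2 listens on
# 127.0.0.1:8001 and that the chain bundle has been built with:
#   cat server.crt intermediate.crt > /etc/nginx/ssl/chain.crt
# Serving only the leaf certificate is what strict clients report as an
# invalid certificate chain.
upstream tornadio {
    server 127.0.0.1:8001;
}

server {
    listen 8080 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/chain.crt;   # leaf first, then intermediate(s)
    ssl_certificate_key /etc/nginx/ssl/server.key;

    location /socket.io/ {
        proxy_pass http://tornadio;                  # plain HTTP to the backend
        proxy_http_version 1.1;                      # required for Upgrade
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;    # lets the app know TLS was used
        proxy_read_timeout 3600s;                    # keep idle websocket/long-poll connections open
    }
}
```

After reloading, the chain the server actually sends can be inspected with `openssl s_client -connect example.com:8080 -servername example.com -showcerts`; the output should list the leaf followed by the intermediate, and `Verify return code: 0 (ok)` on a machine that trusts the issuing root.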

suquant commented 11 years ago

We strongly need an SSL connection. The Nginx TCP proxy module supports SSL (https://github.com/yaoweibin/nginx_tcp_proxy_module/tree/master/doc#ngx_tcp_ssl_module).

I think this is caused by the self-signed certificate, but at this time I do not have a signed certificate to test it :(

mrjoes commented 11 years ago

OK, here's small update:

According to https://github.com/igrigorik/em-websocket - "Safari 5 does not currently support prompting on untrusted SSL certificates therefore using signed certificates is highly recommended."

So it means you can't use the websocket transport with SSL enabled in Safari with a self-signed certificate. Socket.IO can't fall back to the polling transport for whatever reason, and the connection cannot be established.

Take a look at sockjs-tornado, http://github.com/mrjoes/sockjs-tornado/ - it is websocket polyfill, so has somewhat simpler API. But it will fallback to polling transport in this case.

suquant commented 11 years ago

Thanks mrjoes.

I had overcomplicated this. After developing the first version we bought a signed certificate and Safari worked correctly :) Interesting fact: socket.io automatically switches to xhr-polling in Safari :)

hsleewis commented 11 years ago

I have a signed certificate, "PositiveSSL CA 2", and every 5-6 days clients (Safari) trying to connect to my Node app give the same error, that the certificate is untrusted. A simple restart of the Node app fixes that.

Does anyone have an idea whether that's a problem with Safari or a problem with the type of certificate?

sebhildebrandt commented 10 years ago

So I also had the same problem (Node app, nginx, SSL, socket.io), and I also discovered that with Safari socket.io fell back to XHR (which took nearly 10 seconds). Chrome and Firefox worked fine. The reason was that I had a self-signed certificate. After getting an official certificate, everything worked fine!