search

novnc / websockify

Websockify is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service.
GNU Lesser General Public License v3.0
3.94k stars 777 forks source link

wss access fails from Safari #22

Closed jmcintyre closed 10 years ago

jmcintyre commented 12 years ago

When connecting through ssl (wss://) from Safari (windows, mac, and iOS) the connection will fail with the following console output:

>python.exe websockify 82 localhost:8988 --cert="server.crt" --key="server.key" --ssl-only -v
WARNING: no 'resource' module, daemonizing is slower or disabled
WebSocket server settings:
  - Listen on :82
  - Flash security policy server
  - SSL/TLS support
  - Deny non-SSL/TLS connections
  - proxying from :82 to localhost:8988

  1: 10.108.2.223: new handler Process
WARNING: no 'resource' module, daemonizing is slower or disabled
  1: handler exception: 'WSRequestHandler' object has no attribute 'last_code'
  1: Traceback (most recent call last):
  File "D:\Perforce\Compass\dev\bin\websockify\websocket.py", line 750, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "D:\Perforce\Compass\dev\bin\websockify\websocket.py", line 622, in do_handshake
    if wsh.last_code == 101:AttributeError: 'WSRequestHandler' object has no attribute 'last_code'

Chrome connects and forwards successfully. Chrome is connecting with hybi-13 and Safari with Hixie-76. Standard ws connections work when allowed (no --ssl-only).

Python 3.2.2 Safari 5.1.2 iOS 4.3

jmcintyre commented 12 years ago

I saw what appears to be a related issue on the noVNC page.

https://github.com/kanaka/noVNC/issues/86

It appears that the discussion has stopped there. Is there anything I can do to further isolate the issue for you?

kanaka commented 12 years ago

@jmcintyre Can you update to the latest websockify (updating noVNC will get it) and try this again? I think I fixed an issue with using python 3 not detecting encrypted connections properly.

You will likely get a different (slightly more informative error) that is caused by Safari rejecting self-signed certificates. If you do, can you please report back the error and also follow the instructions on this wiki for forcing firefox (you will need to adjust for Safari) to accept a certificate?

https://github.com/kanaka/noVNC/wiki/Troubleshooting

If that works can you post back here the error you get and also the process for accepting the cert in Safari so that I can update that page with the Safari version of the error and instructions that are specific to Safari.

Thanks!

jmcintyre commented 12 years ago

Sorry for the late response. When I ran the output above the websockify code was up-to-date with what is now in github in both websockify and novnc including the "elif handshake[0] in ("\x16", "\x80", 22, 128):" change. Was there another change that I might not know about?

kanaka commented 12 years ago

@jmcintyre okay, understood. Were you able to manually validate the certificate (browsing directly to the websocket port) and see if that addresses the issue?

miztsai commented 12 years ago

@kanaka Hi, I ran into this same issue. Posting my logs hoping to help -

python wsproxy/wsproxy.py -v --web /var/www/vnc 6080 192.168.56.101:5900 --cert vrsn-test-cert.pem --key key.pem

WebSocket server settings:

Python 2.6.5 Safari 5.17

non-SSL mode works fine for the above setup. I am using self-signed certificate where the CA and Roots are installed on my Mac's Keychain (similar to cert manager in MS Windows).

NOTE: I am able to browse directly to the port (https://xxx:6080) and see file listing just fine. (With lock icon on top right of Safari window to denote that the cert is trusted)

CyrilPeponnet commented 11 years ago

Litte bump on this one ? I'll appreciate :)

DirectXMan12 commented 10 years ago

Closing due to age. Please reopen if this is still an issue.