postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

WebSockets and mTLS #12910

Open iliyan85 opened 3 weeks ago

iliyan85 commented 3 weeks ago

Is there an existing issue for this?

Describe the Issue

Based on the previous issue WebSockets and mTLS #11865,

I conducted several tests of using TLS client certificates for a wss connection, and as a result the connection wasn't established. The nginx error log file says:

client sent no required SSL certificate while reading client request headers

I tested with Postman v11.1.14 for Windows and Postman v11.1.13 for Linux and unfortunately the situation was the same for both.

Steps To Reproduce

  1. Import a p12 file in Postman for the given domain
  2. Create a WebSocket request to the wss endpoint
  3. Configure an HTTPS server for the given domain (nginx, for example) with a WebSocket location
  4. Try to connect

Screenshots or Videos

No response

Operating System

Windows

Postman Version

11.1.14

Postman Platform

Postman App

User Account Type

Signed In User

Additional Context?

No response

parthverma1 commented 3 weeks ago

Hi @iliyan85, I understand that you are having trouble connecting to websocket servers using mTLS and understand how frustrating it can be. I tried replicating this on the latest version of the desktop app on mac v11.1.4.


I was able to successfully connect to a websocket server running behind a nginx server with self signed certificates. I tested the connection using both a p12 file as well as using the cert + key file combination.

In order to diagnose the issue it would be helpful if you could:

listen 8080 ssl;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/ca.crt;
ssl_verify_client on;

I suspect there could be one of the following reasons for a failed connection

  1. The hostname/port combination being used doesn't match the address the server is running on. In this case, you should not be seeing the certificates being listed in the console.
  2. There is a mismatch in the certificates that are configured on the proxy (nginx etc) that is being used in front of the websocket server and what is configured in postman. In this case, the http request should also return an error with a similar message to what you are receiving when making the websocket connection indicating that the certificates setup in Postman don't match the ones configured on nginx.

It would be helpful if you can share any additional steps/information that are specific to your setup that might help us reproduce the issue so that we could investigate further.
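An added example, not part of the thread and not Postman's or nginx's own code: nginx logs one message when a client presents no certificate at all (the line quoted in the report) and a different one when the client presents a certificate that fails verification against `ssl_client_certificate`, so classifying error-log lines separates the two cases. The log lines, addresses, host names and paths below are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in nginx error_log format (addresses, hosts, paths are made up).
SAMPLE_LOG = """\
2024/06/10 12:00:01 [info] 71#71: *5 client sent no required SSL certificate while reading client request headers, client: 192.0.2.10, server: ws.example.test, request: "GET /ws HTTP/1.1", host: "ws.example.test:8080"
2024/06/10 12:00:09 [info] 71#71: *6 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 192.0.2.11, server: ws.example.test, request: "GET /ws HTTP/1.1", host: "ws.example.test:8080"
2024/06/10 12:00:15 [error] 71#71: *7 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: ws.example.test, request: "GET /favicon.ico HTTP/1.1", host: "ws.example.test:8080"
2024/06/10 12:00:20 [info] 71#71: *8 client sent no required SSL certificate while reading client request headers, client: 192.0.2.10, server: ws.example.test, request: "GET /ws HTTP/1.1", host: "ws.example.test:8080"
"""

# Handshake completed but the client presented no certificate.
NO_CERT = re.compile(r"client sent no required SSL certificate")
# A certificate was presented but failed chain verification; captures the OpenSSL code and text.
VERIFY_ERR = re.compile(r"client SSL certificate verify error: \((\d+):([^)]*)\)")
CLIENT = re.compile(r"client: ([^,\s]+)")
REQUEST = re.compile(r'request: "(\S+) (\S+)')


def classify(line):
    """Return (kind, detail, client, path) for an mTLS failure line, else None."""
    m = VERIFY_ERR.search(line)
    if m:
        kind, detail = "cert_rejected", f"{m.group(1)}:{m.group(2)}"
    elif NO_CERT.search(line):
        kind, detail = "no_cert_sent", ""
    else:
        return None
    client = CLIENT.search(line)
    req = REQUEST.search(line)
    return (kind, detail,
            client.group(1) if client else None,
            req.group(2) if req else None)


def summarize(log_text):
    """Count mTLS failures per (kind, client address, request path)."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            kind, _detail, client, path = hit
            counts[(kind, client, path)] += 1
    return counts


if __name__ == "__main__":
    for (kind, client, path), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind:14s} {client}  {path}")
```

nginx writes both messages at the `info` level, so the `error_log` directive has to be set to `info` (or more verbose) for them to appear.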

iliyan85 commented 3 weeks ago

First of all, I don't have any problem with nginx. :) Postman works fine for https locations with client certificate.

Also, Postman works fine for this one and can establish a wss connection if I turn ssl_verify_client off.

Otherwise (ssl_verify_client on), nginx returns 400.

parthverma1 commented 2 weeks ago

Hi @iliyan85,

It would be helpful if you could share a demo-repo or dummy certificates with which we can replicate the issue and fix it.