Closed raymond-h closed 1 year ago
I've had the exact same problem trying to host a server on both DigitalOcean and AWS, each with separate domain names. I would be interested in helping to find a solution.
I'm not at all familiar with the code base, but I noticed this URL regex includes a literal '.' character:
https://github.com/smogon/pokemon-showdown-client/blob/master/crossdomain.php#L7
...and this other regex does not:
https://github.com/smogon/pokemon-showdown-client/blob/master/config/config-example.inc.php#L37
...which is used here to verify cross-domain requests:
https://github.com/smogon/pokemon-showdown-client/blob/master/lib/dispatcher.lib.php#L79
Perhaps related to this issue?
Sorry, wildcard certificates don't support an arbitrary number of levels, and we aren't going to register extra certificates to support this use-case.
That is perfectly understandable. As far as I know, because any and all domain names and IP addresses are going to contain at minimum one period, that leaves exactly one single option left - accessing the client using plain HTTP. Unfortunately this is a huge problem for my group of friends, because we've tried that plenty of times for many months now but keep hitting a problem that won't let that happen.
Specifically the problem is that for a handful of us in said group, their browser(s) will entirely at random just refuse to use HTTP for the Showdown client, and always enforce use of HTTPS (and being met with the above TLS issue). We have no idea what causes it, but we've tried pretty much everything there is to try - wiping every imaginable cache, trying different browsers, inspected the network traffic in the browser console... Sometimes it starts working again, but then sometimes it does not, and none of it provides a real lead on what's going on. The only thing close to a clue is that Chrome-based browsers do the redirect by apparently returning a 307 Internal Redirect
from cache with the header Non-Authoritative-Reason: DNS
, which leads to only a handful of Google results, none of which provide any further help.
It is a common enough issue that every time our friend group meets up (6-7 people), there's always 1-2 people who are hit by it and are completely unable to get around it, no matter what we try. I would've loved to have those issues with my friends' browsers just solved somehow instead, but we're at our wit's end with it.
What if the client was changed so the server address wasn't directly part of the client URL? Like what if periods were replaced with some other character(s)? Or maybe the server address as a whole was encoded with Base64 or something similar? It should be fairly straightforward and non-intrusive change to then just decode that before connecting to the server via Websocket, and TLS would no longer be a problem because the client address would no longer contain extra periods. I'm willing to contribute that change, if you consider that to be a good idea.
RE: 307 redirects, we were having the same issue a few months ago because of browser updates shipping new settings. In Chrome, I had to disable the "Async DNS resolver" flag. In Firefox, you have to disable "Enable DNS over HTTPS". It's currently documented as a workaround: https://github.com/smogon/pokemon-showdown/blob/master/CONTRIBUTING.md
Unsure where else to post this, as it is seemingly not an issue with the client as much as it's the web server hosting
*.psim.us
.When self-hosting a server, the officially-hosted client is still used with a domain of
[server-hostname].psim.us
. This works fine, when connecting with plain HTTP to that hostname. If[server-hostname]
contains no extra periods, using HTTPS also works fine.However, if you use HTTPS and
[server-hostname]
contains any extra periods, the browser will complain about failing to establish a TLS connection, with any variant of "no matching ciphers" as error message. This is a problem since regardless if you are hosting the server on a custom domain or just using its IP address, it's almost guaranteed there will be multiple periods in[server-hostname]
, making it impossible to use HTTPS for the client itself if playing on a self-hosted server.Example:
https://ab.psim.us/
loads the client just fine (and fails to connect to server at domainab
, but that is irrelevant - what matters is that the client loads), whilehttps://a.b.psim.us/
reports a problem connecting with errorSSL_ERROR_NO_CYPHER_OVERLAP
in Firefox.openssl version
:OpenSSL 1.1.1m 14 Dec 2021
Output from running
echo -n | openssl s_client -connect a.b.psim.us:443 -servername a.b.psim.us
:Output from
echo -n | openssl s_client -connect ab.psim.us:443 -servername ab.psim.us
(slightly abbreviated):