snapview / tokio-tungstenite

Future-based Tungstenite for Tokio. Lightweight stream-based WebSocket implementation
MIT License

IO error: cannot decrypt peer's message #291

Closed rosejober closed 1 year ago

rosejober commented 1 year ago

The features setting in tokio-tungstenite is rustls-tls-webpki-roots. When calling tokio_tungstenite::connect_async_tls_with_config, sometimes an "IO error: cannot decrypt peer's message" error occurs, but calling tokio_tungstenite::connect_async_tls_with_config multiple times works fine. How can I solve this problem?

agalakhov commented 1 year ago

We need a network traffic log (e.g. one from Wireshark) in order to debug this. I suspect some weird cipher is being used on the server side. In any case, this has nothing to do with Tungstenite. This is a TLS problem.

rosejober commented 1 year ago

@agalakhov Strangely, the error doesn't occur every time. Sometimes it works fine, and if it were a TLS issue, theoretically it would happen consistently. When the error occurs, trying to connect multiple times often resolves the issue.

agalakhov commented 1 year ago

Could it be just some kind of router issue? That is, some network packets get corrupted in transit? Is it reproducible with e.g. HTTPS browser connections, SSH connections and so on? Does it affect networking software other than WebSocket? What is between your client and your server, are both in the same net or far away from each other with unknown hardware between them?

rosejober commented 1 year ago

The HTTP request works perfectly fine, but I encounter this issue with WebSocket. I use the C library libwebsockets for communication without any issues. I suspect that it may be necessary to initialize rustls-tls-webpki-roots. When I didn't initialize it properly, it threw an exception error.


agalakhov commented 1 year ago

What you're saying means that the issue is due to the wrong certificate and/or CA chain being used. You need correct TLS roots in order to get TLS to work. As before, this is not directly related to Tungstenite. But if you're experiencing difficulties with webpki roots, there are also different choices such as providing roots manually or using native TLS with system built-in roots.
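
The trust-root choices named in the last comment, written out as Cargo feature selections. This is an added example, not part of the original thread or the project's documentation; `<version>` is a placeholder for whichever tokio-tungstenite release the project already pins, and only one of the three lines should be active at a time.

```toml
[dependencies]
# Setting from the original post: rustls as the TLS stack, trusting the
# Mozilla root set that the webpki-roots crate compiles into the binary.
# The OS trust store is never consulted, so a server whose chain ends in a
# private or locally installed CA cannot be verified with this feature.
tokio-tungstenite = { version = "<version>", features = ["rustls-tls-webpki-roots"] }

# Alternative: still rustls, but the roots are loaded at runtime from the
# operating system's certificate store, so CAs installed on the machine
# are trusted as well.
# tokio-tungstenite = { version = "<version>", features = ["rustls-tls-native-roots"] }

# Alternative: "native TLS with system built-in roots". The native-tls crate
# delegates the handshake and chain validation to the platform TLS library
# (SChannel on Windows, Secure Transport on macOS, OpenSSL elsewhere).
# tokio-tungstenite = { version = "<version>", features = ["native-tls"] }
```

Changing the feature changes only where trust anchors come from and which TLS library performs the handshake; the call to `connect_async_tls_with_config` in application code stays the same.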