statianzo / Fleck

C# Websocket Implementation
MIT License

SSPI Socket Closed #200

Closed barkermn01 closed 5 years ago

barkermn01 commented 7 years ago

Getting an exception that does not trigger a catch in Visual Studio, so I can't debug it.

[Error] Listener socket is closed System.AggregateException: One or more errors occurred. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: This client and server cannot communicate, because they do not possess a common algorithm.


statianzo commented 7 years ago

This client and server cannot communicate, because they do not possess a common algorithm

The error reads like an SSL protocol incompatibility.

Do you control the browser that's connecting?

What is your WebSocketServer.EnabledSslProtocols set to?

barkermn01 commented 7 years ago

I'm not sure, coz I don't get a break on the exception in VS; however, it is set up using

Server = new WebSocketServer(String.Format("wss://{0}:{1}", wsIPAddress, wsPort));
// point it at the certificate file
Server.Certificate = new X509Certificate2(keyFile, keyPass);
// pass the sub protocols to the server core
Server.SupportedSubProtocols = SubProtocols.ToArray();

and the keyFile variable is a working path to the PFX key and does work; I have tested this and have never been able to cause this error from my web browser.

However, I would assume that it is set to true, as it is set up with a certificate.

wsIPAddress and wsPort are also working as my web browser connects without a problem.

statianzo commented 7 years ago

Looks like you haven't set EnabledSslProtocols and the default is just SslProtocols.Tls. Try setting the following and seeing if you get the same error.

Server.EnabledSslProtocols = SslProtocols.Ssl3 | SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;

barkermn01 commented 7 years ago

Ok, will try that. Could you provide a little more detail though? Why would this cause problems only for certain connections... is this just a browser compatibility problem? As I test in FF, Chrome, Edge & Safari lol

statianzo commented 7 years ago

Sure. When SSL connections are created, it's done through a process of negotiating protocols. For example, if a client (browser) supports TLS 1.1 and TLS 1.2 and a server (Fleck) supports TLS 1.0 and TLS 1.1, then the connection will use TLS 1.1. However, if no compatible protocol is available (client only TLS 1.2 and server only TLS 1.0), then the connection will be closed.

AdrianBathurst commented 7 years ago

Does the order of the SSL protocols added to EnabledSslProtocols make any difference? Will it always try to use the best possible regardless?

statianzo commented 7 years ago

Order doesn't matter because they're enum values bitwise ORed (|) together.

As for the decided option, I would expect any modern browser to use the latest possible transport.

Also, I would recommend only including the SSL protocols you need. SSL v3 and TLS v1 have some vulnerabilities. Enabling everything should only be done temporarily to debug and see if this makes that error go away.
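
As an added example (not code from this issue or from Fleck itself): the version negotiation described above, modelled over the SslProtocols flags, together with a check that reports legacy versions left enabled on a Fleck server. The address, port, certificate path and password are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Fleck;

static class SslProtocolCheck
{
    // Versions that should only ever be enabled for a short debugging window.
    static readonly SslProtocols Legacy =
        SslProtocols.Ssl2 | SslProtocols.Ssl3 | SslProtocols.Tls | SslProtocols.Tls11;

    // Model of the handshake: each side advertises a set of versions and the
    // newest version both support is chosen. Returns SslProtocols.None when
    // there is no overlap, which is the case where the connection gets closed.
    public static SslProtocols Negotiate(SslProtocols client, SslProtocols server)
    {
        var common = client & server;
        return Enum.GetValues(typeof(SslProtocols)).Cast<SslProtocols>()
            .Where(p => p != SslProtocols.None && p != SslProtocols.Default && (common & p) == p)
            .DefaultIfEmpty(SslProtocols.None)
            .Max(); // enum values grow with protocol age, so Max() is the newest
    }

    // Returns the legacy versions present in a configured set so they can be logged.
    public static SslProtocols LegacyEnabled(SslProtocols enabled) => enabled & Legacy;

    static void Main()
    {
        // Constructed scenarios: a browser offering TLS 1.2 only against a server
        // left on TLS 1.0 (no common version), then the overlapping case.
        Console.WriteLine(Negotiate(SslProtocols.Tls12, SslProtocols.Tls));
        Console.WriteLine(Negotiate(SslProtocols.Tls11 | SslProtocols.Tls12,
                                    SslProtocols.Tls | SslProtocols.Tls11));

        // Placeholder endpoint and certificate; enable only the version that is needed.
        var server = new WebSocketServer("wss://0.0.0.0:8181");
        server.Certificate = new X509Certificate2("server.pfx", "PLACEHOLDER_PASSWORD");
        server.EnabledSslProtocols = SslProtocols.Tls12;

        var legacy = LegacyEnabled(server.EnabledSslProtocols);
        if (legacy != SslProtocols.None)
            Console.WriteLine($"Warning: legacy SSL/TLS versions enabled: {legacy}");

        server.Start(socket => { socket.OnOpen = () => Console.WriteLine("connection opened"); });
    }
}
```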

barkermn01 commented 7 years ago

I'm still getting this issue with

Server.EnabledSslProtocols = SslProtocols.Ssl3 | SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;

It seems to be time based though: it's fine for 12-16 hours, then every web socket connection seems to be causing that. The RSA key was generated by IIS, the SSL cert is from Namecheap and issued by Comodo, of type PKCS#7, then installed into the Windows Certificates system and exported as a PFX from that.

statianzo commented 7 years ago

Is your certificate a sha2? Clients using older OSs like XP don't support newer cert types.

barkermn01 commented 7 years ago

Erm, I'm using a Windows Server 2012 R2 EC2 instance and I don't know if it's using sha2 or not; that would be up to the IIS Certificate Signing Request generator. I would think it would not allow a certificate it can't support.

statianzo commented 7 years ago

It wouldn't be that your server doesn't support it, but the clients who are connecting to your websocket.