vi / websocat

Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
MIT License

MAC verification failed during PKCS12 import #32

Closed toonetown closed 5 years ago

toonetown commented 5 years ago

Running the latest version from Homebrew (websocat 1.2.0, and socat 1.7.3.2)

In one window, running this command (using test.pkcs12 from the git repo):

$ websocat --pkcs12-der=test.pkcs12 -s 1234
Listening on wss://127.0.0.1:1234/

In another window, running the command:

websocat -t --ws-c-uri=wss://127.0.0.1:1234/ - ws-c:cmd:'socat - ssl:127.0.0.1:1234,verify=0'

Once the connection is established, the "server" window displays the error:

websocat: MAC verification failed during PKCS12 import (wrong password?)

And the "client" window displays the error:

2019/03/01 07:15:13 socat[44652] E SSL_connect(): socket closed by peer
websocat: WebSocketError: WebSocket protocol error
websocat: error running

vi commented 5 years ago

Failed to reproduce on GNU/Linux, both when using websocat -k wss://127.0.0.1:1234/ and when using websocat -t --ws-c-uri=wss://127.0.0.1:1234/ - ws-c:cmd:'socat - ssl:127.0.0.1:1234,verify=0' as a client.

I get however websocat: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:../crypto/pkcs12/p12_kiss.c:66: if I try to load a password-protected pkcs12 file instead of test.pkcs12.

Is test.pkcs12 unmodified? md5sum should be adf5b4fbfd89386ec3878f40cdf4fb15.

Do you get the same error if you try to load a password-protected pkcs12 file (example attached)?

q.pkcs12.zip

toonetown commented 5 years ago

This is on macOS...I will attempt on a Linux machine.

vi commented 5 years ago

Reproduced the problem on Mac.

vi commented 5 years ago

Workaround using socat until Mac issue is addressed:

socat openssl-listen:1234,cert=cert.pem,key=key.pem,verify=0,fork,reuseaddr system:"./websocat_mac -t inetd-ws\\: open-fd\\:2"

Command to generate test certificate: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes.

toonetown commented 5 years ago

Verified that the workaround works!

vi commented 5 years ago

Implemented passwords for certificate archives and a warning for Mac users:

$ ./w --pkcs12-der ./test.pkcs12 -s 1234  
Listening on wss://127.0.0.1:1234/
websocat: PKCS12 archives without password may be unsupported on Mac
websocat: If you want a pre-made test certificate, use other file: `--pkcs12-der 1234.pkcs12 --pkcs12-passwd 1234`

1234.pkcs12 file is also in Git like test.pkcs12.
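
Added example, not part of the thread or of the websocat project: building a password-protected archive from a `key.pem`/`cert.pem` pair like the one the `openssl req` command above generates, and checking offline whether a given password passes the archive's MAC check. The names `make_p12`, `check_p12`, `demo.pkcs12` and the sample password are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: helper names, file names and the password are constructed.

# make_p12 DIR PASSWORD
# Generates a throwaway self-signed key/cert pair in DIR (same openssl req
# invocation as in the thread, with a smaller key and -subj to avoid prompts)
# and bundles both into DIR/demo.pkcs12 protected by PASSWORD.
make_p12() {
    dir=$1
    pass=$2
    openssl req -x509 -newkey rsa:2048 -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days 365 -nodes -subj "/CN=localhost" \
        2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/demo.pkcs12" -passout "pass:$pass"
}

# check_p12 FILE PASSWORD
# Returns 0 only if PASSWORD passes the MAC check of FILE. -noout suppresses
# all key and certificate output, so nothing sensitive is printed.
check_p12() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

# Typical use (run by hand):
#   make_p12 . 1234
#   check_p12 ./demo.pkcs12 1234  && echo "password accepted"
#   check_p12 ./demo.pkcs12 wrong || echo "MAC verification failed"
```

The resulting file is passed to websocat the same way as the pre-made one: `--pkcs12-der demo.pkcs12 --pkcs12-passwd 1234`.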

vi commented 5 years ago

Released Websocat 1.3.0 that includes this fix.

itrack commented 3 months ago

Hi, I have the same issue:

websocat -E --text wss-listen:0.0.0.0:8000 wss://testro.uisp.com:443 -v --pkcs12-der myfile.p12 --pkcs12-passwd "test" --one-message > output_file.txt
[INFO  websocat::net_peer] Incoming TCP connection from Some(10.20.0.3:56472)
[INFO  websocat::sessionserve] Serving 1 ongoing connections
websocat: MAC verification failed during PKCS12 import (wrong password?)
[INFO  websocat::net_peer] Incoming TCP connection from Some(10.20.0.3:56474)
[INFO  websocat::sessionserve] Serving 1 ongoing connections
websocat: MAC verification failed during PKCS12 import (wrong password?)
[INFO  websocat::net_peer] Incoming TCP connection from Some(10.20.0.3:56476)
[INFO  websocat::sessionserve] Serving 1 ongoing connections
websocat: MAC verification failed during PKCS12 import (wrong password?)
[INFO  websocat::net_peer] Incoming TCP connection from Some(10.20.0.3:56478)
[INFO  websocat::sessionserve] Serving 1 ongoing connections
websocat: MAC verification failed during PKCS12 import (wrong password?)
[INFO  websocat::net_peer] Incoming TCP connection from Some(10.20.0.3:56480)
[INFO  websocat::sessionserve] Serving 1 ongoing connections
websocat: MAC verification failed during PKCS12 import (wrong password?)
[INFO  websocat::net_peer] Incoming TCP connection from Some(10.20.0.3:56482)
[INFO  websocat::sessionserve] Serving 1 ongoing connections
websocat: MAC verification failed during PKCS12 import (wrong password?)
[INFO  websocat::net_peer] Incoming TCP connection from Some(10.20.0.3:56484)
[INFO  websocat::sessionserve] Serving 1 ongoing connections
websocat: MAC verification failed during PKCS12 import (wrong password?)
[INFO  websocat::net_peer] Incoming TCP connection from Some(10.20.0.3:56486)
[INFO  websocat::sessionserve] Serving 1 ongoing connections
websocat: MAC verification failed during PKCS12 import (wrong password?)

vi commented 3 months ago

Is the password correct? Does error change if you use deliberately incorrect password?

Are you also on macOS platform?

itrack commented 3 months ago

Hi @vi,

Password is correct and yes, macOS.

Thank you, Alex