warmcat / libwebsockets

canonical libwebsockets.org networking library
https://libwebsockets.org

Problem configuring SSL #1401

Closed pblemel closed 5 years ago

pblemel commented 5 years ago

Hi,

The symptom is that libwebsockets-test-server does not use SSL on QNX Neutrino 6 when started with ssl. Firefox/chrome each report errors when attempting to access https://172.23.93.35:7681/ ('172.23.93.35 sent an invalid response', and 'An error occurred during a connection to 172.23.93.35:7681. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG').

I've read through the docs and issues enough to know that this is almost certainly a mis-configuration, however I don't see what I missed :-/.

==============================================================

My configuration (in file cross-qnx-cmake) is:

SET(CMAKE_CROSSCOMPILING 1)
SET(CMAKE_SYSTEM_NAME QNX)
SET(arch gcc_ntoarmv7le)
SET(CMAKE_SYSTEM_PROCESSOR armv7-a)
SET(CMAKE_C_COMPILER qcc)
SET(CMAKE_C_COMPILER_TARGET ${arch})
SET(CMAKE_CXX_COMPILER QCC)
SET(CMAKE_CXX_COMPILER_TARGET ${arch})

SET(CMAKE_FIND_ROOT_PATH "/opt/qnx660/host/linux/x86/usr")
SET(OPENSSL_ROOT_DIR /opt/qnx660/host/linux/x86/usr)
SET(OPENSSL_INCLUDE_DIR /opt/qnx660/host/linux/x86/usr/include)
SET(OPENSSL_CRYPTO_LIBRARY /opt/qnx660/target/qnx6/armle-v7/usr/lib/libcrypto.so)
SET(OPENSSL_SSL_LIBRARY /opt/qnx660/target/qnx6/armle-v7/usr/lib/libssl.so)

SET(ZLIB_ROOT_DIR /opt/qnx660/host/linux/x86/usr)
SET(ZLIB_INCLUDE_DIR /opt/qnx660/host/linux/x86/usr/include)
SET(ZLIB_LIBRARY /opt/qnx660/target/qnx6/armle-v7/usr/lib/libz.so)

# Search headers and libraries in the target environment only.
SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)

SET(LWS_WITH_SSL ON)
SET(LWS_WITH_ZLIB ON)

SET(LWS_WITH_STATIC ON)
SET(LWS_WITH_SHARED ON)
SET(LWS_LINK_TESTAPPS_DYNAMIC ON)

==============================================================

/bin/cmake .. -DCMAKE_INSTALL_PREFIX:PATH=/tmp/lws-epic-root \
         -DCMAKE_TOOLCHAIN_FILE=../cross-qnx-cmake \
         -DLWS_WITH_MINIMAL_EXAMPLES=1 \
         -DLWS_WITHOUT_EXTENSIONS=0 \
         -DLWS_WITH_HTTP2=1 \
         -DLWS_WITH_SSL=1 \
         -DLWS_WITH_ZLIB=1 \
         -DLWS_WITH_ZIP_FOPS=1

-- The C compiler identification is QCC 4.7.3
-- Check for working C compiler: /opt/qnx660/host/linux/x86/usr/bin/qcc
-- Check for working C compiler: /opt/qnx660/host/linux/x86/usr/bin/qcc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- CMAKE_TOOLCHAIN_FILE='/home/users/staff/peter/src/msi/libwebsockets-master/cross-qnx-aarch64.cmake'
-- Found Git: /bin/git
fatal: Not a git repository (or any parent up to mount point /)
Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set).
Git commit hash:
-- Performing Test LWS_HAVE_inline
-- Performing Test LWS_HAVE_inline - Success
-- Performing Test LWS_HAVE___inline__
-- Performing Test LWS_HAVE___inline__ - Success
-- Performing Test LWS_HAVE___inline
-- Performing Test LWS_HAVE___inline - Success
-- Looking for bzero
-- Looking for bzero - found
-- Looking for fork
-- Looking for fork - found
-- Looking for getenv
-- Looking for getenv - found
-- Looking for malloc
-- Looking for malloc - found
-- Looking for memset
-- Looking for memset - found
-- Looking for realloc
-- Looking for realloc - found
-- Looking for socket
-- Looking for socket - not found
-- Looking for strerror
-- Looking for strerror - found
-- Looking for vfork
-- Looking for vfork - found
-- Looking for execvpe
-- Looking for execvpe - found
-- Looking for getifaddrs
-- Looking for getifaddrs - not found
-- Looking for snprintf
-- Looking for snprintf - found
-- Looking for _snprintf
-- Looking for _snprintf - not found
-- Looking for _vsnprintf
-- Looking for _vsnprintf - not found
-- Looking for getloadavg
-- Looking for getloadavg - not found
-- Looking for atoll
-- Looking for atoll - found
-- Looking for _atoi64
-- Looking for _atoi64 - not found
-- Looking for _stat32i64
-- Looking for _stat32i64 - not found
-- Looking for dlfcn.h
-- Looking for dlfcn.h - found
-- Looking for fcntl.h
-- Looking for fcntl.h - found
-- Looking for in6addr.h
-- Looking for in6addr.h - not found
-- Looking for memory.h
-- Looking for memory.h - found
-- Looking for netinet/in.h
-- Looking for netinet/in.h - found
-- Looking for stdint.h
-- Looking for stdint.h - found
-- Looking for stdlib.h
-- Looking for stdlib.h - found
-- Looking for strings.h
-- Looking for strings.h - found
-- Looking for string.h
-- Looking for string.h - found
-- Looking for sys/prctl.h
-- Looking for sys/prctl.h - not found
-- Looking for sys/socket.h
-- Looking for sys/socket.h - found
-- Looking for sys/sockio.h
-- Looking for sys/sockio.h - found
-- Looking for sys/stat.h
-- Looking for sys/stat.h - found
-- Looking for sys/types.h
-- Looking for sys/types.h - found
-- Looking for unistd.h
-- Looking for unistd.h - found
-- Looking for vfork.h
-- Looking for vfork.h - not found
-- Looking for sys/capability.h
-- Looking for sys/capability.h - not found
-- Looking for malloc.h
-- Looking for malloc.h - found
-- Looking for pthread.h
-- Looking for pthread.h - found
-- Looking for cap_set_flag in cap
-- Looking for cap_set_flag in cap - not found
-- Looking for zlib.h
-- Looking for zlib.h - found
-- Looking for 4 include files stdlib.h, ..., float.h
-- Looking for 4 include files stdlib.h, ..., float.h - found
-- Performing Test LWS_HAS_INTPTR_T
-- Performing Test LWS_HAS_INTPTR_T - Success
-- Performing Test LWS_HAVE_VISIBILITY
-- Performing Test LWS_HAVE_VISIBILITY - Success
-- Found ZLIB: /opt/qnx660/target/qnx6/armle-v7/usr/lib/libz.so
zlib include dirs: /opt/qnx660/host/linux/x86/usr/include
zlib libraries: /opt/qnx660/target/qnx6/armle-v7/usr/lib/libz.so
Compiling with SSL support
-- Found OpenSSL: /opt/qnx660/target/qnx6/armle-v7/usr/lib/libcrypto.so
OpenSSL include dir: /opt/qnx660/host/linux/x86/usr/include
OpenSSL libraries: /opt/qnx660/target/qnx6/armle-v7/usr/lib/libssl.so;/opt/qnx660/target/qnx6/armle-v7/usr/lib/libcrypto.so
-- Looking for openssl/ecdh.h
-- Looking for openssl/ecdh.h - found
-- Looking for SSL_CTX_set1_param
-- Looking for SSL_CTX_set1_param - found
-- Looking for SSL_set_info_callback
-- Looking for SSL_set_info_callback - found
-- Looking for X509_VERIFY_PARAM_set1_host
-- Looking for X509_VERIFY_PARAM_set1_host - not found
-- Looking for RSA_set0_key
-- Looking for RSA_set0_key - not found
-- Looking for X509_get_key_usage
-- Looking for X509_get_key_usage - not found
-- Looking for SSL_CTX_get0_certificate
-- Looking for SSL_CTX_get0_certificate - not found
-- Looking for SSL_get0_alpn_selected
-- Looking for SSL_get0_alpn_selected - not found
-- Looking for SSL_set_alpn_protos
-- Looking for SSL_set_alpn_protos - not found
-- Looking for SSL_CTX_get_extra_chain_certs_only
-- Looking for SSL_CTX_get_extra_chain_certs_only - not found
-- Looking for TLS_client_method
-- Looking for TLS_client_method - not found
-- Looking for TLSv1_2_client_method
-- Looking for TLSv1_2_client_method - found
-- Performing Test LWS_HAVE_PIPE2
-- Performing Test LWS_HAVE_PIPE2 - Failed
-- Performing Test LWS_HAVE_TCP_USER_TIMEOUT
-- Performing Test LWS_HAVE_TCP_USER_TIMEOUT - Failed
Searching for OpenSSL executable and dlls
OpenSSL executable: /usr/bin/openssl
 GENCERTS = 1
Generating SSL Certificates for the test-server...
Generating a 1024 bit RSA private key
..............++++++
...................++++++
writing new private key to '/home/users/staff/peter/src/msi/libwebsockets-master/build-qnx/libwebsockets-test-server.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:State or Province Name (full name) []:Locality Name (eg, city) [Default City]:Organization Name (eg, company) [Default Company Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:SUCCESSFULLY generated SSL certificate
-- Looking for RPMTools... - found rpmuild is /bin/rpmbuild
-- RPMTools:: Using RPM_ROOTDIR=/home/users/staff/peter/src/msi/libwebsockets-master/build-qnx/RPM
-- Simple copy spec file <scripts/libwebsockets.spec> --> </home/users/staff/peter/src/msi/libwebsockets-master/build-qnx/RPM/SPECS/libwebsockets.spec>
---------------------------------------------------------------------
  Settings:  (For more help do cmake -LH <srcpath>)
---------------------------------------------------------------------
 LWS_WITH_STATIC = ON
 LWS_WITH_SHARED = ON
 LWS_WITH_SSL = ON (SSL Support)
 LWS_SSL_CLIENT_USE_OS_CA_CERTS = 1
 LWS_WITH_WOLFSSL = OFF (wolfSSL/CyaSSL replacement for OpenSSL)
 LWS_WITH_MBEDTLS = OFF (mbedTLS replacement for OpenSSL)
 LWS_WITHOUT_BUILTIN_SHA1 = OFF
 LWS_WITHOUT_BUILTIN_GETIFADDRS = OFF
 LWS_WITHOUT_CLIENT = OFF
 LWS_WITHOUT_SERVER = OFF
 LWS_LINK_TESTAPPS_DYNAMIC = ON
 LWS_WITHOUT_TESTAPPS = OFF
 LWS_WITHOUT_TEST_SERVER = OFF
 LWS_WITHOUT_TEST_SERVER_EXTPOLL = OFF
 LWS_WITHOUT_TEST_PING = OFF
 LWS_WITHOUT_TEST_CLIENT = OFF
 LWS_WITHOUT_EXTENSIONS = 0
 LWS_WITH_LATENCY = OFF
 LWS_WITHOUT_DAEMONIZE = ON
 LWS_WITH_LIBEV = OFF
 LWS_WITH_LIBUV = OFF
 LWS_WITH_LIBEVENT = OFF
 LWS_IPV6 = OFF
 LWS_UNIX_SOCK = ON
 LWS_WITH_HTTP2 = 1
 LWS_SSL_SERVER_WITH_ECDH_CERT = OFF
 LWS_MAX_SMP = 1
 LWS_HAVE_PTHREAD_H = 1
 LWS_WITH_CGI = OFF
 LWS_HAVE_OPENSSL_ECDH_H = 1
 LWS_HAVE_SSL_CTX_set1_param = 1
 LWS_HAVE_RSA_SET0_KEY =
 LWS_WITH_HTTP_PROXY = OFF
 LIBHUBBUB_LIBRARIES =
 PLUGINS =
 LWS_WITH_ACCESS_LOG = OFF
 LWS_WITH_SERVER_STATUS = OFF
 LWS_WITH_LEJP = ON
 LWS_WITH_LEJP_CONF = ON
 LWS_WITH_SMTP = OFF
 LWS_WITH_GENERIC_SESSIONS = OFF
 LWS_STATIC_PIC = OFF
 LWS_WITH_RANGES = OFF
 LWS_PLAT_OPTEE = OFF
 LWS_WITH_ESP32 = OFF
 LWS_WITH_ZIP_FOPS = 1
 LWS_AVOID_SIGPIPE_IGN = OFF
 LWS_WITH_STATS = OFF
 LWS_WITH_SOCKS5 = OFF
 LWS_HAVE_SYS_CAPABILITY_H =
 LWS_HAVE_LIBCAP =
 LWS_WITH_PEER_LIMITS = OFF
 LWS_HAVE_ATOLL = 1
 LWS_HAVE__ATOI64 =
 LWS_HAVE_STAT32I64 =
 LWS_HAS_INTPTR_T = 1
 LWS_WITH_EXPORT_LWSTARGETS = ON
---------------------------------------------------------------------
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/client-server/minimal-ws-proxy
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-client/minimal-http-client
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-client/minimal-http-client-certinfo
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-client/minimal-http-client-hugeurl
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-client/minimal-http-client-multi
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-client/minimal-http-client-post
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-basicauth
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-dynamic
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-eventlib
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-eventlib-demos
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-eventlib-foreign
Extra libs:
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-form-get
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-form-post
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-form-post-file
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-mimetypes
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-multivhost
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-smp
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-sse
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-sse-ring
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-tls
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/http-server/minimal-http-server-tls-80
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/raw/minimal-raw-adopt-tcp
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/raw/minimal-raw-adopt-udp
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/raw/minimal-raw-file
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/raw/minimal-raw-netcat
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/raw/minimal-raw-vhost
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-client/minimal-ws-client-echo
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-client/minimal-ws-client-ping
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-client/minimal-ws-client-pmd-bulk
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-client/minimal-ws-client-rx
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-client/minimal-ws-client-tx
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-server/minimal-ws-broker
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-server/minimal-ws-server
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-server/minimal-ws-server-echo
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-server/minimal-ws-server-pmd
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-server/minimal-ws-server-pmd-bulk
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-server/minimal-ws-server-ring
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-server/minimal-ws-server-threadpool
Processing /home/users/staff/peter/src/msi/libwebsockets-master/minimal-examples/ws-server/minimal-ws-server-threads
-- Configuring done
-- Generating done
-- Build files have been written to: /home/users/staff/peter/src/msi/libwebsockets-master/build-qnx

==============================================================

'make' builds everything without errors (output omitted)

./bin/libwebsockets-test-server --ssl

[2000/01/01 19:02:15:8020] NOTICE: libwebsockets test server - license LGPL2.1+SLE
[2000/01/01 19:02:15:8050] NOTICE: (C) Copyright 2010-2018 Andy Green <andy@warmcat.com>

When a browser/client connects in HTTP everything works. When using https://172.23.93.35:7681 :

Using resource path "/tmp/lws-cross-root/share/libwebsockets-test-server"
[2000/01/01 19:02:15:8160] NOTICE: Creating Vhost 'default' port 7681, 5 protocols, IPv6 off
[2000/01/01 19:02:20:4650] NOTICE: forbidding on uri sanitation
[2000/01/01 19:02:20:4710] NOTICE: forbidding on uri sanitation

Thanks in advance! Peter

pblemel commented 5 years ago

I apologize for the font weirdness. I'm not sure how to escape program output to prevent that.

Thanks, Peter

lws-team commented 5 years ago

The markdown wants three backticks before and after to show it as pre... I edited it in.

First check with native ldd (or objdump) on the target that the lws library / test app binary binds to the native openssl as you expect. Check the path is where you think you put the latest versions on the target.

Check timestamps / sha1sum on target + crossbuild machine that the files on the target are the latest ones you built.

If you build with -DCMAKE_BUILD_TYPE=DEBUG, you can run with -d1039 or so to see more verbose INFO logs.

pblemel commented 5 years ago

> First check with native ldd (or objdump) on the target that the lws library / test app binary binds to the native openssl as you expect. Check the path is where you think you put the latest versions on the target.

# ldd bin/libwebsockets-test-server
./bin/libwebsockets-test-server:
        libwebsockets.so.13 => /fs/emmc/lib/libwebsockets.so (0x78000000)
        libz.so.2 => /fs/emmc/usr/lib/libz.so.2 (0x78030000)
        libssl.so.2 => /fs/emmc/usr/lib/libssl.so.2 (0x78050000)
        libcrypto.so.2 => /fs/emmc/usr/lib/libcrypto.so.2 (0x78100000)
        libsocket.so.3 => /proc/boot/libsocket.so.3 (0x78090000)
        libm.so.2 => /proc/boot/libm.so.2 (0x780c0000)
        libc.so.3 => /usr/lib/ldqnx.so.2 (0x1000000)

# ldd lib/libwebsockets.so*
./lib/libwebsockets.so:
        libwebsockets.so.13 => /mnt/tmp/lws-epic-root/lib/libwebsockets.so.13 (0x78000000)
        libz.so.2 => /fs/emmc/usr/lib/libz.so.2 (0x78030000)
        libssl.so.2 => /fs/emmc/usr/lib/libssl.so.2 (0x78050000)
        libcrypto.so.2 => /fs/emmc/usr/lib/libcrypto.so.2 (0x78100000)
        libsocket.so.3 => /proc/boot/libsocket.so.3 (0x78090000)
        libm.so.2 => /proc/boot/libm.so.2 (0x780c0000)

./lib/libwebsockets.so.13:
        libwebsockets.so.13 => /mnt/tmp/lws-epic-root/lib/libwebsockets.so.13 (0x78000000)
        libz.so.2 => /fs/emmc/usr/lib/libz.so.2 (0x78030000)
        libssl.so.2 => /fs/emmc/usr/lib/libssl.so.2 (0x78050000)
        libcrypto.so.2 => /fs/emmc/usr/lib/libcrypto.so.2 (0x78100000)
        libsocket.so.3 => /proc/boot/libsocket.so.3 (0x78090000)
        libm.so.2 => /proc/boot/libm.so.2 (0x780c0000)

These appear to be correct.

On host

make clean ; make -DCMAKE_BUILD_TYPE=DEBUG ; make install 

On target

# ls -l bin
total 6580
-rwxr-xr-x   1 1001      300          682116 Sep 08 14:18 libwebsockets-test-client
-rwxr-xr-x   1 1001      300          658380 Sep 08 14:18 libwebsockets-test-fuzxy
-rwxr-xr-x   1 1001      300          623080 Sep 08 14:18 libwebsockets-test-lejp
-rwxr-xr-x   1 1001      300          701759 Sep 08 14:18 libwebsockets-test-server
-rwxr-xr-x   1 1001      300          702898 Sep 08 14:18 libwebsockets-test-server-extpoll

The timestamps match up

./bin/libwebsockets-test-server --ssl -d1039

[2018/09/08 14:29:41:8970] NOTICE: libwebsockets test server - license LGPL2.1+SLE
[2018/09/08 14:29:41:9000] NOTICE: (C) Copyright 2010-2018 Andy Green <andy@warmcat.com>
Using resource path "/mnt/tmp/lib/lws-cross-root/share/libwebsockets-test-server"
[2018/09/08 14:29:41:9110] NOTICE: Creating Vhost 'default' port 7681, 5 protocols, IPv6 off
[2018/09/08 14:29:41:9200] INFO: LWS_CALLBACK_EVENT_WAIT_CANCELLED
[2018/09/08 14:29:46:3270] INFO: LWS_CALLBACK_EVENT_WAIT_CANCELLED
[2018/09/08 14:29:46:3350] NOTICE: forbidding on uri sanitation
[2018/09/08 14:29:46:3400] INFO: LWS_CALLBACK_EVENT_WAIT_CANCELLED
[2018/09/08 14:29:46:3410] NOTICE: forbidding on uri sanitation

Edited after re-cmake'ing.

Thanks for taking a look :-)

Peter

lws-team commented 5 years ago

> make clean ; make -DCMAKE_BUILD_TYPE=DEBUG ; make install

No... that's an argument to cmake. You can set() it (without the -D) in the cmake cross file then redo the build process.

> ./bin/libwebsockets-test-server:
> libwebsockets.so.13 => /fs/emmc/lib/libwebsockets.so (0x78000000)
> # ldd lib/libwebsockets.so*
> ./lib/libwebsockets.so:
> libwebsockets.so.13 => /mnt/tmp/lws-epic-root/lib/libwebsockets.so.13 (0x78000000)

These paths differ? How come the .so includes itself in the ldd list, is that a qnx thing? The .so should be a symlink to .so.13 no need to list both.
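
The comparison made above (the same soname resolving to different paths for the test app and for the library) can be automated over saved `ldd` listings. This is an added example, not part of the original thread or of libwebsockets; the function names and temporary file names are hypothetical, and the sample input is the `ldd` output quoted in this thread.

```shell
#!/bin/sh
# Added example: flag sonames that two ldd listings resolve to different files.
# Assumes each listing was saved to a file and that paths contain no spaces.

# ldd_conflicts LISTING_A LISTING_B
# Prints one line per soname that both listings resolve, but to different paths.
ldd_conflicts() {
    awk '
        # Only lines of the form "soname => /absolute/path (addr)" matter.
        $2 == "=>" && $3 ~ /^\// {
            if (FILENAME == ARGV[1]) { first[$1] = $3; next }
            key = $1 SUBSEP $3
            if (($1 in first) && first[$1] != $3 && !(key in seen)) {
                seen[key] = 1          # a listing may repeat a section
                print $1, first[$1], $3
            }
        }
    ' "$1" "$2" |
    while read -r soname path_a path_b; do
        # Same bytes behind both names (for example .so symlinked to .so.13)
        # is not a conflict; this can only be checked where the files exist.
        if [ -e "$path_a" ] && [ -e "$path_b" ] && cmp -s "$path_a" "$path_b"; then
            continue
        fi
        printf '%s: %s != %s\n' "$soname" "$path_a" "$path_b"
    done
}

# Sample input: the ldd output posted in this thread.
demo_thread_listings() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/app.ldd" <<'EOF'
./bin/libwebsockets-test-server:
        libwebsockets.so.13 => /fs/emmc/lib/libwebsockets.so (0x78000000)
        libz.so.2 => /fs/emmc/usr/lib/libz.so.2 (0x78030000)
        libssl.so.2 => /fs/emmc/usr/lib/libssl.so.2 (0x78050000)
        libcrypto.so.2 => /fs/emmc/usr/lib/libcrypto.so.2 (0x78100000)
        libsocket.so.3 => /proc/boot/libsocket.so.3 (0x78090000)
        libm.so.2 => /proc/boot/libm.so.2 (0x780c0000)
        libc.so.3 => /usr/lib/ldqnx.so.2 (0x1000000)
EOF
    cat > "$tmp/lib.ldd" <<'EOF'
./lib/libwebsockets.so:
        libwebsockets.so.13 => /mnt/tmp/lws-epic-root/lib/libwebsockets.so.13 (0x78000000)
        libz.so.2 => /fs/emmc/usr/lib/libz.so.2 (0x78030000)
        libssl.so.2 => /fs/emmc/usr/lib/libssl.so.2 (0x78050000)
        libcrypto.so.2 => /fs/emmc/usr/lib/libcrypto.so.2 (0x78100000)
        libsocket.so.3 => /proc/boot/libsocket.so.3 (0x78090000)
        libm.so.2 => /proc/boot/libm.so.2 (0x780c0000)

./lib/libwebsockets.so.13:
        libwebsockets.so.13 => /mnt/tmp/lws-epic-root/lib/libwebsockets.so.13 (0x78000000)
        libz.so.2 => /fs/emmc/usr/lib/libz.so.2 (0x78030000)
        libssl.so.2 => /fs/emmc/usr/lib/libssl.so.2 (0x78050000)
        libcrypto.so.2 => /fs/emmc/usr/lib/libcrypto.so.2 (0x78100000)
        libsocket.so.3 => /proc/boot/libsocket.so.3 (0x78090000)
        libm.so.2 => /proc/boot/libm.so.2 (0x780c0000)
EOF
    result=$(ldd_conflicts "$tmp/app.ldd" "$tmp/lib.ldd")
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

demo_thread_listings
```

Run where the listed paths exist (on the target), the `cmp` step suppresses pairs that are the same file under two names, so only a genuinely different copy of the library is reported.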

pblemel commented 5 years ago

Good catch :-) There was indeed a conflicting libwebsockets.so on the target, even though the library is not in the host tool chain or in the QNX distro as far as I can tell. There must have been a previous attempt to port to this target in the past.

I am now getting a different failure, that I have not yet had time to check the various README's to resolve :+1:

# ./bin/libwebsockets-test-server --ssl -d1039
[2000/01/01 20:22:25:1360] NOTICE: libwebsockets test server - license LGPL2.1+SLE
[2000/01/01 20:22:25:1380] NOTICE: (C) Copyright 2010-2018 Andy Green <andy@warmcat.com>
Using resource path "/mnt/tmp/lib/lws-cross-root/share/libwebsockets-test-server"
[2000/01/01 20:22:25:1390] INFO: Initial logging level 1039
[2000/01/01 20:22:25:1400] INFO: Libwebsockets version: 3.0.99 unknown-build-hash
[2000/01/01 20:22:25:1410] INFO: Compiled with
[2000/01/01 20:22:25:1420] INFO: IPV6 not compiled in
[2000/01/01 20:22:25:1430] INFO:  LWS_DEF_HEADER_LEN    : 4096
[2000/01/01 20:22:25:1440] INFO:  LWS_MAX_PROTOCOLS     : 5
[2000/01/01 20:22:25:1440] INFO:  LWS_MAX_SMP           : 1
[2000/01/01 20:22:25:1450] INFO:  sizeof (*info)        : 296
[2000/01/01 20:22:25:1460] INFO:  SYSTEM_RANDOM_FILEPATH: '/dev/urandom'
[2000/01/01 20:22:25:1470] INFO:  HTTP2 support         : available
[2000/01/01 20:22:25:1480] INFO: Using event loop: poll
[2000/01/01 20:22:25:1490] INFO: Default ALPN advertisment: h2,http/1.1
[2000/01/01 20:22:25:1500] INFO:  default timeout (secs): 5
[2000/01/01 20:22:25:1530] INFO:  Threads: 1 each 1000 fds
[2000/01/01 20:22:25:1540] INFO:  mem: context:          4728 B (632 ctx + (1 thr x 4096))
[2000/01/01 20:22:25:1550] INFO:  mem: http hdr rsvd:   5032000 B (1 thr x (4096 + 936) x 1000))
[2000/01/01 20:22:25:1560] INFO:  mem: pollfd map:       8000
[2000/01/01 20:22:25:1570] INFO:  mem: platform fd map:  4000 bytes
[2000/01/01 20:22:25:1590] INFO:  Compiled with OpenSSL support
[2000/01/01 20:22:25:1600] INFO: Doing SSL library init
[2000/01/01 20:22:25:2150] INFO:  LWS_MAX_EXTENSIONS_ACTIVE: 1
[2000/01/01 20:22:25:2160] INFO:  mem: per-conn:          360 bytes + protocol rx buf
[2000/01/01 20:22:25:2170] INFO:  canonical_hostname = cigm_10
[2000/01/01 20:22:25:2180] INFO: lws_cancel_service
[2000/01/01 20:22:25:2190] NOTICE: Creating Vhost 'default' port 7681, 5 protocols, IPv6 off
[2000/01/01 20:22:25:2200] INFO:    mounting file:///mnt/tmp/lib/lws-cross-root/share/libwebsockets-test-server to /
[2000/01/01 20:22:25:2210] INFO:    mounting callback://protocol-post-demo to /formtest
[2000/01/01 20:22:25:2220] INFO:    mounting file:///mnt/tmp/lib/lws-cross-root/share/libwebsockets-test-server/candide.zip to /ziptest
[2000/01/01 20:22:25:2230] NOTICE:  SSL ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!HMAC_SHA1:!SHA1:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA256:!AES128-GCM-SH...
[2000/01/01 20:22:25:2250] NOTICE:  Using SSL mode
[2000/01/01 20:22:25:2550] INFO:  SSL options 0x13520004
[2000/01/01 20:22:25:2740] ERR: problem getting cert '/mnt/tmp/lib/lws-cross-root/share/libwebsockets-test-server/libwebsockets-test-server.pem' 33558530: error:02001002:lib(2):func(1):reason(2)
[2000/01/01 20:22:25:2760] ERR: lws_create_vhost: lws_context_init_server_ssl failed
[2000/01/01 20:22:25:2770] INFO: lws_vhost_destroy1
[2000/01/01 20:22:25:2780] INFO: __lws_vhost_destroy2: 8057620
[2000/01/01 20:22:25:2840] INFO:   __lws_vhost_destroy2: Freeing vhost 8057620
[2000/01/01 20:22:25:2850] ERR: vhost creation failed

pblemel commented 5 years ago

This one appears to be on me. There's a typo in the path (related to the other issue I posted re: resource path). I'll fix it and let you know how it goes.

Thanks for your help.

Peter

lws-team commented 5 years ago

> 2000/01/01 20:22:25:2740] ERR: problem getting cert '/mnt/tmp/lib/lws-cross-root/share/libwebsockets-test-server/libwebsockets-test-server.pem' 33558530: error:02001002:lib(2):func(1):reason(2)

That path presumably doesn't exist.

When you correct it (just hack the correct path in or whatever) your next problem is the date is garbage, the cert will be rejected since its starting validity date is in the future.

pblemel commented 5 years ago

> When you correct it (just hack the correct path in or whatever) your next problem is the date is garbage, the cert will be rejected since its starting validity date is in the future.

Yes, I rebooted the target after removing the conflicting shared lib. The target isn't configured to pick up NTP, and I need to manually set the date/time.

pblemel commented 5 years ago

It looks like my next step is updating openssl. The version shipped with QNX gives LWS grief.

# ./bin/libwebsockets-test-server --ssl -d1039
[2018/09/08 14:24:35:0500] NOTICE: libwebsockets test server - license LGPL2.1+SLE
[2018/09/08 14:24:35:0510] NOTICE: (C) Copyright 2010-2018 Andy Green <andy@warmcat.com>
Using resource path "/mnt/tmp/lws-epic-root/share/libwebsockets-test-server"
[2018/09/08 14:24:35:0530] INFO: Initial logging level 1039
[2018/09/08 14:24:35:0540] INFO: Libwebsockets version: 3.0.99 unknown-build-hash
[2018/09/08 14:24:35:0550] INFO: Compiled with
[2018/09/08 14:24:35:0550] INFO: IPV6 not compiled in
[2018/09/08 14:24:35:0560] INFO:  LWS_DEF_HEADER_LEN    : 4096
[2018/09/08 14:24:35:0570] INFO:  LWS_MAX_PROTOCOLS     : 5
[2018/09/08 14:24:35:0580] INFO:  LWS_MAX_SMP           : 1
[2018/09/08 14:24:35:0590] INFO:  sizeof (*info)        : 296
[2018/09/08 14:24:35:0600] INFO:  SYSTEM_RANDOM_FILEPATH: '/dev/urandom'
[2018/09/08 14:24:35:0610] INFO:  HTTP2 support         : available
[2018/09/08 14:24:35:0620] INFO: Using event loop: poll
[2018/09/08 14:24:35:0630] INFO: Default ALPN advertisment: h2,http/1.1
[2018/09/08 14:24:35:0640] INFO:  default timeout (secs): 5
[2018/09/08 14:24:35:0670] INFO:  Threads: 1 each 1000 fds
[2018/09/08 14:24:35:0680] INFO:  mem: context:          4728 B (632 ctx + (1 thr x 4096))
[2018/09/08 14:24:35:0690] INFO:  mem: http hdr rsvd:   5032000 B (1 thr x (4096 + 936) x 1000))
[2018/09/08 14:24:35:0700] INFO:  mem: pollfd map:       8000
[2018/09/08 14:24:35:0710] INFO:  mem: platform fd map:  4000 bytes
[2018/09/08 14:24:35:0730] INFO:  Compiled with OpenSSL support
[2018/09/08 14:24:35:0740] INFO: Doing SSL library init
[2018/09/08 14:24:35:1290] INFO:  LWS_MAX_EXTENSIONS_ACTIVE: 1
[2018/09/08 14:24:35:1310] INFO:  mem: per-conn:          360 bytes + protocol rx buf
[2018/09/08 14:24:35:1320] INFO:  canonical_hostname = cigm_10
[2018/09/08 14:24:35:1330] INFO: lws_cancel_service
[2018/09/08 14:24:35:1340] NOTICE: Creating Vhost 'default' port 7681, 5 protocols, IPv6 off
[2018/09/08 14:24:35:1350] INFO:    mounting file:///mnt/tmp/lws-epic-root/share/libwebsockets-test-server to /
[2018/09/08 14:24:35:1360] INFO:    mounting callback://protocol-post-demo to /formtest
[2018/09/08 14:24:35:1370] INFO:    mounting file:///mnt/tmp/lws-epic-root/share/libwebsockets-test-server/candide.zip to /ziptest
[2018/09/08 14:24:35:1380] NOTICE:  SSL ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!HMAC_SHA1:!SHA1:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA256:!AES128-GCM-SH...
[2018/09/08 14:24:35:1390] NOTICE:  Using SSL mode
[2018/09/08 14:24:35:1690] INFO:  SSL options 0x13520004
[2018/09/08 14:24:35:3200] NOTICE:  SSL ECDH curve 'prime256v1'
[2018/09/08 14:24:35:3210] ERR:  HTTP2 / ALPN configured but not supported by OpenSSL 0x1000103f
[2018/09/08 14:24:35:3270] NOTICE: lws_tls_client_create_vhost_context: doing cert filepath /mnt/tmp/lws-epic-root/share/libwebsockets-test-server/libwebsockets-test-server.pem
[2018/09/08 14:24:35:3310] NOTICE: Loaded client cert /mnt/tmp/lws-epic-root/share/libwebsockets-test-server/libwebsockets-test-server.pem
[2018/09/08 14:24:35:3330] NOTICE: lws_tls_client_create_vhost_context: doing private key filepath
[2018/09/08 14:24:35:3350] NOTICE: Loaded client cert private key /mnt/tmp/lws-epic-root/share/libwebsockets-test-server/libwebsockets-test-server.key.pem
[2018/09/08 14:24:35:3370] NOTICE: created client ssl context for default
[2018/09/08 14:24:35:3390] INFO: lws_vhost_bind_wsi: vh default: count_bound_wsi 1
[2018/09/08 14:24:35:3400] INFO: lws_protocol_init
[2018/09/08 14:24:35:3410] NOTICE: openssl is too old to support lws_tls_vhost_cert_info
[2018/09/08 14:24:35:3420] INFO: LWS_CALLBACK_EVENT_WAIT_CANCELLED
[2018/09/08 14:24:38:5830] INFO: lws_vhost_bind_wsi: vh default: count_bound_wsi 2

Process 294938 (libwebsockets-test-server) terminated SIGSEGV code=1 fltno=11 ip=0106dc60(/usr/lib/ldqnx.so.2@__generic_strlen+0x0) mapaddr=0006dc60. ref=00000000

Thanks for all your help! Peter

pblemel commented 5 years ago

Follow up (and potentially new issue) :
The segmentation violation

Process 294938 (libwebsockets-test-server) terminated SIGSEGV code=1 fltno=11 ip=0106dc60(/usr/lib/ldqnx.so.2@__generic_strlen+0x0) mapaddr=0006dc60. ref=00000000

is caused by enabling the extra debug level that you suggested. If I run the binary without it (i.e. not specifying -d), clients connect and the test.html page works as expected.

# ./bin/libwebsockets-test-server --ssl
[2018/09/08 16:36:05:8287] NOTICE: libwebsockets test server - license LGPL2.1+SLE
[2018/09/08 16:36:05:8307] NOTICE: (C) Copyright 2010-2018 Andy Green <andy@warmcat.com>
Using resource path "/mnt/tmp/lws-epic-root/share/libwebsockets-test-server"
[2018/09/08 16:36:05:8887] NOTICE: Creating Vhost 'default' port 7681, 5 protocols, IPv6 off
[2018/09/08 16:36:05:8897] NOTICE:  SSL ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!HMAC_SHA1:!SHA1:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA256:!AES128-GCM-SH...
[2018/09/08 16:36:05:8917] NOTICE:  Using SSL mode
[2018/09/08 16:36:06:0117] NOTICE:  SSL ECDH curve 'prime256v1'
[2018/09/08 16:36:06:0127] ERR:  HTTP2 / ALPN configured but not supported by OpenSSL 0x1000103f
[2018/09/08 16:36:06:0207] NOTICE: lws_tls_client_create_vhost_context: doing cert filepath /mnt/tmp/lws-epic-root/share/libwebsockets-test-server/libwebsockets-test-server.pem
[2018/09/08 16:36:06:0247] NOTICE: Loaded client cert /mnt/tmp/lws-epic-root/share/libwebsockets-test-server/libwebsockets-test-server.pem
[2018/09/08 16:36:06:0267] NOTICE: lws_tls_client_create_vhost_context: doing private key filepath
[2018/09/08 16:36:06:0297] NOTICE: Loaded client cert private key /mnt/tmp/lws-epic-root/share/libwebsockets-test-server/libwebsockets-test-server.key.pem
[2018/09/08 16:36:06:0307] NOTICE: created client ssl context for default
[2018/09/08 16:36:06:0327] NOTICE: openssl is too old to support lws_tls_vhost_cert_info
[2018/09/08 16:36:12:8007] NOTICE: callback_lws_mirror: mirror name ''
[2018/09/08 16:36:12:8027] NOTICE: Created new mi 80632f0 ''

Unfortunately, debugging the code on this target is a little bit problematic for me at the moment so I can't give you a traceback to where it crashes.

Anyway, the long and short of it is that I have a working test-server and know that things work on this target. Now I can get on to the main monkey business of my app :).

Thanks again, Peter

thistlerv commented 2 years ago

Hi, Andy. I wonder whether there is any way to set the minimum TLS version when using OpenSSL as the TLS backend library, without editing the source code in line 547 of lib/tls/openssl/openssl-server.c?

I found a CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 macro in sdkconfig.h but can't find the equivalent for OpenSSL.

Thanks, Thistle

lws-team commented 2 years ago

https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags

https://libwebsockets.org/git/libwebsockets/tree/include/libwebsockets/lws-context-vhost.h#n523-526

thistlerv commented 2 years ago

> https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags
>
> https://libwebsockets.org/git/libwebsockets/tree/include/libwebsockets/lws-context-vhost.h#n523-526

Thanks, and sorry to ask a silly question.