warmcat / libwebsockets

canonical libwebsockets.org networking library
https://libwebsockets.org

Not able to get LWS 4.2 working with SSL #2484

Closed Rajasekhar-topgear closed 3 years ago

Rajasekhar-topgear commented 3 years ago

Hi Experts,

I have compiled LWS 4.2 in non-secure mode and it is working fine with my server.
Now I am compiling LWS 4.2 in secure mode and I am getting the error below.

Error::

SSL_new failed: error:00000063:lib(0):func(0):reason(99) Lost websocket connection with Server.., ERROR: bio_create failed

I am trying to use openssl. So in my Makefile, I have excluded the mbedtls files under the directory "lib/tls/mbedtls/". I could see the error is coming from the file "openssl-client.c" in the code below: "SSL_new()" is failing. But the SSL_new() definition is in the mbedtls directory "lib/tls/mbedtls/wrapper/library/ssl_lib.c". So if I start including the mbedtls files under the directory "lib/tls/mbedtls/wrapper/library/" in the makefile, then the corresponding header files under "lib/tls/mbedtls/wrapper/include/platform/" also get included, which in turn causes multiple definition errors.

So to include the SSL_new() definition, do I have to include the mbedtls files also, OR do I need to include the SSL library?

Could you please let me know how to resolve this issue.

Code Snippet:: lib/tls/openssl/openssl-client.c

    wsi->tls.ssl = SSL_new(wsi->a.vhost->tls.ssl_client_ctx);
    if (!wsi->tls.ssl) {
            lwsl_err("%s:: SSL_new failed",__func__);
            const char *es = ERR_error_string(
    #if defined(LWS_WITH_BORINGSSL)
                            (uint32_t)
    #else
                            (unsigned long)
    #endif
                            lws_ssl_get_error(wsi, 0), NULL);
            lwsl_err("SSL_new failed: %s\n", es);   /* =====> Error */
            lws_tls_err_describe_clear();
            return -1;
    }

Client Code::

    /* use_ssl, ret, ws_context, ws_socket, address, port and tppr_url_info
     * come from the surrounding file. Both lws info structs must be zeroed
     * before any field is set: lws reads every field, so an uninitialised
     * struct hands it garbage for the TLS paths and options below. */
    struct lws_client_connect_info client_con_info;
    struct lws_context_creation_info info;
    int ietf_version = -1;

    memset(&info, 0, sizeof(info));
    memset(&client_con_info, 0, sizeof(client_con_info));

    info.port = CONTEXT_PORT_NO_LISTEN;
    info.protocols = ida_ws_protocols;
    info.gid = -1;
    info.uid = -1;
    info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | LWS_SERVER_OPTION_DISABLE_IPV6;
    use_ssl = LCCSCF_USE_SSL | LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK;

    /* client cert / key for mutual TLS, only if the files exist */
    if (access(CLIENT_PKEY, F_OK) == 0) {
        info.client_ssl_private_key_filepath = CLIENT_PKEY;
    }
    if (access(CLIENT_CERTS, F_OK) == 0) {
        info.client_ssl_cert_filepath = CLIENT_CERTS;
    }

    /* the context is created once and reused for later connects */
    if (!ws_context) {
        ws_context = lws_create_context(&info);
        if (ws_context == NULL) {
            ERR("Creating libwebsocket context failed\n");
            ret = -1;
            return ret;
        }
    }

    client_con_info.context = ws_context;
    client_con_info.address = address;
    client_con_info.port = port;
    client_con_info.ssl_connection = use_ssl;
    client_con_info.path = tppr_url_info->path;
    client_con_info.host = address;
    client_con_info.origin = address;
    client_con_info.protocol = ida_ws_protocols[PROTOCOL_IDA].name;
    client_con_info.ietf_version_or_minus_one = ietf_version;

    ws_socket = lws_client_connect_via_info(&client_con_info);

Thanks, Rajasekhar.

lws-team commented 3 years ago

mbedtls or openssl is an either-or thing: you build for one or the other and link to the tls library you built for.

I think you are making things extra hard for yourself by ignoring cmake, cmake is there to make your life easier. I really recommend letting it do its job and create the Makefile for you, for your platform.

The error seems to be coming because there is no client SSL_CTX created on the default vhost, presumably it failed earlier. So you should look at the lws logs and see if they have anything to say.

lws-team commented 3 years ago

... and this

if (!ws_context) {
    ws_context = lws_create_context(&info);

does that mean you are calling this multiple times from different threads? You can't...

https://libwebsockets.org/git/libwebsockets/tree/READMEs/README.event-loops-intro.md?h=main

lws-team commented 3 years ago

Well, from your other issue, it seems you have some other problem, closing this.

Rajasekhar-topgear commented 3 years ago

Thanks a lot for your reply. Yes, I could see SSL_CTX is NULL. I have created the SSL_CTX and am passing it to LWS like below. Is this correct, or is there any other way?

info.provided_client_ssl_ctx = ssl_ctx;

FYI, My client is running in the single thread only.

Also, for the secure connection, I am following the code in "test-apps/test-client.c". Would there be any other example?

lws-team commented 3 years ago

> FYI, My client is running in the single thread only.

That's good.

> Also, for secure connection, I am following the code in the "test-apps/test-client.c". Would there be any other example ?

Yes you should look at

https://libwebsockets.org/git/libwebsockets/tree/minimal-examples-lowlevel/http-client/minimal-http-client

or

https://libwebsockets.org/git/libwebsockets/tree/minimal-examples-lowlevel/ws-client/minimal-ws-client

these are CC0 / public domain, you can literally cut and paste them into your code as your starting point.

lws-team commented 3 years ago

> ... you should look at the lws logs and see if they have to say anything.

Not looking at lws logs is the #2 cause of going around in circles... it is not saving you time ignoring them. (#1 cause is not using the minimal examples as your starting point).

>     info.provided_client_ssl_ctx = ssl_ctx;

You do not have to provide an SSL_CTX, lws will create it. Best thing to do is build the example as it is (using cmake) and confirm that works, then cut and paste that as your starting point.

Rajasekhar-topgear commented 3 years ago

Thanks a lot for your suggestions. Ok sure, I will build the examples as it is and test.

Rajasekhar-topgear commented 3 years ago

Actually, I checked the lws logs but I don't see any other error other than "SSL_new failed: error:00000063:lib(0):func(0):reason(99)". So I suspect SSL_CTX is NULL. But even after creating and passing the SSL_CTX, the same error is seen. I am missing something. I will try to run examples and try to find out the root cause.

Logs::

    2021/11/11 14:20:52.102320040 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): Connect_server:: use_ssl: 5
    2021/11/11 14:20:52.102350000 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): Connect_server:: Have access for CLIENT_PKEY: /tmp/pkey.pem
    2021/11/11 14:20:52.102365120 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): Connect_server:: Have access for CLIENT_CERTS: /tmp/cert.pem
    2021/11/11 14:20:52.102740440 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): Connect_server:: SSL_CTX: 0xaaab0fc6ec30
    2021/11/11 14:20:52.102743760 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): Connect_Server: NULL FD
    2021/11/11 14:20:52.102746000 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (note): Connect_Server:: Server:: 172.27.169.51, Port: 9121, PATH: /ws/cgna/ios
    2021/11/11 14:20:52.102753960 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_via_info:: BEGIN
    2021/11/11 14:20:52.102775800 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_via_info:: wsi: 0xfc80350
    2021/11/11 14:20:52.102793840 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_via_info: role binding to h1
    2021/11/11 14:20:52.102798120 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_via_info: vh default protocol binding to ida-protocol
    2021/11/11 14:20:52.102816440 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_via_info: : h1 ida-protocol entry
    2021/11/11 14:20:52.102863760 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_http_client_connect_via_info2:: BEGIN
    2021/11/11 14:20:52.102868000 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_http_client_connect_via_info2: [wsicli|1|WS/h1/172.27.169.51|default] (stash 0xaaab0fc7cf20)
    2021/11/11 14:20:52.102877520 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_2_dnsreq:: BEGIN
    2021/11/11 14:20:52.102881440 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_2_dnsreq: new conn on no pipeline flag
    2021/11/11 14:20:52.102893280 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_2_dnsreq: [wsicli|1|WS/h1/172.27.169.51|default]: lookup 172.27.169.51:9121
    2021/11/11 14:20:52.102910840 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_2_dnsreq:: invoke lws_client_connect_3_connect
    2021/11/11 14:20:52.102929280 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect:: BEGIN
    2021/11/11 14:20:52.102955880 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect: peer_route_uidx 0
    2021/11/11 14:20:52.103056080 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect: [wsicli|1|WS/h1/172.27.169.51|default]: WAITING_CONNECT
    2021/11/11 14:20:52.103108520 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): LWS callback: Success to read select Websocket: fd(21) - Success)
    2021/11/11 14:20:52.103264720 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect: connect: errno: 115
    2021/11/11 14:20:52.103280640 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect:: AFTER CHANGE POLLFD, wsi: 0xfc80350
    2021/11/11 14:20:52.103287400 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_via_info: [wsicli|1|WS/h1/172.27.169.51|default]: adoption cb 19 to h1 ida-protocol
    2021/11/11 14:20:52.103487240 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (note): Connect_server:: FD: 21
    2021/11/11 14:20:52.103489320 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): abcdefghijklmnopabcdefghij: fd(21)
    2021/11/11 14:20:52.104494520 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): abcdefghijklmnopabcdefghij:: n: 1
    2021/11/11 14:20:52.104532320 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect:: BEGIN
    2021/11/11 14:20:52.104558160 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect: [wsicli|1|WS/h1/172.27.169.51|default]: source ads 172.27.169.54
    2021/11/11 14:20:52.104570600 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect: going into connect_4
    2021/11/11 14:20:52.104598560 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_ssl_client_bio_create:: BEGIN
    2021/11/11 14:20:52.104611320 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_ssl_client_bio_create:: SSL_new failed
    2021/11/11 14:20:52.104648640 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): SSL_new failed: error:00000063:lib(0):func(0):reason(99)
    2021/11/11 14:20:52.104679400 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): Lost websocket connection with Server.. will reconnect, ERROR: bio_create failed
    2021/11/11 14:20:52.104956920 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_plat_service_fd: warning servicing fd(21): m=1
    2021/11/11 14:20:52.104986840 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (note): RET: 0
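The maintainer's advice in this thread is to read the lws logs and find where the connection actually fails. The log above makes that harder than it should be because the reporter's wrapper tags its own debug prints as `(ERR)`, so the level alone says nothing. The following helper is an added example, not code from libwebsockets or from the reporter: it parses lines in the wrapper format seen above (the `{...}{...}: [tag] [pid]: UUID, ra, TID, (LEVEL): body` layout is taken from the pasted log and is assumed to be stable), splits each body into the emitting function and its message, and reports the first failure together with the chain of stages that ran before it. On the sample lines (a constructed subset of the log above) it shows the connection survived DNS and the TCP connect (`connect: errno: 115`, then `going into connect_4`) and died in `lws_ssl_client_bio_create` at `SSL_new`, which points at the vhost's client TLS context rather than the network.

```python
"""Triage helper for lws client logs in the wrapper format pasted above.

Added example, not libwebsockets code. Assumes the wrapper line layout
seen in the issue log; lines in any other format are skipped.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the issue log, in order.
SAMPLE_LOG = """\
2021/11/11 14:20:52.102740440 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): Connect_server:: SSL_CTX: 0xaaab0fc6ec30
2021/11/11 14:20:52.102746000 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (note): Connect_Server:: Server:: 172.27.169.51, Port: 9121, PATH: /ws/cgna/ios
2021/11/11 14:20:52.102929280 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect:: BEGIN
2021/11/11 14:20:52.103264720 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect: connect: errno: 115
2021/11/11 14:20:52.104570600 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_client_connect_3_connect: going into connect_4
2021/11/11 14:20:52.104598560 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_ssl_client_bio_create:: BEGIN
2021/11/11 14:20:52.104611320 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): lws_ssl_client_bio_create:: SSL_new failed
2021/11/11 14:20:52.104648640 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): SSL_new failed: error:00000063:lib(0):func(0):reason(99)
2021/11/11 14:20:52.104679400 {ida_ws_R0-0}{255}: [ida_ws] [6428]: UUID: 0, ra: 0, TID: 0, (ERR): Lost websocket connection with Server.. will reconnect, ERROR: bio_create failed
"""

# "<date> <time> {..}{..}: [tag] [pid]: <ctx>, (LEVEL): <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \{[^}]*\}\{[^}]*\}: \[[^\]]+\] \[\d+\]: "
    r"(?P<ctx>.*?), \((?P<level>[A-Za-z]+)\): (?P<body>.*)$"
)
# "func: message" or "func:: message"; a body that does not start with a
# bare identifier followed by ':' (e.g. "SSL_new failed: error:...") is
# kept whole with func=None.
FUNC_RE = re.compile(r"^(?P<func>[A-Za-z_]\w*):+ ?(?P<msg>.*)$")


@dataclass
class Entry:
    ts: str
    level: str
    func: Optional[str]
    msg: str


def parse_lws_log(text: str) -> List[Entry]:
    """Parse every line that matches the wrapper format; skip the rest."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        fm = FUNC_RE.match(body)
        func, msg = (fm.group("func"), fm.group("msg")) if fm else (None, body)
        entries.append(Entry(m.group("ts"), m.group("level"), func, msg))
    return entries


def first_failure(entries: List[Entry]) -> Optional[Entry]:
    """First entry whose message text reports a failure.

    The level is deliberately ignored: this wrapper logs its own debug
    prints as (ERR), so only the message content separates a real failure
    from a trace line such as "BEGIN".
    """
    for e in entries:
        text = e.msg.lower()
        if "failed" in text or "error" in text:
            return e
    return None


def stage_trace(entries: List[Entry]) -> List[str]:
    """Distinct emitting functions, in order, up to the first failure."""
    trace: List[str] = []
    failure = first_failure(entries)
    for e in entries:
        if e.func and (not trace or trace[-1] != e.func):
            trace.append(e.func)
        if e is failure:
            break
    return trace


def level_counts(entries: List[Entry]) -> Counter:
    """How many lines per level; shows when (ERR) carries no signal."""
    return Counter(e.level for e in entries)


def summarize(text: str) -> str:
    entries = parse_lws_log(text)
    failure = first_failure(entries)
    if failure is None:
        return "no failure found in %d entries" % len(entries)
    return "first failure at %s in %s: %s\nstages before it: %s" % (
        failure.ts, failure.func or "(no function)", failure.msg,
        " -> ".join(stage_trace(entries)))


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a full log capture rather than the sample and the `stages before it` line tells you immediately whether the first failure sits in `lws_client_connect_2_dnsreq` (name resolution), `lws_client_connect_3_connect` (TCP) or `lws_ssl_client_bio_create` (TLS setup), which is the question the maintainer is asking the reporter to answer before touching `provided_client_ssl_ctx`.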