Websocket / TLS(SSL) configuration issue

[jayesh9977]

Hi all,

I am successfully able to verify mosquitto websocket on http (without SSL support). I am not able to verify websocket a. on http (with SSL support) b. on httpS (with or without SSL).

I am following the below link for setting up the enviroment. http://jpmens.net/2014/07/03/the-mosquitto-mqtt-broker-gets-websockets-support/ I have also generated the certificates and used the same.

Below are mosquitto web page error which I am facing: a. Http with SSL support

b. Https is not working with / without SSL support Console logs for Https with SSL: 1463386582: mosquitto version 1.4.8 (build date 2016-05-12 11:27:54+0530) starting 1463386582: Config loaded from mosquitto.conf. 1463386582: Opening websockets listen socket on port 8883. 1463386582: Warning: Mosquitto should not be run as root/administrator. 1463386586: http serving file "/debug/cert/index.html". 1463386586: http serving file "/debug/cert/mqttws31.js". 1463386587: http serving file "/debug/cert/jquery.min.js". 1463386588: http serving file "/debug/cert/config1.js". 1463441771: http serving file "/debug/cert/index.html". 1463441771: http serving file "/debug/cert/mqttws31.js". 1463441772: http serving file "/debug/cert/jquery.min.js". 1463441773: http serving file "/debug/cert/config1.js".

Error snapshot Https with SSL:

I have also enable the websocket logs: log_type all, log_type websockets, websockets_log_level 255 mosquitto_websocket.txt

could you please help on this topic to connect Http with SSL and Https with and withoud SSL connection.

Thanks.

[lws-team]

Hm... ssl works fine on lws, you can go to https://libwebsockets.org and see for yourself.

• What platform is this?
• what ssl library is in use?
• how did you configure lws at cmake when you built it?
• what logs are coming out of lws when it starts up?

[jayesh9977]

What platform is this? QnX neutrino (x86 processor)
what ssl library is in use? OpenSSL 1.0.1c 10 May 2012 (Library: OpenSSL 1.0.1l 15 Jan 2015)
how did you configure lws at cmake when you built it? Built seperate package of lws on QnX 
what logs are coming out of lws when it starts up? here are logs:

//////////////////// 1463443821: Libwebsockets version: 1.7.0 developer@developer-VirtualBox- 1463443821: IPV6 not compiled in 1463443821: libev support not compiled in 1463443821: libuv support not compiled in 1463443821: LWS_DEF_HEADER_LEN : 1024 1463443821: LWS_MAX_PROTOCOLS : 5 1463443821: LWS_MAX_SMP : 32 1463443821: Compiled with OpenSSL support 1463443821: SSL disabled: no LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT 1463443821: insert_wsi_socket_into_fds: 8075570: tsi=0, sock=7, pos-in-fds=1 1463443821: Listening on port 8883 1463443821: LWS_MAX_EXTENSIONS_ACTIVE: 2 1463443842: lws_adopt_socket_vhost: new wsi 80753f8, sockfd 8 1463443842: lws_set_timeout: 80753f8: 20 secs 1463443842: lws_header_table_attach: wsi 80753f8: ah 0 (tsi 0) 1463443842: lws_header_table_attach: wsi 80753f8: ah 809f020: count 1 (on exit) 1463443842: lws_adopt_socket_vhost: new wsi 8075230, sockfd 9 1463443842: lws_set_timeout: 8075230: 20 secs 1463443842: lws_header_table_attach: wsi 8075230: ah 0 (tsi 0) 1463443842: lws_header_table_attach: wsi 8075230: ah 809fcb8: count 2 (on exit) 1463443842: lws_server_socket_service: 80753f8: rxpos:0 rxlen:0 1463443842: lws_server_socket_service: wsi 80753f8, ah->rxlen = 517 1463443842: lws_read: incoming len 517 state 0 1463443842: lws_parse failed 1463443842: lws_header_table_detach: wsi 80753f8: ah 809f020 (tsi=0, count = 2) 1463443842: lws_close_free_wsi: shutting down connection: 80753f8 (sock 8, state 2)

//////////////////// Please have a look. Thanks.

[jayesh9977]

Hi, it seems problem lies here as per below logs: 1463448233: WSI_TOKEN_NAME_PART '' (mode=0) (From parsers.c file) 1463448233: Unknown method - dropping 1463448233: forbidding on uri sanitation 1463448233: lws_parse failed

Could you please guide.

[lws-team]

This is what you see if lws is configured for non-SSL, and you try to connect to it by SSL.

You can see

SSL disabled: no LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT

if you want SSL on 1.7.0 and above you have to give LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT in info.options

[jayesh9977]

• I have added below line (marked between \ ) in websockets.c and built the mosquitto binary

  ifdef WITH_TLS

  info.ssl_ca_filepath = listener->cafile; info.ssl_cert_filepath = listener->certfile; info.ssl_private_key_filepath = listener->keyfile; \ info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT; **

• Please see the logs for SSL connection error 1463453581: inserted SSL accept into fds, trying SSL_accept 1463453581: SSL_accept failed 1 / error:00000001:lib(0):func(0):reason(1) 1463453581: SSL_accept failed skt 8: error:00000001:lib(0):func(0):reason(1) 1463453581: * error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request 1463453581: lws_adopt_socket_vhost: fail ssl negotiation 1463453581: lws_close_free_wsi: shutting down connection: 809d9e8 (sock 8, state 0) 1463453581: lws_set_timeout: 809d9e8: 20 secs 1463453581: fd=8, revents=65 1463453581: SSL_accept failed 1 / error:00000001:lib(0):func(0):reason(1) 1463453581: SSL_accept failed skt 8: error:00000001:lib(0):func(0):reason(1) 1463453581: * error:1407609C:SSL routines:SSL

[lws-team]

Sounds like you are accessing http://blah:8883, when now it really is using ssl and you must tell your client to access https://blah:8883

[jayesh9977]

Many thanks Andy :)

[lws-team]

Then we can close this?

[jayesh9977]

Yes, we can close. Thanks.