Problems with WSS running on linux and Edge(or ie) browser #484

Closed
Irahe opened this issue May 18, 2017 · 23 comments

Irahe commented May 18, 2017

Hello,

I'm having a bit of an issue.
On my local environment, when I create the server and try to run it, I can connect correctly with all browsers, thanks to fix #466. However, when I export to my test server, which runs Ubuntu, PHP 7,1 and apache2, I simply can't make it work with Edge or IE.
Using Firefox and Chrome works correctly.
I'm using oracle-java8 on the server...
java -version returns:

```
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
```

The problem happens when I try to connect to the server via Edge or IE. It freezes and times out on the client, but the server doesn't show me anything. However, if I close the tab before it times out, the server spills an exception:

```
java.io.IOException: Broken pipe
    at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
    at sun.nio.ch.IOUtil.write(IOUtil.java:65)
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
    at org.java_websocket.SSLSocketChannel2.close(SSLSocketChannel2.java:319)
    at org.java_websocket.WebSocketImpl.closeConnection(WebSocketImpl.java:492)
    at org.java_websocket.WebSocketImpl.closeConnection(WebSocketImpl.java:522)
    at org.java_websocket.server.WebSocketServer.handleIOException(WebSocketServer.java:494)
    at org.java_websocket.server.WebSocketServer.run(WebSocketServer.java:424)
    at java.lang.Thread.run(Thread.java:748)
```

I just can't make it work. Please help me again @marci4 =D

PS: My server is running on : 35.xxx.223.xxx:8283

Collaborator

marci4 commented May 19, 2017

Hello @Irahe,

When I am trying to connect to your address, I first of all get a certificate error (in Chrome as well as in Firefox), so you should connect to wss://:8283/.

The second problem is that Edge is not able to connect to the revocation server.

This could be due to the following reasons:

Greetings
marci4

Author

Irahe commented May 19, 2017

I know about the domain issue, I just didn't want to post it publicly here ;D
I'll investigate the issues you sent me, however I may say that yesterday morning it was working like a champ.

Collaborator

marci4 commented May 19, 2017

Oops, sorry :)

OK, then it is probably just LetsEncrypt trying to fix their issues!

Greetings
marci4

EDIT:
It really looks like LetsEncrypt is having problems!
Was able to connect to my production wss once, then a few times not, and then again!

Author

Irahe commented May 19, 2017

Let's hope they do.
I'll keep monitoring their status and keep you posted.
Thank you again for your help.
And another thing, about #466: the fix only works on Linux if you use Oracle Java 8. With OpenJDK-8 it does not work for some reason.

Author

Irahe commented May 20, 2017

Let's Encrypt is back in action, and connections are working again.
However, if I try multiple connections on Edge, I still get a freeze state.

=D

Author

Irahe commented May 21, 2017

Hey, @marci4 ,

I'm still having problems with Edge and IE on the same server.
Somehow, I can't connect with Edge. Sometimes I can, however it only works if Edge is the first to connect to the server. If I try to connect another tab, it keeps loading eternally. It doesn't even time out.

Collaborator

marci4 commented May 21, 2017

Hey @Irahe
gonna look into this tomorrow!

Probably some cipher suites...

Greetings
marci4

@marci4 marci4 self-assigned this May 21, 2017
Author

Irahe commented May 22, 2017

Dear @marci4,

I completely renewed the environment of the server today.
Sorry to say, but nothing has changed in the Edge and IE behavior.
I'm using:
Apache2, PHP7.0, Oracle Java8.

I figured out that if I go to the websockets.org client and keep pushing the connect button, it connects after something like 20 tries.
My server is online, and you can try it for yourself:
Please tell me when you see this message so I can erase the domain.. =D

Collaborator

marci4 commented May 22, 2017

Hello @Irahe,
sorry for getting back to you so late.
Was working on a fix for #424 the whole day (and I think it is fixed YEAH :D )

Could you please tell me what exact version of java you are using?
Under windows, I was not able to reproduce it (with the new SSLSocketChannel).

Gonna look into this still more! Just wanted to give you a status update.

Greetings
marci4

Author

Irahe commented May 23, 2017

Dear @marci4 ,

In response to java -version on the server I have the following:

```
#########@instancialeilao:~$ java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
```

Collaborator

marci4 commented May 25, 2017

hey,

sorry for the slow update.
Wasted my whole day on this issue..

To be honest I have no clue why Edge is fucking so bad with me.
Even with my production wss it is not working any more (haven't patched that..)

For now my tip is just not to use Edge/IE. Hopefully this issue resolves itself with the new SocketChannel...

Greetings
marci4

Collaborator

marci4 commented May 28, 2017

Hello @Irahe ,

I pushed some changes with #488.

This works fine for my production wss now! (Still using openjdk-7 though)

Greetings
marci4

@marci4 marci4 closed this as completed May 28, 2017
@marci4 marci4 reopened this May 28, 2017
Author

Irahe commented May 28, 2017

Dear @marci4 ,

I'll test it soon and give you feedback.
Thank you for your support again.

Author

Irahe commented May 28, 2017

Dear @marci4 ,

I have patched my server with the new version released.
Unfortunately, Edge is not working properly yet.
I have tested with Firefox and Chrome, and sometimes, with multiple connections, I get a freeze in the browser and an exception on the server:

Firefox:

```
javax.net.ssl.SSLException: Unsupported record version Unknown-156.126
    at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
    at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:113)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.java_websocket.SSLSocketChannel.read(SSLSocketChannel.java:140)
    at org.java_websocket.SocketChannelIOHelper.read(SocketChannelIOHelper.java:13)
    at org.java_websocket.server.WebSocketServer.run(WebSocketServer.java:370)
    at java.lang.Thread.run(Thread.java:748)
```

Chrome:

```
javax.net.ssl.SSLException: Unsupported record version Unknown-124.66
    at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
    at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:113)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.java_websocket.SSLSocketChannel.read(SSLSocketChannel.java:140)
    at org.java_websocket.SocketChannelIOHelper.read(SocketChannelIOHelper.java:13)
    at org.java_websocket.server.WebSocketServer.run(WebSocketServer.java:370)
    at java.lang.Thread.run(Thread.java:748)
```

With Edge, I can connect only if I am not connected to the server with any other browser. If I connect with any other browser, Edge simply does not work.
This problem is really fucking with both of us... =(
I hope we can find a solution.

PS: I'm still using oracle-java8... I have installed OpenJDK-8, however, I get a similar problem with Edge, and Firefox stops working (similar to #466) on that version. I was not able to install openjdk-7 because I'm running Ubuntu 17.04, and it is not available via ppa.

Collaborator

marci4 commented May 29, 2017

Hello @Irahe

trust me, I am really sorry right now (and pissed for that matter ;) )

Let's try the following (like #466):

```java
ciphers.remove("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
ciphers.remove("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
ciphers.remove("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
ciphers.remove("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
ciphers.remove("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
ciphers.remove("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
ciphers.remove("TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
```

Greetings
marci4

Author

Irahe commented May 29, 2017

Hello @marci4 ,

I've tested the above, and with this change, Firefox works on OpenJDK-8 correctly. However, Edge and IE are still not working properly. In Chrome and Firefox, if I connect 2 or 3 tabs in a row, I still get the following exception (which does not happen on the previous SocketChannel implementation):

```
javax.net.ssl.SSLException: Unsupported record version Unknown-221.189
    at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
    at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:113)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.java_websocket.SSLSocketChannel.read(SSLSocketChannel.java:140)
    at org.java_websocket.SocketChannelIOHelper.read(SocketChannelIOHelper.java:13)
    at org.java_websocket.server.WebSocketServer.run(WebSocketServer.java:370)
    at java.lang.Thread.run(Thread.java:748)
```

I have figured out that if I try to connect to my server on http://www.websocket.org/echo.html (using Edge) and keep pressing the connect button (like crazy), it will eventually connect... That's odd... It seems like Edge is suffering the same issues as Firefox in #466...

Collaborator

marci4 commented May 29, 2017

To be honest, I think we have a problem somewhere else (apart from the mentioned SSLException, which is caused by the new SocketChannel; please revert this locally for you as well).
I feel that the selector is not correctly updating/blocking or something like that...
That would also explain why some ciphers often work and sometimes not (timing....)

Apart from this, it is killing me right now!

What you can try is to activate the java debug output (with -Djavax.net.debug=all) and check what cipher is used in your case!

I will try to locate this issue with the selector!

Greetings
marci4

Author

Irahe commented May 30, 2017

Hello @marci4 ,

I have done as requested with java debug. A lot of information was shown when trying to connect via Edge.
The cipher used is: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256].
Do you think I should remove this cipher to see if it works?

I hope we can sort it out.

=D

Collaborator

marci4 commented May 31, 2017

Hello @Irahe,

Yes, try to remove this specific cipher suite.
Let's hope we get around this issue....

Greetings
marci4

Author

Irahe commented May 31, 2017

Hello @marci4 ,

I removed the cipher, but it is still a no go...
However, I decided to challenge this issue!
When I removed (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) Edge picked a new one (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), so I removed this too, and it picked a new one (TLS_RSA_WITH_AES_128_GCM_SHA256) and so on...

In the end, I removed some ciphers, and finally I can tell you it's working on Firefox, Edge, Chrome and IE.

However, I still have some problems with the new SSLSocketChannel; sometimes on all browsers I need to restart the connection, causing the exception I have already mentioned.

In the end, my wrapChannel method is like this:

```java
public ByteChannel wrapChannel(SocketChannel channel, SelectionKey key) throws IOException {
    SSLEngine e = sslcontext.createSSLEngine();
    /*
     * See https://github.com/TooTallNate/Java-WebSocket/issues/466
     *
     * We remove TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from the enabled
     * ciphers since it is just available when you patch your java
     * installation directly. E.g. firefox requests this cipher and this
     * causes some dcs/unstable connections
     */
    List<String> ciphers = new ArrayList<String>(Arrays.asList(e.getEnabledCipherSuites()));
    // Recommended ciphers to remove
    ciphers.remove("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    ciphers.remove("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
    ciphers.remove("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
    ciphers.remove("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
    ciphers.remove("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
    ciphers.remove("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
    ciphers.remove("TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
    // Ciphers removed on my own
    ciphers.remove("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
    ciphers.remove("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
    ciphers.remove("TLS_RSA_WITH_AES_128_GCM_SHA256");
    ciphers.remove("TLS_RSA_WITH_AES_128_CBC_SHA256");
    ciphers.remove("TLS_RSA_WITH_AES_128_CBC_SHA");
    // Edge is using now -> SSL_RSA_WITH_3DES_EDE_CBC_SHA
    e.setEnabledCipherSuites(ciphers.toArray(new String[]{}));
    e.setUseClientMode(false);
    return new SSLSocketChannel(channel, e, exec, key);
}
```
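
The effect of the suite-by-suite removal in the comment above, as an added example that is not part of the thread or of Java-WebSocket: it applies the same twelve removals to the running JDK's default `SSLEngine` and marks what stays enabled (on the Oracle Java 8 build from the thread that leftover includes `SSL_RSA_WITH_3DES_EDE_CBC_SHA`, a 64-bit block cipher with no forward secrecy), then builds an allowlist instead. The class name `CipherAudit`, the `WEAK` marker list and the allowlist policy are assumptions of this example, and the printed result depends on the JDK it runs on.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example, not Java-WebSocket code. CipherAudit and WEAK are names made up here.
public class CipherAudit {
    // The twelve suites removed in the wrapChannel method posted in the thread.
    static final List<String> REMOVED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA");
    // Substrings of suite names that should never be negotiated (assumed policy).
    static final String[] WEAK = {"3DES", "_DES_", "_RC4_", "_NULL_", "_anon_", "_EXPORT_"};
    static boolean isWeak(String suite) {
        for (String marker : WEAK) if (suite.contains(marker)) return true;
        return false;
    }
    // Denylist: whatever the JDK enables minus REMOVED, so weak leftovers stay enabled.
    static List<String> afterDenylist(String[] enabled) {
        List<String> left = new ArrayList<>(Arrays.asList(enabled));
        left.removeAll(REMOVED);
        return left;
    }
    // Allowlist: only forward-secret TLS 1.2 suites and TLS 1.3 suites, never a weak one.
    static List<String> allowlist(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String s : supported) {
            boolean tls13 = s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_");
            boolean forwardSecret = s.startsWith("TLS_ECDHE_") || s.startsWith("TLS_DHE_");
            if ((tls13 || forwardSecret) && !isWeak(s)) keep.add(s);
        }
        return keep;
    }
    public static void main(String[] args) throws Exception {
        SSLEngine e = SSLContext.getDefault().createSSLEngine();
        for (String s : afterDenylist(e.getEnabledCipherSuites()))
            System.out.println((isWeak(s) ? "WEAK " : "     ") + s);
        List<String> keep = allowlist(e.getSupportedCipherSuites());
        // Fail closed: refuse to start rather than fall back to a weak suite.
        if (keep.isEmpty()) throw new IllegalStateException("no acceptable cipher suite");
        e.setEnabledCipherSuites(keep.toArray(new String[0]));
        System.out.println(keep.size() + " suites enabled by the allowlist");
    }
}
```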

Collaborator

marci4 commented May 31, 2017

Hello @Irahe

happy to hear that you managed to solve this issue on your own!

As mentioned earlier, please don't use the new SocketChannel, there is still a bug in it (Was not able to locate it...)

I also added an easier way for removing specific cipher suites.
Please check out CustomSSLWebsocketServerFactory.

Greetings
marci4

Author

Irahe commented Jun 1, 2017

Hello, @marci4 ,

I went back to SSLSocketChannel2 and all is back to work. No exception.
Only for your information, SSLSocketChannel2 also has the above explained exception, however it just doesn't show it....
I noticed if you try to connect to the server continuously, it will eventually freeze and then connect.
I guess it's OK for the moment.

Anyway, thanks for your help and support.

I believe you can close this issue now.
If I have any news I'll post it here on another issue.
If you guys need any help, I'll be pleased to help.

=D

Collaborator

marci4 commented Jun 1, 2017

Help is always appreciated :)

Greetings
marci4

@marci4 marci4 closed this as completed Jun 1, 2017