Safari disallows websocket communication when using self-signed certificates #1241
Comments
I've looked around and it seems it could be related to our certificate. Specifically, from this stack overflow post
Unfortunately, Safari doesn't output anything helpful in the console when the requests fail. This is the only console output: Here are a couple resources I found: |
I think you're right that it's TLS related, specifically self signed certs. |
@groob should I assign you and @marpaia to this issue (and remove me and @kyleknighted)? |
Sounds good |
Ok, I've done a bit more testing and identified that safari will only establish a Even after running something like
imports the certificate with custom trust settings and the user must explicitly select "Always Trust" in Safari This does not always cause a problem with Chrome, but it might in the future. Self signed certs are always a bad idea(difficult to manage) and we should find ways to discourage users from using them in their setups. One suggestion I have is to improve the documentation for obtaining Let's Encrypt certificates, which are free, easy to obtain and work great. For now, I'm going to add a documentation comment about safari, and also echo a warning about using safari in the @terracatta I think it's important you're aware of this quirk with Safari and self signed certs, especially if you end up doing a local demo for someone remotely. |
@zwass Can you repro this Safari situation and see if your SocksJS fallbacks kick in when Safari cannot establish a WS connection due to security reasons (and not network communication issues, which is the use case we are currently using it for) ? |
It does look like Safari will fallback to XHR when websockets fail for this reason. An error is printed to the console, which would probably be hard to avoid. |
@zwass excellent we will add to your sockjs PR that this resolves this issue IMO. |
Use the [SockJS Protocol](https://github.com/sockjs/sockjs-protocol) to handle bidirectional communication instead of plain websockets. This allows distributed queries to function in situations in which they previously failed (Load balancers not supporting websockets, issues with Safari and self-signed certs, etc.). Also includes fixes to the JS message handling logic where slightly different message delivery semantics (when using XHR) were exposing bugs. Fixes #1241, #1327.
As reported in osquery slack, when running a distributed query in Safari, the timer stays at 0 and the query never runs.
The text was updated successfully, but these errors were encountered: