Skip to content
This repository has been archived by the owner on Dec 15, 2020. It is now read-only.

Safari disallows websocket communication when using self-signed certificates #1241

Closed
marpaia opened this issue Feb 16, 2017 · 8 comments · Fixed by #1255
Closed

Safari disallows websocket communication when using self-signed certificates #1241

marpaia opened this issue Feb 16, 2017 · 8 comments · Fixed by #1255
Assignees
@zwass
Labels
Backlog Component: Documentation Component: Security

Comments

@marpaia
Copy link
Contributor

marpaia commented Feb 16, 2017

As reported in osquery slack, when running a distributed query in Safari, the timer stays at 0 and the query never runs.

screen shot 2017-02-15 at 10 06 02 pm
@marpaia marpaia added the Bug label Feb 16, 2017
@mikestone14
Copy link
Contributor

I've looked around and it seems it could be related to our certificate. Specifically, from this stack overflow post

setting OpenSSL to SSLv3 by default kills Safari, but letting it pick its own SSL version (all) works fine

Unfortunately, Safari doesn't output anything helpful in the console when the requests fail. This is the only console output: WebSocket network error: OSStatus Error -9807: d

Here are a couple resources I found:

reddit-archive/reddit-plugin-liveupdate#100

http://stackoverflow.com/questions/4014055/how-to-debug-safari-silently-failing-to-connect-to-a-secure-websocket

mrjoes/tornadio2#59

@groob
Copy link
Contributor

groob commented Feb 16, 2017

I think you're right that it's TLS related, specifically self signed certs.
Safari seems to be working for me with a Let's Encrypt cert we use, but fails with self signed ones.

@mikestone14
Copy link
Contributor

mikestone14 commented Feb 16, 2017
edited

@groob should I assign you and @marpaia to this issue (and remove me and @kyleknighted)?

@groob
Copy link
Contributor

groob commented Feb 16, 2017

Sounds good

@mikestone14 mikestone14 assigned marpaia and groob and unassigned kyleknighted and mikestone14 Feb 16, 2017
@groob
Copy link
Contributor

groob commented Feb 17, 2017
edited

Ok, I've done a bit more testing and identified that safari will only establish a wss:// connection if the certificate is explicitly trusted.

Even after running something like

sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" server.crt

imports the certificate with custom trust settings and the user must explicitly select "Always Trust" in Safari

This does not always cause a problem with Chrome, but it might in the future. Self signed certs are always a bad idea(difficult to manage) and we should find ways to discourage users from using them in their setups. One suggestion I have is to improve the documentation for obtaining Let's Encrypt certificates, which are free, easy to obtain and work great.

For now, I'm going to add a documentation comment about safari, and also echo a warning about using safari in the quickstart script.

@terracatta I think it's important you're aware of this quirk with Safari and self signed certs, especially if you end up doing a local demo for someone remotely.

@marpaia marpaia changed the title Distributed query doesn't work in Safari Safari disallows websocket communication when using self-signed certificates Feb 17, 2017
@terracatta
Copy link
Contributor

@zwass Can you repro this Safari situation and see if your SocksJS fallbacks kick in when Safari cannot establish a WS connection due to security reasons (and not network communication issues, which is the use case we are currently using it for) ?

@terracatta terracatta added this to the 1.0.2 milestone Feb 24, 2017
@zwass
Copy link
Contributor

zwass commented Feb 24, 2017

It does look like Safari will fallback to XHR when websockets fail for this reason. An error is printed to the console, which would probably be hard to avoid.

@terracatta
Copy link
Contributor

@zwass excellent we will add to your sockjs PR that this resolves this issue IMO.

@zwass zwass mentioned this issue Mar 1, 2017
Merged
zwass added a commit that referenced this issue Mar 1, 2017
@zwass
Use sockjs to gracefully degrade websockets (#1255)
3d6ca7d 
Use the [SockJS Protocol](https://github.com/sockjs/sockjs-protocol) to handle
bidirectional communication instead of plain websockets. This allows
distributed queries to function in situations in which they previously failed
(Load balancers not supporting websockets, issues with Safari and self-signed
certs, etc.).

Also includes fixes to the JS message handling logic where slightly different
message delivery semantics (when using XHR) were exposing bugs.

Fixes #1241, #1327.
@jafudi jafudi mentioned this issue Aug 5, 2020
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@zwass zwass

Labels
Backlog Component: Documentation Component: Security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use sockjs to gracefully degrade websockets
6 participants
@kyleknighted @terracatta @zwass @marpaia @groob @mikestone14