TLS Encryption not working on iPad 2 #124

Closed
astrand opened this Issue Feb 1, 2012 · 14 comments

@astrand
Collaborator

astrand commented Feb 1, 2012

Is TLS/wss supposed to work in iPad 2? It doesn't for me, all I get is "Server disconnected". Tried adding "?logging=debug", gave nothing. Works from Firefox 9 on Windows XP. Output from launch script:

$ ./launch.sh --vnc localhost:5901
Starting webserver and WebSockets proxy on port 6080
WebSocket server settings:

  • Listen on :6080
  • Flash security policy server
  • Web server. Web root: /home/astrand/tmp/noVNC
  • SSL/TLS support
  • proxying from :6080 to localhost:5901

Navigate to this URL:

http://xxx.homeip.net:6080/vnc.html?host=xxx.homeip.net&port=6080

Press Ctrl-C to exit

I'm using the latest git version. iOS 5.0.1.

Member

kanaka commented Feb 2, 2012

Please post the output you see from the proxy/launch.sh when you try and connect.

Also, what error do you get from Safari (you'll need to activate debug in Safari settings)?

It's possible you are running into the certificate not accepted issue. See the top section on this page: https://github.com/kanaka/noVNC/wiki/Troubleshooting

Collaborator

astrand commented Feb 3, 2012

> Please post the output you see from the proxy/launch.sh when you try and connect.

That's the strange part - no output was produced.

> It's possible you are running into the certificate not accepted issue. See the top section on this page: https://github.com/kanaka/noVNC/wiki/Troubleshooting

I loaded the vnc.html via TLS and accepted the cert by then. Will double check though.

> Also, what error do you get from Safari (you'll need to activate debug in Safari settings)?

Will check!

mightypenguin commented Feb 8, 2012

I noticed this same issue myself but since encrypted noVNC has hiccups on 1 or 2 other desktop browsers as well I just gave up and run unencrypted. At least with self-signed certs. Haven't tried a fancy paid cert.

Member

kanaka commented Feb 9, 2012

@astrand, if you aren't getting any output then that means that there isn't even a socket connection being made from the iPad to websockify. Just to confirm, this works if you make an unencrypted connection from noVNC on the iPad?

One thing to try is changing the initial URL that you use to load the page to "https://".

I have an iPad 2 and I'll give this a try later, but I'm pretty sure I've tried this before and it worked fine.

Collaborator

astrand commented Feb 14, 2012

Yes, it works without encryption. I've tried https://, doesn't help.

After enabling the error console, I get 5 errors. The most interesting one is:
The operation couldn't be completed. (OSStatus error -9807.)

A similar problem is described here:
http://groups.google.com/group/asihttprequest/browse_thread/thread/2508546a1f22c998?pli=1

It seems one must set setValidatesSecureCertificate to false. Can this be done from JavaScript?

Member

kanaka commented Feb 20, 2012

So I reproduced the problem on the iPad 2 (and iPhone). One of the problems is that websockify was swallowing EOF errors. I've fixed that and now it's clear that wss WebSocket connections from iPad (and iPhone) are triggering an EOF error on the Python side.

It could be related to the self-signed certificates (possibly a bug with iOS+self-signed+websockets). I can make wss connections via websocket.org/echo.html from the iPad, but they certainly are not using self-signed certificates.

danielkho commented Nov 19, 2012

Hi kanaka,
Is this fix in the latest release? I have a similar problem as well.

regards, daniel

Collaborator

astrand commented Feb 28, 2013

Still a problem, it seems. Using the latest GIT version. Getting:

_ssl.c:490: EOF occurred in violation of protocol

This is from an iPad mini with user agent:

"Mozilla/5.0 (iPad; CPU OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A523 Safari/8536.25"

I found this thread:

https://lists.webkit.org/pipermail/webkit-dev/2011-July/017583.html

As soon as my Apple account is active, I will check the bug report.

Collaborator

astrand commented Mar 4, 2013

It turns out that you can only report new bugs to Apple, you cannot view existing bug reports. Thus, I haven't been able to find any details about bug 9697244.

hean01 commented Mar 21, 2013

Here follows some information regarding self-signed certs and iOS / WebSockets.

http://blog.marcon.me/post/24874118286/secure-websockets-safari

Collaborator

astrand commented Apr 3, 2013

Now verified. Works with a valid certificate. A self-signed certificate also works if imported via the mail application. However, the server host name must match.

Member

kanaka commented Apr 4, 2013

@hean01 @astrand I have a request. Could you guys update a couple of wiki pages to help people that are running into these issues?

https://github.com/kanaka/noVNC/wiki/Troubleshooting
https://github.com/kanaka/websockify/wiki/Encrypted-Connections

In particular, the article that @hean01 linked to doesn't really go into enough detail about hostname mismatches. Also, if one of you knows how to convert from openssl generated self-signed certs, to the .cer format that the mail client will accept, that would be great to document on the websockify encrypted connections wiki page.

Thanks!
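
An added example, not from this thread or from the websockify project: it generates a self-signed certificate whose name matches the host, checks a name against it, and does the PEM to DER (.cer) conversion asked about above. It assumes OpenSSL 1.1.1 or later (for `-addext`); the hostnames and file names are placeholders.

```shell
#!/bin/sh
# Added example; hostnames and file names are placeholders.

# make_cert HOST DIR: create DIR/key.pem and DIR/cert.pem, self-signed,
# with both CN and subjectAltName set to HOST (the name used in the URL).
make_cert() {
    host=$1; dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# pem_to_cer DIR: write the same certificate DER-encoded as DIR/cert.cer.
pem_to_cer() {
    openssl x509 -in "$1/cert.pem" -outform der -out "$1/cert.cer"
}

# cert_matches HOST DIR: succeed only if the certificate is valid for HOST.
# openssl prints "does match" or "does NOT match", so test the text.
cert_matches() {
    openssl x509 -in "$2/cert.pem" -noout -checkhost "$1" \
        | grep -q "does match"
}

# same_cert DIR: succeed if the PEM and DER files hold the same certificate.
same_cert() {
    a=$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -inform der -in "$1/cert.cer" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Demo in a scratch directory.
tmp=$(mktemp -d)
make_cert vnc.example.test "$tmp" && pem_to_cer "$tmp"
cert_matches vnc.example.test "$tmp" && echo "match: vnc.example.test"
cert_matches other.example.test "$tmp" || echo "mismatch: other.example.test"
same_cert "$tmp" && echo "cert.cer is the same certificate as cert.pem"
rm -rf "$tmp"
```

Only the certificate (`cert.pem` or `cert.cer`) is the file to import on the device; `key.pem` stays on the server.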

Collaborator

astrand commented Apr 16, 2013

I've written some documentation on https://github.com/kanaka/websockify/wiki/Encrypted-Connections now. I didn't include anything about DER certs. At least from the web, PEM certs work fine, so my guess is that PEM certs are fine even when importing via the email application (although I haven't verified this).
Perhaps this issue can be closed then?

Member

kanaka commented Apr 23, 2013

Yes, I think this is probably sufficient. Thanks for documenting that. I've linked back to this bug on the wiki page.

@kanaka kanaka closed this Apr 23, 2013
