SSL_connect on iOS with http proxy fails when SSL_connect can't connect immediately (with blocking sockets, branched from 6c58228) #18
Comments
|
On 24/10/13 21:47, the mail apparently from shyswork included:
This patch was nicely done with understanding the state machine... -Andy
|
|
Thanks. This patch works well for me with blocking sockets. As I said when I tried to use nonblocking sockets behind http proxy it didn't work. So I ended up using older lib with blocking sockets and this fix. I hope this fix won't break anything for nonblocking sockets anyway I will test and write back if I find another problems. |
|
As promised I have tested this fix with nonblocking sockets and it doesn't work. First off all I get EAGAIN while trying to connect to proxy. I had to add check for it to avoid closing socket prematurely (before this line https://github.com/warmcat/libwebsockets/blob/master/lib/client.c#L81). After that I am able to successfully connect to proxy and start SSL handshake. In handshake I receive (most of the times) SSL_ERROR_WANT_READ and then fall thru to LWS_CONNMODE_WS_CLIENT_WAITING_SSL. After several attempts to SSL_connect() I get SSL_ERROR_SSL which expands to SSL connect error 336031996: error:00000000:lib(0):func(0):reason(0) . I also tried to block ssl with select() by this code (inspired by SSL docs and this question http://stackoverflow.com/questions/6702894/in-openssl-after-ssl-connect-i-am-getting-ssl-error-want-read ): fd_set working_set; if (n == SSL_ERROR_WANT_READ) { so select waits indefinitely until I can read and when I again try to connect I get the same SSL_ERROR_SSL. I would appreciate any ideas why this happens. |
|
Ok. It seems I've figured out what causes this problem. It is because of proxy and incorrect proxy handling with nonblocking sockets. Since __libwebsocket_client_connect_2 is called multiple times and the first time it overrides path to connect. That is why when we come back in __libwebsocket_client_connect_2 second time it tries to connect thru proxy again but with overridden address. That address is a proxy address itself. It connects and of course then it fails to establish SSL connection because proxy doesn't support that. |
|
Please take a look at a new branch I've posted https://github.com/shyswork/libwebsockets/tree/nonblocking_socket_minor_fixes it contains some fixes for iOS. I have also hardcoded my server address and port here ( libwebsockets/lib/client-handshake.c Line 26 in 6c58228 |
|
On 25/10/13 20:29, the mail apparently from shyswork included:
I think I see.... can you take a look at and see if it matches your understanding? -Andy
|
Yep. Thanks. It works. |
|
On 25/10/13 22:00, the mail apparently from shyswork included:
http://git.libwebsockets.org/cgi-bin/cgit/libwebsockets/commit/?id=6b5c1af4393413db0666becf41f60dbc810982a7 the patch I mentioned before should fix the peer address / port Thanks for sharing your work. -Andy
|
|
Thanks for writing awesome library :) and quick responses. |
SSL_connect on iOS with http proxy fails when SSL_connect can't connect immediately. The problem is that nonblocking BIO is used so in case SSL_connect() can't finish in one turn wsi->mode doesn't change from LWS_CONNMODE_WS_CLIENT_WAITING_PROXY_REPLY. So the next time we receive something on socket we fail on "HTTP/1.0 200" proxy connect check. I have made a quick fix. Please check here shyswork@b84971a
This is related to blocking sockets as of commit 6c58228. When I tried to use libwebsocket on iOS behind http proxy with nonblocking sockets I couldn't connect as well but I'm not sure if it is related to openssl or to the problem with libwebsockets and nonblocking sockets on iOS.
The text was updated successfully, but these errors were encountered: