Why does my wss:// (WebSockets over SSL/TLS) connection immediately disconnect without giving any errors?

by

After hours of debugging, I eventually found the problem; as I was messing around with the configuration of my XMPP server, I had re-generated the SSL certificates for the XMPPd. Since I was using self-signed certificates, this would cause an SSL error. Because I had visited that same URI over HTTPS before, I’d already manually approved the old self-signed certificate – but obviously that approval was no longer valid after regenerating the SSL certificate.

The key to the problem is this: If your SSL certificate causes a warning of any sort, wss:// WebSocket connections will immediately fail, and there is no canonical way to detect this.

As stated above, there appears to be no standardized way to even detect that this problem is occurring, let alone solve it. The best solution to this problem that I have been able to find, is as follows:

  1. If the WebSocket disconnects prior to having received a login confirmation (XMPP-specific), try to make a plaintext ws:// (without SSL) connection to the non-SSL port.
  2. If the plaintext connection succeeds, this means that the server is up – thus the problem is with the SSL certificate. (If the plaintext connection also fails, the server is simply unavailable.)
  3. Display an error to the user, indicating that there was an SSL problem, and that they should check the certificate, with instructions on how to manually approve it.
  4. Provide a target="_blank" link to the wss:// URL, but replacing the protocol with https://. This might be Prosody-specific, but by visiting that URL you will see the SSL warning page. Prosody will display a text that starts with “It works!” after approving the certificate – if the server-side is a custom application, you should display a message saying that “the problem has been solved, you can close this tab now”.
  5. In the background, in the main application, keep attempting to reconnect over wss:// every few seconds. Once a connection succeeds, this means the user has approved the certificate. Hide/remove the error and continue the normal connection/login process.

It’s far from a smooth process, UX-wise, but it’s the smoothest approach I’ve found. It is not possible to iframe the error page (this was one of my first ideas) – Chrome will refuse to load it at all, Firefox will hide the “Add exception” button, and I’d imagine other browsers exhibit similar behaviour.

More Related Contents:

  1. node.js, socket.io with SSL
  2. WebSocket with SSL
  3. How do you sign a Certificate Signing Request with your Certification Authority?
  4. Is a HTTPS query string secure?
  5. Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
  6. “The underlying connection was closed: An unexpected error occurred on a send.” With SSL Certificate
  7. php ratchet websocket SSL connect?
  8. Import certificate as PrivateKeyEntry
  9. How to do a https request with bad certificate?
  10. How to Configure SSL for Amazon S3 bucket
  11. Use self signed certificate with cURL?
  12. How to force SSL for Kubernetes Ingress on GKE
  13. Ignore SSL certificate errors in Xamarin.Forms (PCL)
  14. Specifying trust store information in spring boot application.properties
  15. Nginx configuration leads to endless redirect loop
  16. curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
  17. Enabling SSL with XAMPP
  18. pip always fails ssl verification
  19. Connecting to a Websphere MQ in Java with SSL/Keystore
  20. How to add subject alernative name to ssl certs?
  21. Insecure content in iframe on secure page
  22. Difference between self-signed CA and self-signed certificate [closed]
  23. SSL errors using MailChimp’s API
  24. Google App Script – MySql 8 – JDBC Connection Failed
  25. SSL Certificate add failed when binding to port
  26. curl: Unknown error (0x80092012) – The revocation function was unable to check revocation for the certificate
  27. How to connect to database with SSL in google apps script?
  28. SSLHandshakeException: Received fatal alert: handshake_failure when setting ciphers on tomcat 7 server
  29. What is CA certificate, and why do we need it?
  30. tunneling secure websocket connections with apache

Leave a Comment