WSS (TLS) Implementation for standalone.py

Zach

Feb 27, 2013, 7:36:30 PM
to pyweb...@googlegroups.com
Does anybody have successful experience implementing WSS? The command I'm running on my server is:

sudo python standalone.py -p 443 -t -k certs/server.key -c certs/server.crt -l logs --log-level debug -w WebSocket_Handlers/

1) I've confirmed that the paths are all correct, and the server runs, but I cannot establish a secure connection (it drops any connection attempt: each client runs the OnClose() method immediately). Running the same thing without WSS works successfully (a connection is made and bidirectional communication works between client and server):

sudo python standalone.py -p 80 -w WebSocket_Handlers/

2) I've verified that the key pairs with the certificate correctly by using "openssl x509 -noout -modulus -in server.crt | openssl md5" and "openssl rsa -noout -modulus -in server.key | openssl md5" (Source: https://kb.wisc.edu/middleware/page.php?id=4064)

3) I'm not behind any corporate firewalls that would cause any lack of transparency.

4) I'm going to get and post a Wireshark capture tonight to give you guys more of an idea of what exactly is happening. I'm just posting this now to see if there are any ideas floating in your minds before I get the capture, as I'm stumped.

Thanks!

Takashi Toyoshima

Feb 27, 2013, 11:06:33 PM
to pyweb...@googlegroups.com
Hi Zach,

I suspect you use a self-signed cert for WSS. If you use Chrome as a web browser, you cannot connect to a self-signed cert WSS server directly. This is because Chrome policy doesn't allow showing a UI to accept an invalid cert in background network connections like WebSocket, XHR, iframe, and so on.

Here are some workarounds for testing.

- Use the --ignore-certificate-errors flag when launching Chrome
- Provide the JavaScript-hosting HTML on the same secure server. An invalid cert which is accepted by a user for HTTPS will also be accepted in WSS.

Also chrome://net-internals/#events will be helpful to resolve this kind of issue.

Thanks,





Zach

Feb 28, 2013, 12:11:03 AM
to pyweb...@googlegroups.com
Thank you so much! We weren't using a self-signed cert, but it was the same issue: the certificate did not match the URL because I told the background connection to be made directly via an IP address rather than a hostname (which caused Chrome to default-reject it). Considering the certificate was good for a *.com, and not an IP, it did not like it.

Thanks again!
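The mismatch this thread ended on (a certificate issued for DNS names, a wss:// connection made to an IP address) can be checked before a browser silently drops the socket. The following is an added example, not code from the posts or from pywebsocket. It assumes Python 3 and a certificate dict in the shape returned by ssl.SSLSocket.getpeercert(); the function names, example.com and 203.0.113.10 are constructed for illustration, and the matching is a simplified version of what a browser does.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape of ssl.SSLSocket.getpeercert():
# a wildcard certificate with DNS names only and no IP address entries.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def _dns_match(pattern, host):
    """Match one DNS entry; '*' may only stand for the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative choice in this example: refuse '*.com' style patterns.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers_url(cert, url):
    """Return (ok, reason): is cert valid for the host named in a wss:// URL?"""
    parts = urlsplit(url)
    if parts.scheme != "wss" or not parts.hostname:
        return False, "not a wss:// URL with a host"
    host = parts.hostname
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with 'IP Address' entries,
        # never with DNS names or wildcards.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value.strip()) == ip:
                return True, "matched IP Address entry"
        return False, "URL host is an IP literal; certificate has no such IP entry"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, host):
            return True, "matched DNS entry " + value
    return False, "no DNS entry matches " + host
```

With the sample certificate, wss://203.0.113.10/echo is rejected while wss://ws.example.com/echo is accepted, which is the behaviour described in the last post.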