I am using Ratchet WebSocket in a Windows-based server project that is entirely working in an insecure environment. That is to say that when I navigate my browser to http://www.example.com and connect to the websocket server using ws:// on port 8686 everything works spectacularly.
The server doesn't run through IIS - but instead is executed via php.exe in command prompt like this.
php wsocket-server.php [...parameters...]
However, if run the Ratchet Server and try to connect from https://www.example.com using wss:// the browser simply will not connect to the websocket server, despite the fact that the server starts up fine and the insecure site and connect via ws://
Now, I realize I need to utilize some additional code to include my SSL documentation. This is the relevant code I have in place:
use Ratchet\Server\IoServer;
use Ratchet\Http\HttpServer;
use Ratchet\WebSocket\WsServer;
$websocket_server = new WsServer();
if ($site_secure){
//RUN WSS (SECURE) SERVER
$options = [
'local_cert' => 'c:\inetpub\ssl\2c6fa1928847451c.crt',
'local_pk' => 'c:\inetpub\ssl\2c6fa1928847451c.key',
'allow_self_signed' => true,
'verify_peer' => false
];
$loop = React\EventLoop\Factory::create();
$websocket_server->enableKeepAlive($loop);
$app = new HttpServer($websocket_server);
$insecure_websockets = new \React\Socket\Server('0.0.0.0:'.$port, $loop);
$secure_websockets = new \React\Socket\SecureServer($insecure_websockets , $loop, $options);
$secure_websockets_server = new \Ratchet\Server\IoServer($app, $secure_websockets, $loop);
$secure_websockets_server->run();
}else{
//RUN WS (INSECURE) SERVER
$http_server = new HttpServer($websocket_server);
$server = IoServer::factory($http_server, $port);
$websocket->log ("Initializing ".(($site_secure) ? "Secure " : "Insecure ")."Server ($port)");
$server->run();
}
What I have tried
I have ensured the correct ports are all open in the windows firewall.
I have ensured nothing else is listening on the port using netstat
I have tried using nginx, on a minimal level. I'd prefer to NOT use this method if possible, and was having some initial problems with it starting up so I did not dedicate 100% to it at this time. Ideally, I'd like to use Ratchet's native abilities.
I have searched other similar posts both here and elsewhere, such as this.
I have tried a number of different ports, even the same 8686 as I use in the insecure connection
I am hoping someone can lend me an assist with an issue that has been driving me crazy for 2 weeks. At this point I feel like I'm just trying things to try them and I may be coding myself in circles.
Thank you in advance.
A browser is never going to connect to anything running on port 465. Especially not a WebSocket.
Establishing a WebSocket connection is specified in terms of the Fetch standard. As such, the specific exclusion of this port is found within the latter:
A port is a bad port if it is listed in the first column of the following table.
Port
Typical service
…
…
465
submission
…
…
Now, why are some ports blacklisted? This is a protection against cross-protocol scripting attacks, as once demonstrated (warning: NSFW links) against Firefox and against Safari. Port 465 has been (and still sometimes is) used for SMTP over (pure) TLS, so in this case, an XPS attack might trick a browser into sending mail on the user’s behalf. Blocking those ports is meant to prevent it. Of course, all bets are off when a service runs on a non-standard port.
To make the service available in a browser, all you need to do is change the port number.
Related
I am prototyping a message queue solution developed using CodeIgniter. The code is hosted on a GoDaddy basic shared hosting plan and connects to a trial instance of RabbitMQ on CloudAMQP. I use the videlalvaro/php-amqplib library.
The solution worked fine for a few days and yesterday I started getting a connection refused error. No changes to the code, in fact the same code running on my local machine works fine and connects to CloudAMQP.
This leads me to believe that the problem could be with GoDaddy hosting. Have spent about 48 hours trying to work around this and my project is now stalled.
Does anyone have any ideas? My only option now is to move to a different hosting service and try but that's a major step and I wanted to be sure I'm not missing something small.
The relevant part of the code below:
$url = parse_url("amqp://yyyyyyyy:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx#moose.rmq.cloudamqp.com/yyyyyyyy");
//Masking the user name and password for here
$conn = new AMQPStreamConnection(
$url['host'], //host - CloudAMQP_URL
5672, //port - port number of the service, 5672 is the default
$url['user'], //user - username to connect to server
$url['pass'], //password - password to connect to the server
substr($url['path'], 1) //vhost
);
For those who may face a similar problem, this could have been because of hosting on GoDaddy (could apply to any hosting service) where presumably access to post 5672 is not allowed. I moved to AWS and everything is working fine.
This question can be closed (not sure how that happens).
Thank you zaq178miami, your inputs helped.
According to this site: http://search.cpan.org/~mramberg/Catalyst-Plugin-RequireSSL-0.07/lib/Catalyst/Plugin/RequireSSL.pm
It's as easy as this:
# in MyApp.pm
use Catalyst qw/
RequireSSL
/;
__PACKAGE__->config(
require_ssl => {
remain_in_ssl => 0,
no_cache => 0,
detach_on_redirect => 1,
},
);
__PACKAGE__->setup;
# in any controller methods that should be secured
$c->require_ssl;
However, I am running the app using the built in MyApp_server.pl . And when I follow those instructions I get an SSL connection error Error code: ERR_SSL_PROTOCOL_ERROR
I'm guessing that the MyApp_server.pl doesn't support SSL, or there is more that I need to do to configure it.
Can I set up an SSL connection using nginx? I can find now instructions on how to do this. Can this be done with Apache?
Frankly, I was really hoping to be able to deploy this app with the built in server, but SSL encryption is required for all of my pages.
Thanks for any help that you can provide!
PS This app is running on my personal computer (OSX) behind a firewall, but the intention is to deploy it on a linux server behind a firewall.
I have dowloaded latest version of genymotion with proxy server 2.2.2 and while connecting i am getting invalid reply from server (do you use a proxy?). I am not using proxy for sure. Any ideas?
Answer, its all about the http proxy server on the genymotion settings just UNCHECK on the genymotion setting or remover the http proxy server by UN-ticking the ability to enter HTTP PROXY and PORT let it be blank by unckecking hence login your credentials, if it doesn't work try confirming you email with genymotion.
In my case I went to Settings > Network > I checked "Use HTTP Proxy" and I filled the Http Proxy and port fields (with company proxy valid values).
After that I connect smoothly as silk.
I had the same problem in ubuntu and after some struggle when i was almost giving up i stop the docker (had one instance running in port 3337 in my PC) and for my surprise it's finally work.
I had a similar issue (invalid reply from server without Proxy, on a highly customized and quite broken ubuntu 16.04). nothing of the above helped. (seemingly)
Then I visited this site:
http://qaru.site/questions/835901/genymotion-stuck-on-splash-screen
(well, you have to let google translate it, if you are not russian)
the error described there is completely different. (computer crash resulting in different networking issues)
but it had one thing in common with my case:
everything worked fine, and then suddenly: SOME NETWORKING ERROR - without reason
well, for me, the solution was the same as described on the russian page:
removing a (corrupted?!) conf file.
the conf file was at (my home folder)/.config/Genymobile/Genymotion.conf
i deleted it (i had to do it with root, because the file was owned by root, but this might have been the case because i messed a bit with genymotion...)
Then, i restarted genymotion and logged in again and it worked like a charm.
I had to allow Genymtion.exe in windows firewall. I'm using v3
Had the same problem, managed it using a VPN.
I am trying to monitor https traffic with Fiddler, using current newest version:2.4.4.5
I've successfully set up https, certificates and I can see the full https encrypted traffic for example browsing my bank's web site.
...however...
When I trying to monitor an other server I got this error message in the response window:
"Failed to secure existing connection for 77.87.178.160. A call to SSPI failed, see inner exception. InnerException: System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm"
For full Fiddler window see:
The client is not a in this case browser, but a custom client program, which communicates with its own server.
My question: Is this exception misleading and in reality some other error prevents the secure channel to set up?
...or...
We have still chance to monitor this https communication?
Thx in advance
What is the client program?
This error typically indicates that that client application is only offering certain HTTPS ciphers, and those ciphers are not supported by Fiddler.
However, in this case, the specific problem here is almost certainly this: http://blogs.msdn.com/b/ieinternals/archive/2009/12/08/aes-is-not-a-valid-cipher-for-sslv3.aspx
The client is trying to use AES with SSLv3, but that isn't one of the valid ciphers for SSL3. As a consequence, the connection fails.
You might be able to workaround this by clicking Rules > Customize Rules. Scroll down to the Main() function and add the following line within the function:
CONFIG.oAcceptedServerHTTPSProtocols =
System.Security.Authentication.SslProtocols.Ssl3;
Please let me know if this works.
NOTE Current versions of Fiddler offer a UI link for this: Look at the lis of enabled protocols on the HTTPS tab.
Unbelievably this issue is still present some 6 years later.
Just installed the latest version of Fiddle (v5.0.20194.41348), and sure enough on Win7 using Chrome or IE it keeps failing with the dreaded error:
"fiddler.network.https> HTTPS handshake to google.com (for #1) failed. System.ComponentModel.Win32Exception The client and server cannot communicate, because they do not possess a common algorithm"
After some hours of testing, I found a middle ground solution which seems to work with virtually all websites. The aim was to get the highest possible security with no errors in the log. Without needing to add any code, simply changing this line under Tools > Options > HTTPS > Protocols is what worked for me (just copy and paste it):
<client>;ssl3;tls1.1;tls1.2
Basically removed the ssl2 and tls1.0 protocols which leaves us with some pretty decent security and no errors so far. Having spent hours of frustration with this error, hope someone out there might find this useful, and a big thanks to EricLaw who discovered the root of the problem.
Yes I too have seen this error when working outside of fiddler and it was connected with AuthenticateAsServer but only went wrong when using IE10 and not Chrome as the browser.
Odd thing is that it did not break all the time for IE10 using SslProtocols.Tls for the protocol so I will add a bit of code to switch the protocol if one fails
The protocol that can be used also seems to change on if you are using a proxy server like Fiddler or using an invisible server by hijacking the DNS via the hosts file to divert traffic to the server
I'm doing my dev work on a Window 7 x64 machine, deploying to a Windows 2008 x32 server. At the moment I'm adding WCF services to some internal apps so that we can build smaller clients using net.tcp bindings that report to the user what the server is doing without running multiple instances of the server. To cut back on how much administration the apps will require, I tried enabling port sharing on my first server app. I'm using the app to self-host the WCF service so they can be easily moved from one server to another if necessary. Here's the code starting the server:
Dim _service_host As ServiceHost
Dim active_server_address As Uri = New UriBuilder("net.tcp", "localhost", CInt(My.Settings.ServerPort)).Uri
_service_host = New ServiceHost(GetType(UpdateServiceOps), active_server_address)
_service_host.AddServiceEndpoint(GetType(IUpdateService), New NetTcpBinding With {.Name = "endpoint_tcp"}, "MiddlewareEndpoint")
_service_host.Description.Behaviors.Add(New ServiceMetadataBehavior)
_service_host.AddServiceEndpoint(GetType(IMetadataExchange), MetadataExchangeBindings.CreateMexTcpBinding, "mex")
_service_host.Open()
That works great. When I change it to what's below, however, I get an error. Here's the code:
Dim _service_host As ServiceHost
Dim active_server_address As Uri = New UriBuilder("net.tcp", "localhost", CInt(My.Settings.ServerPort)).Uri
_service_host = New ServiceHost(GetType(UpdateServiceOps), active_server_address)
_service_host.AddServiceEndpoint(GetType(IUpdateService), New NetTcpBinding With {.Name = "endpoint_tcp", .PortSharingEnabled = True}, "MiddlewareEndpoint")
_service_host.Description.Behaviors.Add(New ServiceMetadataBehavior)
_service_host.AddServiceEndpoint(GetType(IMetadataExchange), MetadataExchangeBindings.CreateMexTcpBinding, "mex")
_service_host.Open()
I get the following error when I put a breakpoint at the last line: Unable to automatically step into the server. Connecting to the server machine 'nettcpportsharing' failed. The requested name is valid, but no data of the requested type was found. The Try...Catch block housing that code says the exception type is AddressAlreadyInUseException...but when I run netstat I don't see anything else listening on that address. There's no occurrence of 'nettcpportsharing' anywhere in my solution. I've checked to make sure that the Net.Tcp Port Sharing service is started. Any ideas?
I think this may be a permissions issue. Please see the associated article which explains how to configure the port sharing service to support self-hosted services.
(For production purposes I would strongly recommend using IIS Hosting with WAS anyway - it makes management of the services much cleaner and you get dynamic startup/shutdown for free.)