2017-05-06 125 views
1

I have installed a Let's Encrypt (https://letsencrypt.org/) certificate for my web server (Apache) and my WebSocket server (PHPWS). The problem is that the SSL WebSocket works fine in Firefox but does not work with Chrome, Chromium and Opera. I have tried a self-signed certificate, and with it the secure WebSocket works in Chrome and Chromium. Do SSL WebSocket connections not work with WebKit browsers?

My web page is at https://warsoftheheroes.eu

Login: zosia and password: zaqwsx

This is the JavaScript error you should see in the Chrome console when you log in:

WebSocket connection to 'wss://warsoftheheroes.eu:1025/chat' failed: WebSocket opening handshake was canceled websocket.js?v=20170506:4 
WebSocket connection to 'wss://warsoftheheroes.eu:1025/main' failed: WebSocket opening handshake was canceled websocket.js?v=20170506:5 

This is what I see in the WebSocket (PHPWS) server log:

PHP Warning: stream_socket_accept(): Failed to enable crypto in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126 

Warning: stream_socket_accept(): Failed to enable crypto in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126 

PHP Warning: stream_socket_accept(): accept failed: Success in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126 

Warning: stream_socket_accept(): accept failed: Success in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126 

[some path] was inserted by me in place of the real path.

What could be wrong? The certificate works over HTTPS with Apache but does not work over WSS with the WebSocket.

-=EDIT=-

This is my Apache SSL configuration:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

-=EDIT 2=-

Here is the nmap output after the OpenSSL update:

nmap --script ssl-enum-ciphers -p 443 warsoftheheroes.eu 

Starting Nmap 7.40 (https://nmap.org) at 2017-05-10 18:44 CEST 
Nmap scan report for warsoftheheroes.eu (81.163.204.80) 
Host is up (0.013s latency). 
rDNS record for 81.163.204.80: pppoe-static-a-80.interblock.pl 
PORT STATE SERVICE 
443/tcp open https 
| ssl-enum-ciphers: 
| TLSv1.0: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
| TLSv1.1: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
| TLSv1.2: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A 
|  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
|_ least strength: A 

nmap --script ssl-enum-ciphers -p 1025 warsoftheheroes.eu 

Starting Nmap 7.40 (https://nmap.org) at 2017-05-10 19:07 CEST 
Nmap scan report for warsoftheheroes.eu (81.163.204.80) 
Host is up (0.015s latency). 
rDNS record for 81.163.204.80: pppoe-static-a-80.interblock.pl 
PORT  STATE SERVICE 
1025/tcp open NFS-or-IIS 
| ssl-enum-ciphers: 
| TLSv1.0: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: client 
| TLSv1.1: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: client 
| TLSv1.2: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: client 
|_ least strength: A 

Answers

1

Well, I found the solution to my problem. The PHP SSL context option "verify_peer" defaults to "true", which I think makes the server ask the client for a client certificate. So I set it to "false", and now Chrome/Chromium/Opera work with WSS.

+1

OK, I think [this](https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html) is related, interesting –
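To make the accepted answer concrete, here is an added example (written for this page, not code from phpws or from the question) of a server-side SSL stream context in PHP. On a server stream, `verify_peer` decides whether the TLS handshake requests a certificate from the browser; the browser still verifies the server certificate regardless of this setting. The function name, the certificate paths and the port are assumptions, and the Let's Encrypt paths follow certbot's usual `/etc/letsencrypt/live/<domain>/` layout with a placeholder domain.

```php
<?php
// Added example, not phpws project code. Builds the ssl:// stream context a
// WSS server accepts with. Paths and port are placeholders.

function buildWssServerContext(string $certPath, string $keyPath, bool $requestClientCert = false)
{
    $ssl = [
        // Server certificate chain (fullchain.pem) and the matching private key.
        // The process running the server needs read access to both files;
        // certbot's privkey.pem is root-only by default.
        'local_cert' => $certPath,
        'local_pk'   => $keyPath,

        // On a *server* stream, verify_peer=true (the PHP default) makes
        // OpenSSL send a CertificateRequest during the handshake. A browser
        // that has no client certificate configured then aborts, which is what
        // the question shows: Chrome logs ERR_SSL_CLIENT_AUTH_CERT_NEEDED and
        // phpws logs "stream_socket_accept(): Failed to enable crypto".
        // Keep this false unless you actually deploy mutual TLS.
        'verify_peer'       => $requestClientCert,
        'verify_peer_name'  => false,
        'allow_self_signed' => false,

        // Only accept TLS 1.2 from clients (the nmap scan showed 1.0/1.1 enabled).
        'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_SERVER,

        // Forward-secret suites only, server order wins, no TLS compression.
        'ciphers' => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:'
                   . 'DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
        'honor_cipher_order'  => true,
        'disable_compression' => true,
    ];

    return stream_context_create(['ssl' => $ssl]);
}

// Usage: listen on the WSS port with the hardened context. phpws performs the
// same stream_socket_server()/stream_socket_accept() dance internally; how the
// context is handed to it depends on the phpws version, so it is shown directly.
$ctx = buildWssServerContext(
    '/etc/letsencrypt/live/example.org/fullchain.pem',   // placeholder domain
    '/etc/letsencrypt/live/example.org/privkey.pem'
);
$server = @stream_socket_server(
    'ssl://0.0.0.0:1025',
    $errno,
    $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
    $ctx
);
if ($server === false) {
    fwrite(STDERR, "listen failed: $errstr ($errno)\n");
    exit(1);
}
// Accepting on an ssl:// server stream runs the TLS handshake inside
// stream_socket_accept(); a handshake failure surfaces as the warning seen
// in the question's log rather than as a returned error code.
$client = @stream_socket_accept($server, 30);
if ($client === false) {
    fwrite(STDERR, "handshake or accept failed\n");
}
```

A quick external check for the client-certificate request is `openssl s_client -connect host:port`: if the server asked for a client certificate, the handshake summary shows "Acceptable client certificate CA names"; otherwise it shows "No client certificate CA names sent". Running that against the WSS port before and after flipping `verify_peer` confirms which behaviour the server has.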

1

If you open Chrome's net-internals and start logging while the socket is trying to connect, you will see the following:

[image: net-internals log]

ERR_SSL_CLIENT_AUTH_CERT_NEEDED is very explicit and tells us there is a problem with your certificate.

Looking at it, we can see that you are using RSA, which is an obsolete key exchange. Instead you should use DHE_RSA or ECDHE_RSA. Even if you have no problem with https, this may be a problem for establishing a secure websocket connection; make sure you use strong ciphers and key exchange mechanisms.

Your phpws process also has some very basic problems: it has no read access to the certificate/pem file, and the certificate has expired. So you may want to double-check that, just in case.

+0

I have DHE_RSA and ECDHE_RSA in my Apache SSL configuration; I edited my post and added my SSLCipherSuite –

+0

p.s. I think that if it were a problem of read access or an expired certificate, then WSS would not work in Firefox either. –

+0

Yes, you are right. Regarding the cipher suite, it looks fine, but I think it is a key exchange that is not strong enough, and webkit fails because of that. Could you try using 'ECDHE_RSA'? –
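The discussion above turns on reading the `nmap --script ssl-enum-ciphers` report in EDIT 2: which key exchanges each protocol version offers, and who decides the suite. Below is an added example (not from the question or the answers) of a small PHP parser for that report format that prints the checks a reviewer would make from it. `$sampleReport` is a constructed excerpt modelled on the port 1025 scan; the function names are mine.

```php
<?php
// Added example: parse nmap ssl-enum-ciphers output and list review findings.

// Constructed excerpt in the same layout as the EDIT 2 scan of port 1025.
$sampleReport = <<<'NMAP'
PORT  STATE SERVICE
1025/tcp open NFS-or-IIS
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
NMAP;

// Returns [protocol => ['ciphers' => [...], 'preference' => ..., 'compressors' => [...]]].
function parseSslEnumCiphers(string $report): array
{
    $result = [];
    $proto  = null;
    foreach (preg_split('/\R/', $report) as $raw) {
        // Strip the "|" / "|_" gutter nmap puts in front of script output.
        $line = trim(preg_replace('/^\|_?\s*/', '', $raw));
        if (preg_match('/^(SSLv3|TLSv1\.\d):$/', $line, $m)) {
            $proto = $m[1];
            $result[$proto] = ['ciphers' => [], 'preference' => null, 'compressors' => []];
        } elseif ($proto === null) {
            continue;
        } elseif (preg_match('/^(TLS_[A-Z0-9_]+) \(([^)]*)\) - ([A-F])$/', $line, $m)) {
            // Suite name, key-exchange parameters (curve or DH/RSA size), nmap grade.
            $result[$proto]['ciphers'][] = ['name' => $m[1], 'kex' => $m[2], 'grade' => $m[3]];
        } elseif (preg_match('/^cipher preference: (\w+)$/', $line, $m)) {
            $result[$proto]['preference'] = $m[1];
        } elseif (preg_match('/^(NULL|DEFLATE)$/', $line, $m)) {
            $result[$proto]['compressors'][] = $m[1];
        }
    }
    return $result;
}

// Turns the parsed report into the findings a reviewer would raise.
function reviewTlsEndpoint(array $parsed): array
{
    $findings = [];
    foreach ($parsed as $proto => $info) {
        if (in_array($proto, ['SSLv3', 'TLSv1.0', 'TLSv1.1'], true)) {
            $findings[] = "$proto is enabled; current browsers only need TLSv1.2 or newer";
        }
        // The part before _WITH_ is the key exchange: ECDHE/DHE give forward
        // secrecy, plain TLS_RSA_ (RSA key transport) does not.
        $staticRsa = array_filter($info['ciphers'], function (array $c) {
            return strpos($c['name'], 'TLS_RSA_WITH_') === 0;
        });
        if ($staticRsa) {
            $findings[] = "$proto offers " . count($staticRsa) . " static-RSA suite(s) without forward secrecy";
        }
        if ($info['preference'] === 'client') {
            $findings[] = "$proto: cipher preference is 'client', so the client may pick any offered suite";
        }
        if (in_array('DEFLATE', $info['compressors'], true)) {
            $findings[] = "$proto: TLS compression is enabled";
        }
    }
    return $findings;
}

foreach (reviewTlsEndpoint(parseSslEnumCiphers($sampleReport)) as $finding) {
    echo "- $finding\n";
}
```

Run against the real EDIT 2 output, the parser shows what the comments are arguing about: both ports already offer ECDHE_RSA suites, but port 1025 also offers static-RSA suites on every protocol version and leaves the suite choice to the client, whereas port 443 enforces the server's order. Tightening the WebSocket server's `ciphers` and `honor_cipher_order` context options removes that difference.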
