I have not been able to connect to a secure wss:// websocket servers using either Safari 5 or the WebKit nightly. I have tried the following server implementations: em-websocket (http://github.com/igrigorik/em-websocket) and pywebsocket (http://code.google.com/p/pywebsocket/). For both servers I used a self signed certificate, which I also added as a trusted certificate to my keychain (which made no difference). Both of these server implementations work with Chrome (tested with version 6.0.447.0 dev). It appears that there is an error establishing an SSL connection. The stacktrace from pywebsocket (instructions to replicate below) looks like this. [2010-06-30 17:24:10,655] [ERROR] root: Exception in processing request from: ('127.0.0.1', 59399) Traceback (most recent call last): File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/SocketServer.py", line 558, in process_request_thread self.finish_request(request, client_address) File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/SocketServer.py", line 320, in finish_request self.RequestHandlerClass(request, client_address, self) File "standalone.py", line 237, in __init__ self, *args, **keywords) File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/SocketServer.py", line 615, in __init__ self.handle() File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/BaseHTTPServer.py", line 329, in handle self.handle_one_request() File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/BaseHTTPServer.py", line 312, in handle_one_request self.raw_requestline = self.rfile.readline() File "/Library/Python/2.6/site-packages/mod_pywebsocket/memorizingfile.py", line 71, in readline line = self._file.readline() File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/socket.py", line 395, in readline data = recv(1) Error: [('SSL routines', 'SSL23_READ', 'ssl handshake failure')] I also tried using stunnel in front of a patched em-websocket server (operating in non ssl mode, but returning the correct wss handshake). This worked in Chrome, but for the WebKit case the connection was terminated in stunnel with the following debug log: 2010.06.30 17:20:47 LOG7[31326:140735074479136]: wss accepted FD=11 from 127.0.0.1:59205 2010.06.30 17:20:47 LOG7[31326:4297367552]: wss started 2010.06.30 17:20:47 LOG7[31326:4297367552]: FD 11 in non-blocking mode 2010.06.30 17:20:47 LOG7[31326:4297367552]: Waiting for a libwrap process 2010.06.30 17:20:47 LOG7[31326:4297367552]: Acquired libwrap process #0 2010.06.30 17:20:47 LOG7[31326:4297367552]: Releasing libwrap process #0 2010.06.30 17:20:47 LOG7[31326:4297367552]: Released libwrap process #0 2010.06.30 17:20:47 LOG7[31326:4297367552]: wss permitted by libwrap from 127.0.0.1:59205 2010.06.30 17:20:47 LOG5[31326:4297367552]: wss accepted connection from 127.0.0.1:59205 2010.06.30 17:20:47 LOG7[31326:4297367552]: SSL state (accept): before/accept initialization 2010.06.30 17:20:47 LOG7[31326:4297367552]: SSL state (accept): SSLv3 read client hello A 2010.06.30 17:20:47 LOG7[31326:4297367552]: SSL state (accept): SSLv3 write server hello A 2010.06.30 17:20:47 LOG7[31326:4297367552]: SSL state (accept): SSLv3 write certificate A 2010.06.30 17:20:47 LOG7[31326:4297367552]: SSL state (accept): SSLv3 write server done A 2010.06.30 17:20:47 LOG7[31326:4297367552]: SSL state (accept): SSLv3 flush data 2010.06.30 17:20:47 LOG3[31326:4297367552]: SSL_accept: Peer suddenly disconnected 2010.06.30 17:20:47 LOG5[31326:4297367552]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2010.06.30 17:20:47 LOG7[31326:4297367552]: wss finished (0 left) Nothing is logged in Safari or to Console.app, so I'm slightly at a loss how to debug further. Replicating with pywebsocket: * Download from http://code.google.com/p/pywebsocket/ * Install (see README) * Run standalone server ** cd `src/mod_pywebsocket` ** `sudo python standalone.py -t -p 443 -k keyfile -c certfile --allow-draft75` * Connect from WebKit
What happens if you try to connect to the same host via HTTP (i.e., by entering an http:// address in address bar)? Is there an SSL certificate error displayed? WebSocket spec says: 4. If /secure/ is true, perform a TLS handshake over the connection. If this fails (e.g. the server's certificate could not be verified), then fail the WebSocket connection and abort these steps.
> entering an http:// address I meant https://, sorry.
Alexey, You're absolutely correct. The self signed certificate was not trusted by Safari and after changing the setting to always trust this certificate the WebSocket connection worked. So thanks! I wonder though whether it would be possible to make this more user friendly? Bringing up the same certificate warning message that Safari uses for https would seem to be ideal, but if that's not possible at least logging the failure reason somewhere would be really useful.
Logging is absolutely what we should do. I'm not convinced that a warning sheet is a good idea - providing an easy way to bypass security equals to having no security at all, and we can avoid that for WebSocket, that would be good. We might eventually have to show the warning sheet due to pressure from other browsers (I'm told Chrome does that).
<rdar://problem/17898486>