2017-05-06 72 views
1

I have installed a Let's Encrypt (https://letsencrypt.org/) certificate for my web server (Apache) and my WebSocket server (PHPWS). The problem is that the SSL WebSocket works fine in Firefox but does not work with Chrome, Chromium and Opera. I have tried a self-signed certificate, and with it the secure WebSocket works in Chrome and Chromium. SSL WebSocket connection not working in webkit browsers?

My page is at https://warsoftheheroes.eu

Login: zosia, password: zaqwsx

This is what you should see in the JavaScript console in Chrome when you log in:

WebSocket connection to 'wss://warsoftheheroes.eu:1025/chat' failed: WebSocket opening handshake was canceled websocket.js?v=20170506:4 
WebSocket connection to 'wss://warsoftheheroes.eu:1025/main' failed: WebSocket opening handshake was canceled websocket.js?v=20170506:5 

This is what I see in the WebSocket (PHPWS) server log:

PHP Warning: stream_socket_accept(): Failed to enable crypto in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126 

Warning: stream_socket_accept(): Failed to enable crypto in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126 

PHP Warning: stream_socket_accept(): accept failed: Success in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126 

Warning: stream_socket_accept(): accept failed: Success in [some path].../vendor/devristo/phpws/src/Devristo/Phpws/Server/WebSocketServer.php on line 126 

[some path] was added by me in place of the real path.

What could be wrong? The certificate works over HTTPS with Apache but does not work over WSS with the WebSocket server.

-=EDIT=-

Here is my Apache SSL configuration:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

-=EDIT 2=-

Here is the nmap output after the OpenSSL update:

nmap --script ssl-enum-ciphers -p 443 warsoftheheroes.eu 

Starting Nmap 7.40 (https://nmap.org) at 2017-05-10 18:44 CEST 
Nmap scan report for warsoftheheroes.eu (81.163.204.80) 
Host is up (0.013s latency). 
rDNS record for 81.163.204.80: pppoe-static-a-80.interblock.pl 
PORT STATE SERVICE 
443/tcp open https 
| ssl-enum-ciphers: 
| TLSv1.0: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
| TLSv1.1: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
| TLSv1.2: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A 
|  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A 
|  TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: server 
|_ least strength: A 

nmap --script ssl-enum-ciphers -p 1025 warsoftheheroes.eu 

Starting Nmap 7.40 (https://nmap.org) at 2017-05-10 19:07 CEST 
Nmap scan report for warsoftheheroes.eu (81.163.204.80) 
Host is up (0.015s latency). 
rDNS record for 81.163.204.80: pppoe-static-a-80.interblock.pl 
PORT  STATE SERVICE 
1025/tcp open NFS-or-IIS 
| ssl-enum-ciphers: 
| TLSv1.0: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: client 
| TLSv1.1: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: client 
| TLSv1.2: 
|  ciphers: 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A 
|  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A 
|  TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A 
|  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A 
|  compressors: 
|  NULL 
|  cipher preference: client 
|_ least strength: A 

Answers

1

OK, I found the solution to my problem. The PHP SSL context option 'verify_peer' defaults to 'true', which I think makes the server ask the client to present a client certificate. So I set it to 'false', and now Chrome/Chromium/Opera work with WSS.

+1

OK, I think [this](https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html) is related, interesting –
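The setting the accepted answer describes, shown as an added example in PHP (the language phpws is written in). This is not the asker's code or phpws's own code: it is a minimal TLS listener built from the same stream_socket_server()/stream_socket_accept() calls that appear in the log above, with the problem context beside the corrected one. Certificate paths and the port are placeholders.

```php
<?php
// Added example (not the asker's or phpws's code): a minimal TLS listener built
// the way phpws wraps stream_socket_server()/stream_socket_accept(), showing the
// stream-context option behind the Chrome/Chromium/Opera handshake failure.
declare(strict_types=1);

// Placeholders: point these at the real Let's Encrypt files for your host.
$certPath = '/etc/letsencrypt/live/example.invalid/fullchain.pem';
$keyPath  = '/etc/letsencrypt/live/example.invalid/privkey.pem';

// Problem configuration. Since PHP 5.6 'verify_peer' defaults to true. On a
// *server* socket that makes OpenSSL request a client certificate during the
// handshake; a browser that has none aborts (Chrome reports
// ERR_SSL_CLIENT_AUTH_CERT_NEEDED) and PHP logs
// "stream_socket_accept(): Failed to enable crypto".
$problemOptions = [
    'ssl' => [
        'local_cert' => $certPath,
        'local_pk'   => $keyPath,
        // 'verify_peer' left at its default (true): client certificate requested
    ],
];

// Corrected configuration: a public WebSocket endpoint has no reason to ask
// browsers for a client certificate, so peer verification is switched off on
// the server side. The server still presents its own certificate, and the
// browser still validates that against the Let's Encrypt chain as before.
$fixedOptions = [
    'ssl' => [
        'local_cert'        => $certPath,
        'local_pk'          => $keyPath,
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => false,
        // Refuse anything older than TLS 1.2 (constant exists since PHP 5.6).
        'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_SERVER,
    ],
];

/**
 * Listen once, accept one connection and return what happened.
 * With an ssl:// address the TLS handshake runs inside stream_socket_accept(),
 * which is the call at WebSocketServer.php line 126 in the asker's log.
 */
function serveOnce(array $contextOptions, string $bind = 'ssl://0.0.0.0:1025'): string
{
    $ctx = stream_context_create($contextOptions);
    $server = @stream_socket_server(
        $bind, $errno, $errstr, STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx
    );
    if ($server === false) {
        return "listen failed: $errstr ($errno)";
    }

    $client = @stream_socket_accept($server, 30, $peer);
    if ($client === false) {
        fclose($server);
        // Same failure class as the log above: client-cert request, unreadable
        // or expired certificate files, or a protocol/cipher mismatch.
        return 'handshake failed (check verify_peer, certificate readability and expiry)';
    }

    // The HTTP Upgrade request from the browser follows the handshake.
    $request = (string) fread($client, 8192);
    fclose($client);
    fclose($server);
    return "handshake ok from $peer; first line: " . strtok($request, "\r\n");
}

// Usage (constructed): pass $problemOptions to reproduce the asker's log,
// $fixedOptions to see the handshake complete.
if (PHP_SAPI === 'cli') {
    echo serveOnce($fixedOptions), PHP_EOL;
}
```

Disabling verify_peer here affects only what the server demands of the browser; it does not weaken the browser's check of the server certificate. If the endpoint were meant to require client certificates, the right fix would instead be to supply 'cafile' and keep 'verify_peer' enabled, but the question describes a public page, so no client authentication is intended.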

1

If you check Chrome internals and start logging while the socket is trying to connect, you will see the following:

[screenshot: net-internals]

ERR_SSL_CLIENT_AUTH_CERT_NEEDED is very explicit and tells us there is a problem with your certificate.

Looking at it, we can see you are using RSA, which is an outdated key exchange. Instead you should use DHE_RSA or ECDHE_RSA. Even though you have no problem with https, this could be the problem when establishing a secure websocket connection; make sure you use strong ciphers and key-exchange mechanisms.

Your phpws process could also have some very basic problems: no read access to the certificate/pem file, an expired certificate. So you may want to double-check those, just in case.

+0

I have DHE_RSA and ECDHE_RSA in my Apache SSL config, I edited my post and added my SSLCipherSuite –

+0

p.s. I think if it were a problem with read access or an expired certificate, then WSS in Firefox would not work either. –

+0

Yes, you are right. Regarding the cipher suite, it looks fine, but I think it is a not-strong-enough key exchange and webkit fails because of it. Can you try using 'ECDHE_RSA'? –
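A way to check the key-exchange theory from this answer against the asker's own scans, as an added example that is not part of the thread: the script below reads nmap ssl-enum-ciphers output, sorts each suite by key-exchange family (ephemeral (EC)DHE versus static RSA key transport) and reports the cipher preference. The sample input is constructed to match the shape of the port-1025 scan above; run over the real output it shows that both ports already offer ECDHE suites, so key exchange does not explain the failure (consistent with the accepted answer), while the client-side cipher preference on port 1025 and the remaining static-RSA suites are still worth tightening.

```php
<?php
// Added example, not from the thread: classify nmap ssl-enum-ciphers output by
// key-exchange family so a "static RSA key exchange" theory can be checked.
declare(strict_types=1);

/** Classify one nmap cipher line by key-exchange family; null for other lines. */
function classifyCipher(string $line): ?array
{
    // e.g. "|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A"
    if (!preg_match('/\b(TLS_(\w+?)_WITH_\w+)\s+\(([^)]*)\)\s+-\s+(\S+)/', $line, $m)) {
        return null;
    }
    $kx = $m[2]; // "ECDHE_RSA", "DHE_RSA", "RSA", ...
    return [
        'name'            => $m[1],
        'key_exchange'    => $kx,
        'params'          => $m[3],   // curve or key size as nmap reports it
        'grade'           => $m[4],
        // Ephemeral (EC)DHE gives forward secrecy; plain RSA key transport does not.
        'forward_secrecy' => (bool) preg_match('/^(EC)?DHE_/', $kx),
    ];
}

/** Summarise one scan: suites per family, cipher preference and findings. */
function analyzeScan(string $scan): array
{
    $report = [
        'forward_secrecy'    => [],
        'no_forward_secrecy' => [],
        'preference'         => null,
        'findings'           => [],
    ];
    foreach (preg_split('/\R/', $scan) as $line) {
        if (preg_match('/cipher preference:\s*(\w+)/', $line, $m)) {
            $report['preference'] = $m[1];
            continue;
        }
        $cipher = classifyCipher($line);
        if ($cipher === null) {
            continue;
        }
        // The same suite is listed once per TLS version; count it once.
        $bucket = $cipher['forward_secrecy'] ? 'forward_secrecy' : 'no_forward_secrecy';
        if (!in_array($cipher['name'], $report[$bucket], true)) {
            $report[$bucket][] = $cipher['name'];
        }
    }
    if ($report['forward_secrecy'] === []) {
        $report['findings'][] = 'no (EC)DHE suite offered: key exchange is static RSA only';
    }
    if ($report['no_forward_secrecy'] !== []) {
        $report['findings'][] = count($report['no_forward_secrecy'])
            . ' suite(s) without forward secrecy still enabled';
    }
    if ($report['preference'] === 'client') {
        $report['findings'][] = 'cipher preference is client-side; use server order so ECDHE wins';
    }
    return $report;
}

// Constructed input: a trimmed TLSv1.2 block in the shape of the port-1025 scan.
$sampleScan = <<<'TXT'
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
TXT;

if (PHP_SAPI === 'cli') {
    $report = analyzeScan($sampleScan);
    printf("forward secrecy:    %s\n", implode(', ', $report['forward_secrecy']));
    printf("no forward secrecy: %s\n", implode(', ', $report['no_forward_secrecy']));
    foreach ($report['findings'] as $finding) {
        echo "- $finding\n";
    }
}
```

Feed it the full output of nmap --script ssl-enum-ciphers for each port (for example via file_get_contents()) to compare the Apache and phpws listeners side by side; the 'params' field also exposes the brainpoolP256r1 curve the phpws port negotiates, versus secp256r1 on Apache.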
