
Support TLS client config NodeJS: TLS client certificates etc

cantidio opened this issue 10 years ago (Open, 12 comments)

Hello, I'm using autobahn in my enterprise application, in which all communications use a two-way handshake. So we have certificates on the server and on the client as well.

I was having some problems when using HTTPS/WSS with autobahn as we could not tell it to use the certificates for the websockets.

So I looked at the code and realized that at https://github.com/crossbario/autobahn-js/blob/master/package/lib/transport/websocket.js#L80, in the instantiation of the WebSocket, only the protocols are passed as a parameter and there's no way to pass other options along with it.

If the options in the transports were passed through the WebSocket itself this would solve this problem and provide more customization to the transports.

Usage Example:

let conn = new autobahn.Connection({
  realm: theREALM,
  transports : [{
    type: 'websocket', 
    url: 'wss://localhost:1339',
    options: {
      key: THE_KEY,
      cert: THE_CERT,
      rejectUnauthorized: true,
      requestCert: ...
      ...
    }
  }]
});

What do you think? I've a patch with this change that I can contribute if it's relevant.

Best Regards.

cantidio, Oct 14 '15 22:10

I can see your problem.

However, allowing arbitrary options to be passed has two problems:

  1. it's not a proper API, but exposes implementation details (the specific WS lib used by Autobahn on Node)
  2. it no longer allows transparently moving code from browser to Node and vice versa

Regarding 1.: what if we switch from "ws" (https://github.com/einaros/ws) to something else? That could break AutobahnJS user code, because it would assume the "ws" options are available.

  1. is an awesome feature in my view, and we want to preserve that.

Now, of course browsers won't let you do such TLS things (like choosing client cert) from JS (for good reasons).

So there is a stretch between these goals, I admit. Mmh.

Sidenote: curious, what WAMP router are you using?

oberstet, Oct 16 '15 07:10

@oberstet I completely agree with you regarding the behaviour of the NodeJS vs browser code; I thought about that as well and said so in the pull request I sent.

So I was thinking of a way to preserve both functionalities.

Can we enable the possibility to register your own custom Transport? For this we only need to define the interface for what a Transport should be.

autobahn.transports.add("my-transport-x",YOUR_TRANSPORT);

let conn = new autobahn.Connection({
  realm: theREALM,
  transports : [{
    type: 'my-transport-x', 
    options: {
      url: THE_URL,
      key: THE_KEY,
      cert: THE_CERT,
      ...
    }
  }]
});

In this case the options would be related to your own transport, not affecting the overall lib. I like the idea of registering your own transport better; this way you don't change the way to use, or the expected usage of, the Connection.

About the router: I'm using a spinoff of "Wamp-rt / Wamp-router". It's a simple router but it gives you liberty to use your own server/configurations, which is enough for my case.

Looking at the code this seems already possible with autobahn.Transports.register. But I must say that implementing another Transport is a lot of work just to use its options. Hmm.

cantidio, Oct 16 '15 17:10

I had this issue too. As ws uses the Node.js https agent for secure connections, you can solve this by overriding https.globalAgent before opening the autobahn connection.

photonbit, Feb 18 '16 12:02

We have the same problem here trying to enable self-signed certificates. @cantidio did you manage to find a workaround? @fredigato can you elaborate more on your comment? Do you have an open source implementation where we can have a look and study your workaround?

flongo82, Oct 16 '17 19:10

We are getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH from Chrome and SSL_ERROR_NO_CYPHER_OVERLAP in Firefox trying to use self-signed certificates. We do not use NodeJS. Could this be related to this issue?

BrainFeeder, Dec 29 '17 12:12

@BrainFeeder nope, this means your WAMP router doesn't have any cipher that would be acceptable by Chrome/FF.

What WAMP router?

Try openssl s_client -port 443 -host localhost to check what OpenSSL negotiates ..

oberstet, Dec 29 '17 12:12

I'm trying to connect to a server set up with React/Ratchet PHP.

Results of openssl s_client: Protocol TLS 1.2, used cipher: ECDHE-RSA-AES256-GCM-SHA384. But our websocket is using port 8080, and if we run the same on port 8080 it results in an error:

CONNECTED(00000003) 140009730094920:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 247 bytes

New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE

BrainFeeder, Dec 29 '17 12:12

Protocol TLS 1.2, used cipher: ECDHE-RSA-AES256-GCM-SHA384

Is that what you want to use? Because the client connects via SSL v3, not TLS 1.2 to begin with.

What WAMP router are you using?

oberstet, Dec 29 '17 12:12

We have ZeroMQ installed in PHP. The server, hosting the application, only supports TLS 1.2. It's the same for all our servers, don't think they want to change that...

BrainFeeder, Dec 29 '17 13:12

@BrainFeeder your server does not talk TLS 1.2, otherwise the OpenSSL client would connect using that. Further, you don't even need AutobahnJS, as you are using ZeroMQ, which is different from WAMP. Anyway, good luck!

oberstet, Dec 29 '17 13:12

@oberstet ZMQ is used with React, React by Ratchet and the Ratchet documentation and examples showed use of AutobahnJS on client side.

If you choose to build your application on the WAMP spec (highly recommended) you will need a JavaScript library to implement the client side. AutobahnJS is a client to interact with WAMP servers and is highly recommended to use with Ratchet.

Could this be a cache problem? We recently upgraded the openssl etc...

BrainFeeder, Dec 29 '17 13:12

  • again, ZMQ != WAMP, and WAMP does not build or need ZMQ
  • the TLS issues you experience are unrelated to AutobahnJS, as you cannot even connect using OpenSSL client
  • Ratchet does not implement WAMP v2 https://github.com/ratchetphp/Ratchet/issues/559#issuecomment-332561236 and AutobahnJS no longer provides WAMP v1, only v2
  • if you want to stick with PHP, I'd check out https://github.com/voryx/Thruway and get help from their IRC channel or GH

oberstet, Dec 29 '17 13:12