websocat icon indicating copy to clipboard operation
websocat copied to clipboard
verified publisher icon vi

TLS1.3 not supported?

Open blind-oracle opened this issue 5 months ago • 4 comments

When connecting to TLS1.3-only endpoint I get:

websocat: WebSocketError: WebSocket SSL error: bad protocol version
websocat: error running

blind-oracle avatar Jul 10 '25 13:07 blind-oracle

This should depend on how Websocat is built. I expect typical builds to support TLS 1.3 (if OpenSSL and system TLS libraries do so by default).

Is there example of some public TLS1.3-only endpoint that can be checked in browser and by other tools?

vi avatar Jul 10 '25 16:07 vi

Thanks for the answer.

I've installed the websocat from brew, so not sure how it was built there. I've tried building it from cargo but the error is the same.

% which websocat
/Users/xxx/.cargo/bin/websocat

% websocat wss://node2.fr2.virtualhive.org
websocat: WebSocketError: WebSocket SSL error: bad protocol version
websocat: error running

Are there plans to switch to rustls instead in the new version?

You can try the above host, it runs TLSv1.3 only, works fine from Chrome, but websocat fails.

blind-oracle avatar Jul 10 '25 19:07 blind-oracle

Tried locally:

$ /opt/websocat -v wss://node2.fr2.virtualhive.org
[INFO  websocat::lints] Auto-inserting the line mode
[INFO  websocat::stdio_threaded_peer] get_stdio_peer (threaded)
[INFO  websocat::ws_client_peer] get_ws_client_peer
[INFO  websocat::net_peer] Connected to TCP [2001:4d78:400:10a:6801:1fff:fe46:4694]:443
websocat: WebSocketError: WebSocketError: Received unexpected status code (404 Not Found)
websocat: error running

$ /opt/websocat4  wss://node2.fr2.virtualhive.org
2025-07-10T20:40:36.293868Z ERROR websocat::scenario_executor::utils1: Upstream server returned status code other than `switching protocols`: 404 Not Found

TLS seems to be connecting (as it gets to HTTP status code).

The following commands also work for me:

  • curl -v https://node2.fr2.virtualhive.org
  • openssl s_client node2.fr2.virtualhive.org:443
  • socat - ssl:node2.fr2.virtualhive.org:443

Do they work for you as well?

If the latter two commands work, they can be combined with Websocat to offload TLS management to a separate tool.

vi avatar Jul 10 '25 20:07 vi

@vi Thanks, yes, all of the commands work fine for me, except websocat, strange. Maybe this is some specific MacOS problem.

% /Users/xxx/.cargo/bin/websocat -v wss://node2.fr2.virtualhive.org
[INFO  websocat::lints] Auto-inserting the line mode
[INFO  websocat::stdio_threaded_peer] get_stdio_peer (threaded)
[INFO  websocat::ws_client_peer] get_ws_client_peer
[INFO  websocat::net_peer] Connected to TCP 62.209.62.115:443
websocat: WebSocketError: WebSocket SSL error: bad protocol version
websocat: error running

Thanks for the hint about offloading - that indeed works fine with socat.

blind-oracle avatar Jul 10 '25 21:07 blind-oracle