
rosbridge websocket ssl connection aborted

asked 2014-12-01 10:28:46 -0600

CalisM

Hi all, I can't establish a wss-connection between Firefox 33.1 and roslaunch rosbridge_server rosbridge_websocket.launch. I always get an Alert(21) in Wireshark.

My Setup:
SERVER 192.168.2.199: Ubuntu 12.04 LTS + Hydro + latest rosbridge
CLIENT 192.168.2.33: Windows 7 U. + Firefox 33.1 + roslib R6

My HTML:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<script type="text/javascript" src="js/eventemitter2.js"></script>
<script type="text/javascript" src="js/mjpegcanvas.js"></script>
<script type="text/javascript" src="js/roslib.js"></script>
<script type="text/javascript">
function init() {

    var ros = new ROSLIB.Ros({url : 'wss://192.168.2.199:9090'});

    ros.on('connection', function() {
        console.log('Connected to websocket server.');
    });

    ros.on('error', function(error) {
        console.log('Error connecting to websocket server: ', error);
    });

    ros.on('close', function() {
        console.log('Connection to websocket server closed.');
    });
}
</script>
</head>
    <body onload="init()">
    <h1>Simple SSL Example</h1>
    <div id="mjpeg"></div>
    </body>
</html>

My OpenSSL:
Key:
openssl genrsa -out server_key.pem 2048

Certificate Signing Request:
openssl req -new -key server_key.pem -out server_csr.pem

Certificate:
openssl x509 -req -days 1825 -in server_csr.pem -signkey server_key.pem -out server_cert.pem

My launch-file-arguments:

  <arg name="port" default="9090" />
  <arg name="address" default="" />
  <arg name="ssl" default="true" />
  <arg name="certfile" default="/home/user/ssl/server_cert.pem" />
  <arg name="keyfile" default="/home/user/ssl/server_key.pem" />
  <arg name="authenticate" default="false" />

In Wireshark after TCP-Handshake my client inits TLSv1.2 "Client Hello" and server responds "Server Hello". Server sends "Certificate". Client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message". Immediately after the above packet the client sends an "Encrypted Alert" followed by "FIN,ACK"-packet which finishes transaction. I've even imported the server_cert.pem into Firefox, nothing changed. What is wrong?


Comments

How are you loading the web page? Via a web server or from a file URL?

rtoris288 ( 2014-12-01 11:15:30 -0600 )

File URL like: double-click on ssl_test.html. No web servers running. Only websocket server.

CalisM ( 2014-12-01 11:25:43 -0600 )

I'm pretty sure you need to be loading the file across a web server for browsers to run it correctly. I believe it is a security problem to connect to a WSS server from a file URL that modern web browsers don't allow. Just a thought.

rtoris288 ( 2014-12-01 13:03:03 -0600 )

I just tried with nginx. Firefox is sending SSL "Client Hello", so I think it shouldn't be a browser issue. I'm stuck. Do you know a working tutorial somewhere? Thanks for your help.

CalisM ( 2014-12-01 14:33:49 -0600 )

My only other guess is that it is denying the self-signed certificate. We are using signed certificates for our projects with an example similar to yours and things seem to be working as intended.

rtoris288 ( 2014-12-01 15:07:33 -0600 )

I've tried the following:

sudo ssldump -a -A -H -i lo
openssl s_client -connect 127.0.0.1:9090

Nothing but connected(00003). No handshake, no ciphers... which means the server on port 9090 does not respond. I checked the same certificates with a complete SSL nginx server setup and it works.

CalisM ( 2014-12-01 16:40:40 -0600 )

1 Answer


answered 2014-12-03 12:09:40 -0600

CalisM

I figured out a solution for working with self-signed certificates. For those running into the same problem just open the URL:PORT of your secure websocket-server in the browser like:

https://127.0.0.1:9090

or from a remote machine:

https://10.3.10.199:9090

A security warning will appear, asking you to confirm or decline the self-signed certificate. Accept it and you're done.

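The trust decision discussed in this thread, reproduced offline with openssl as an added example (not code from the original posts). It repeats the question's three certificate steps and goes one step further by checking whether the certificate names the server IP; the `-subj` value, the optional subjectAltName file and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (constructed): the trust decision behind the aborted wss:// handshake.
SERVER_IP="192.168.2.199"   # rosbridge host from the question

# Build a self-signed certificate with the question's three openssl steps.
# $1 = output directory; $2 = "san" to also add a subjectAltName for the IP.
# Assumptions: CN set to the server IP, directory path without spaces.
make_cert() {
  d="$1"; extopt=""
  if [ "${2:-}" = "san" ]; then
    printf 'subjectAltName=IP:%s\n' "$SERVER_IP" > "$d/san.ext"
    extopt="-extfile $d/san.ext"
  fi
  openssl genrsa -out "$d/server_key.pem" 2048 2>/dev/null &&
  openssl req -new -key "$d/server_key.pem" -subj "/CN=$SERVER_IP" \
    -out "$d/server_csr.pem" &&
  openssl x509 -req -days 1825 -in "$d/server_csr.pem" \
    -signkey "$d/server_key.pem" $extopt -out "$d/server_cert.pem" 2>/dev/null
}

# Validation against the default trust store only, as for a client that
# holds no exception for this certificate.
trusted_by_default() { openssl verify "$1/server_cert.pem" >/dev/null 2>&1; }

# Validation once the certificate itself is an explicit trust anchor.
trusted_when_pinned() {
  openssl verify -CAfile "$1/server_cert.pem" "$1/server_cert.pem" >/dev/null 2>&1
}

# Does the certificate name the address used in wss://<ip>:9090 ?
matches_ip() {
  openssl x509 -in "$1/server_cert.pem" -noout -checkip "$SERVER_IP" |
    grep -q 'does match'
}

diagnose() {
  trusted_by_default "$1" && echo "default store: accepted" ||
    echo "default store: rejected (client aborts the handshake)"
  trusted_when_pinned "$1" && echo "explicit trust: accepted" ||
    echo "explicit trust: rejected"
  matches_ip "$1" && echo "IP match: yes" || echo "IP match: no"
}

work=$(mktemp -d) && make_cert "$work" san && diagnose "$work"
rm -rf "$work"
```

Called without `san`, `make_cert` yields a certificate with no subjectAltName, for which the IP check reports no match because `-checkip` only consults subjectAltName entries.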


Stats

Asked: 2014-12-01 10:28:46 -0600

Seen: 2,216 times

Last updated: Dec 03 '14