warmcat / libwebsockets

canonical libwebsockets.org networking library

Home Page: https://libwebsockets.org


websocket closed right after being opened

Piero01 opened this issue · comments

Hello,

In the case where permessage-deflate and ssl are activated, the websocket is closed right after being opened and the following error is written in the log:

GOAWAY: last sid 0, error 0x00000009, string 'Framer error: 24 (HPACK_TRUNCAT'

It seems the problem has occurred since version v4.3.0-311-g24c37d1e (compiled with -DLWS_WITHOUT_EXTENSIONS=OFF).
To reproduce, modify the minimal-ws-server-pmd example to use ssl:

	info.port = 443;
	info.options = LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE
                     | LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;

and add

	info.ssl_cert_filepath
	info.ssl_private_key_filepath

If lws is the server, what's the client?

hpack is an h2 thing, as is GOAWAY. It seems the client doesn't like what we sent? You can use -DLWS_TLS_LOG_PLAINTEXT_TX=1 (and / or _RX=1) to see unencrypted packet contents even with SSL.

Everything is fine without pm-deflate enabled?

Thanks for the quick response.

The client is Edge or Brave (Chromium).
With Firefox it is OK, but it seems the request is made with HTTP/1.1.
If I disable either SSL or pmd-deflate it works, and with v4.3.0-310-g8eb89baf it is also OK.

This is the log of what the server sends before receiving the error.

[2024/05/28 11:37:16:8397] N: _lws_lc_tag: ++ [mux|4|default|h2_sid9(wsisrv|0|default)] (1)
[2024/05/28 11:37:16:8401] N: lws_ssl_capable_write: len 13
[2024/05/28 11:37:16:8402] N:
[2024/05/28 11:37:16:8402] N: 0000: 00 00 04 08 00 00 00 00 09 00 04 00 00 .............
[2024/05/28 11:37:16:8402] N:
[2024/05/28 11:37:16:8407] N: lws_ssl_capable_write: len 13
[2024/05/28 11:37:16:8408] N:
[2024/05/28 11:37:16:8408] N: 0000: 00 00 04 08 00 00 00 00 00 00 04 00 00 .............
[2024/05/28 11:37:16:8408] N:
[2024/05/28 11:37:16:8413] N: lws_ssl_capable_write: len 431
[2024/05/28 11:37:16:8414] N:
[2024/05/28 11:37:16:8414] N: 0000: 00 01 A6 01 04 00 00 00 09 00 07 3A 73 74 61 74 ...........:stat
[2024/05/28 11:37:16:8415] N: 0010: 75 73 03 32 30 30 00 17 63 6F 6E 74 65 6E 74 2D us.200..content-
[2024/05/28 11:37:16:8415] N: 0020: 73 65 63 75 72 69 74 79 2D 70 6F 6C 69 63 79 7F security-policy.
[2024/05/28 11:37:16:8415] N: 0030: 3A 64 65 66 61 75 6C 74 2D 73 72 63 20 27 6E 6F :default-src 'no
[2024/05/28 11:37:16:8416] N: 0040: 6E 65 27 3B 20 69 6D 67 2D 73 72 63 20 27 73 65 ne'; img-src 'se
[2024/05/28 11:37:16:8416] N: 0050: 6C 66 27 20 64 61 74 61 3A 20 3B 20 73 63 72 69 lf' data: ; scri
[2024/05/28 11:37:16:8417] N: 0060: 70 74 2D 73 72 63 20 27 73 65 6C 66 27 3B 20 66 pt-src 'self'; f
[2024/05/28 11:37:16:8417] N: 0070: 6F 6E 74 2D 73 72 63 20 27 73 65 6C 66 27 3B 20 ont-src 'self';
[2024/05/28 11:37:16:8417] N: 0080: 73 74 79 6C 65 2D 73 72 63 20 27 73 65 6C 66 27 style-src 'self'
[2024/05/28 11:37:16:8418] N: 0090: 3B 20 63 6F 6E 6E 65 63 74 2D 73 72 63 20 27 73 ; connect-src 's
[2024/05/28 11:37:16:8418] N: 00A0: 65 6C 66 27 20 77 73 3A 20 77 73 73 3A 3B 20 66 elf' ws: wss:; f
[2024/05/28 11:37:16:8419] N: 00B0: 72 61 6D 65 2D 61 6E 63 65 73 74 6F 72 73 20 27 rame-ancestors '
[2024/05/28 11:37:16:8420] N: 00C0: 6E 6F 6E 65 27 3B 20 62 61 73 65 2D 75 72 69 20 none'; base-uri
[2024/05/28 11:37:16:8420] N: 00D0: 27 6E 6F 6E 65 27 3B 66 6F 72 6D 2D 61 63 74 69 'none';form-acti
[2024/05/28 11:37:16:8420] N: 00E0: 6F 6E 20 27 73 65 6C 66 27 3B 00 16 78 2D 63 6F on 'self';..x-co
[2024/05/28 11:37:16:8421] N: 00F0: 6E 74 65 6E 74 2D 74 79 70 65 2D 6F 70 74 69 6F ntent-type-optio
[2024/05/28 11:37:16:8421] N: 0100: 6E 73 07 6E 6F 73 6E 69 66 66 00 10 78 2D 78 73 ns.nosniff..x-xs
[2024/05/28 11:37:16:8421] N: 0110: 73 2D 70 72 6F 74 65 63 74 69 6F 6E 0D 31 3B 20 s-protection.1;
[2024/05/28 11:37:16:8422] N: 0120: 6D 6F 64 65 3D 62 6C 6F 63 6B 00 0F 78 2D 66 72 mode=block..x-fr
[2024/05/28 11:37:16:8422] N: 0130: 61 6D 65 2D 6F 70 74 69 6F 6E 73 04 64 65 6E 79 ame-options.deny
[2024/05/28 11:37:16:8422] N: 0140: 00 0F 72 65 66 65 72 72 65 72 2D 70 6F 6C 69 63 ..referrer-polic
[2024/05/28 11:37:16:8423] N: 0150: 79 0B 6E 6F 2D 72 65 66 65 72 72 65 72 00 16 73 y.no-referrer..s
[2024/05/28 11:37:16:8423] N: 0160: 65 63 2D 77 65 62 73 6F 63 6B 65 74 2D 70 72 6F ec-websocket-pro
[2024/05/28 11:37:16:8423] N: 0170: 74 6F 63 6F 6C 0B 6C 77 73 2D 6D 69 6E 69 6D 61 tocol.lws-minima
[2024/05/28 11:37:16:8424] N: 0180: 6C 0D 0A 53 65 63 2D 57 65 62 53 6F 63 6B 65 74 l..Sec-WebSocket
[2024/05/28 11:37:16:8424] N: 0190: 2D 45 78 74 65 6E 73 69 6F 6E 73 3A 20 70 65 72 -Extensions: per
[2024/05/28 11:37:16:8425] N: 01A0: 6D 65 73 73 61 67 65 2D 64 65 66 6C 61 74 65 message-deflate
[2024/05/28 11:37:16:8425] N:
[2024/05/28 11:37:16:8512] N: lws_ssl_capable_read: len 58
[2024/05/28 11:37:16:8513] N:
[2024/05/28 11:37:16:8513] N: 0000: 00 00 31 07 00 00 00 00 00 00 00 00 00 00 00 00 ..1.............
[2024/05/28 11:37:16:8514] N: 0010: 09 46 72 61 6D 65 72 20 65 72 72 6F 72 3A 20 32 .Framer error: 2
[2024/05/28 11:37:16:8514] N: 0020: 34 20 28 48 50 41 43 4B 5F 54 52 55 4E 43 41 54 4 (HPACK_TRUNCAT
[2024/05/28 11:37:16:8514] N: 0030: 45 44 5F 42 4C 4F 43 4B 29 2E ED_BLOCK).
[2024/05/28 11:37:16:8515] N:
[2024/05/28 11:37:16:8515] N: GOAWAY: last sid 0, error 0x00000009, string 'Framer error: 24 (HPACK_TRUNCAT'

Does it affect it if you remove LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE (to shorten the headers)?

Disabling tls is the same as disabling h2.

Chrome seems to work fine, in h2 and ws-over-h2 with https://libwebsockets.org/testserver which is recent lws

I confirm https://libwebsockets.org/testserver is working but lws version is 4.3.0-298-ga62c3a112 and the problem was introduced by version v4.3.0-311-g24c37d1e

Still the same problem without LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE

[2024/05/28 11:50:33:8125] N:
[2024/05/28 11:50:33:8125] N: 0000: 00 00 04 08 00 00 00 00 09 00 04 00 00 .............
[2024/05/28 11:50:33:8125] N:
[2024/05/28 11:50:33:8131] N: lws_ssl_capable_write: len 13
[2024/05/28 11:50:33:8131] N:
[2024/05/28 11:50:33:8132] N: 0000: 00 00 04 08 00 00 00 00 00 00 04 00 00 .............
[2024/05/28 11:50:33:8132] N:
[2024/05/28 11:50:33:8136] N: lws_ssl_capable_write: len 104
[2024/05/28 11:50:33:8136] N:
[2024/05/28 11:50:33:8137] N: 0000: 00 00 5F 01 04 00 00 00 09 00 07 3A 73 74 61 74 .._........:stat
[2024/05/28 11:50:33:8137] N: 0010: 75 73 03 32 30 30 00 16 73 65 63 2D 77 65 62 73 us.200..sec-webs
[2024/05/28 11:50:33:8137] N: 0020: 6F 63 6B 65 74 2D 70 72 6F 74 6F 63 6F 6C 0B 6C ocket-protocol.l
[2024/05/28 11:50:33:8138] N: 0030: 77 73 2D 6D 69 6E 69 6D 61 6C 0D 0A 53 65 63 2D ws-minimal..Sec-
[2024/05/28 11:50:33:8138] N: 0040: 57 65 62 53 6F 63 6B 65 74 2D 45 78 74 65 6E 73 WebSocket-Extens
[2024/05/28 11:50:33:8138] N: 0050: 69 6F 6E 73 3A 20 70 65 72 6D 65 73 73 61 67 65 ions: permessage
[2024/05/28 11:50:33:8139] N: 0060: 2D 64 65 66 6C 61 74 65 -deflate
[2024/05/28 11:50:33:8139] N:
[2024/05/28 11:50:33:8243] N: lws_ssl_capable_read: len 58
[2024/05/28 11:50:33:8244] N:
[2024/05/28 11:50:33:8244] N: 0000: 00 00 31 07 00 00 00 00 00 00 00 00 00 00 00 00 ..1.............
[2024/05/28 11:50:33:8245] N: 0010: 09 46 72 61 6D 65 72 20 65 72 72 6F 72 3A 20 32 .Framer error: 2
[2024/05/28 11:50:33:8245] N: 0020: 34 20 28 48 50 41 43 4B 5F 54 52 55 4E 43 41 54 4 (HPACK_TRUNCAT
[2024/05/28 11:50:33:8245] N: 0030: 45 44 5F 42 4C 4F 43 4B 29 2E ED_BLOCK).
[2024/05/28 11:50:33:8246] N:

It's literally caused by 24c37d1? What happens if you revert that patch?

It is working if I revert the patch but the "Sec-WebSocket-Extensions: permessage-deflate" is not sent by the server

[2024/05/28 14:52:13:5954] N:
[2024/05/28 14:52:13:5955] N: 0000: 00 00 31 01 04 00 00 00 09 00 07 3A 73 74 61 74 ..1........:stat
[2024/05/28 14:52:13:5956] N: 0010: 75 73 03 32 30 30 00 16 73 65 63 2D 77 65 62 73 us.200..sec-webs
[2024/05/28 14:52:13:5957] N: 0020: 6F 63 6B 65 74 2D 70 72 6F 74 6F 63 6F 6C 0B 6C ocket-protocol.l
[2024/05/28 14:52:13:5958] N: 0030: 77 73 2D 6D 69 6E 69 6D 61 6C ws-minimal
[2024/05/28 14:52:13:5959] N:

Shouldn't it be "sec-websocket-extensions" in lower case in h2?

Yes it should be lower case for h2...

diff --git a/lib/roles/ws/server-ws.c b/lib/roles/ws/server-ws.c
index 53559c6e..b2005109 100644
--- a/lib/roles/ws/server-ws.c
+++ b/lib/roles/ws/server-ws.c
@@ -176,7 +176,7 @@ lws_extension_server_handshake(struct lws *wsi, char **p, int budget)
                                *(*p)++ = ',';
                        else
                                LWS_CPYAPP(*p,
-                                         "\x0d\x0aSec-WebSocket-Extensions: ");
+                                         "\x0d\x0asec-websocket-extensions: ");
                        *p += lws_snprintf(*p, lws_ptr_diff_size_t(end, *p), "%s", ext_name);
 
                        /*
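
Review bot: On the `+` line the literal still opens with `\x0d\x0a` and closes with `: `, so LWS_CPYAPP keeps appending an h1-style text line and only the case of the name changes. On an h2 stream that text lands inside the HEADERS payload after the length-prefixed `lws-minimal` value, where the peer parses it as further HPACK representations, which matches the HPACK_TRUNCATED_BLOCK GOAWAY in the logs. Suggest branching on the connection type at this point: keep the CRLF text form for h1 only, and for h2 add `sec-websocket-extensions` through the h2 header encoder so the name and value are each length-prefixed. The `lws_snprintf` of `ext_name` on the following context line has the same h1-only assumption and would need to move with it.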

should be enough to try it.

Oh well.... no actually that can only work for h1... it needs redoing.
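
Added example, not part of the thread and not libwebsockets or Chromium code: a minimal HPACK block walker (the names `hp_take` and `hpack_walk` are made up here) run over the HEADERS payload from the 11:50:33 dump, showing why a CRLF text line inside an h2 header block ends as a truncated block. It only tracks representation boundaries and lengths; it does not decode Huffman strings or keep a dynamic table, and the `fixed` block is constructed for comparison.

```c
#include <stddef.h>
#include <stdio.h>

/* HEADERS payload from the thread's 11:50:33 dump: two HPACK literals, then CRLF + h1 text. */
#define HDRS "\x00\x07" ":status" "\x03" "200" \
	     "\x00\x16" "sec-websocket-protocol" "\x0b" "lws-minimal"
const unsigned char sent[] = HDRS "\x0d\x0a" "Sec-WebSocket-Extensions: permessage-deflate";
/* Constructed for comparison: the same header as a third HPACK literal. */
const unsigned char fixed[] = HDRS "\x00\x18" "sec-websocket-extensions" "\x12" "permessage-deflate";

/* Decode an n-bit-prefix HPACK integer (RFC 7541 5.1); if str, use it as a string
 * length (5.2) and skip that many octets. Returns -1 if the block ends first. */
static long hp_take(const unsigned char *b, size_t len, size_t *pos, int n, int str)
{
	unsigned long max = (1ul << n) - 1, v, shift = 0;
	if (*pos >= len) return -1;
	if ((v = b[(*pos)++] & max) == max)
		do {
			if (*pos >= len || shift > 21) return -1;
			v += (unsigned long)(b[*pos] & 0x7f) << shift;
			shift += 7;
		} while (b[(*pos)++] & 0x80);
	if (str && v > len - *pos) return -1;
	if (str) *pos += v;
	return (long)v;
}

/* Field count, or -1 if truncated; on -1, *fail is the offset of the unfinished field. */
int hpack_walk(const unsigned char *b, size_t len, size_t *fail)
{
	size_t pos = 0;
	int fields = 0, strs;
	while (pos < len) {
		unsigned char c = b[*fail = pos];
		long idx = hp_take(b, len, &pos, (c & 0x80) ? 7 : (c & 0x40) ? 6 : (c & 0x20) ? 5 : 4, 0);
		if (idx < 0) return -1;
		strs = ((c & 0x80) || (c & 0xe0) == 0x20) ? 0 : idx ? 1 : 2; /* literal: [name,] value */
		while (strs--)
			if (hp_take(b, len, &pos, 7, 1) < 0) return -1;
		fields += (c & 0xe0) != 0x20;	/* a table-size update is not a field */
	}
	return fields;
}

int main(void)
{
	size_t at = 0;
	int n = hpack_walk(sent, sizeof(sent) - 1, &at);
	return printf("as sent: %d, stuck at block offset %zu\n", n, at) < 0;
}
```

The walker reads `0D` as a literal with an indexed name and `0A` as a 10-octet value length, then stalls at block offset 61 (frame offset 0x46, the `k` of `Sec-WebSocket`), where the next length byte asks for more octets than the block has left.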