Closed
Bug 878715
Opened 12 years ago
Closed 12 years ago
After authentication with client certificate, the SSL context does not get transferred to websocket connections
Categories
(Core :: Networking: WebSockets, defect)
RESOLVED
WORKSFORME
People
(Reporter: muehlbauer.marc, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803
Steps to reproduce:
I set up a simple websocket/webserver (using twisted) that requires clients to authenticate with certificates (x509) running on port :443.
The certificates are self-signed for testing purposes.
After authentication with a valid certificate, the client is not able to establish a websocket (wss://) connection.
Actual results:
When retrieving the page for the first time, the client gets asked for a certificate to authenticate. If the certificate is valid, the page gets displayed.
If he then wants to establish a websocket connection from the same source, Firefox cannot do that. No information is sent to or received from the server.
It seems that the SSL context of the already happened authentication for the (main) page does not get transferred to subresources like websockets.
Hence, Firefox seems to block the attempt to open the connection because no authentication for that is present.
The connection is only possible if the cache for the active connections is deleted, a new attempt to open the socket is made and a new authentication dialog for certificates has come up.
Expected results:
The expected behaviour should be that Firefox uses the SSL authentication context for all subresources on that page after the authentication is successfully made for the page.
I did a small test with other subresources like images. After a small delay, subresources like images can be loaded silently in the background and successfully using the same authentication. However, websockets seem to behave differently.
Reporter
Comment 1 • 12 years ago
I slightly adjusted the source code of my webserver and found out that setting a session id for the ssl context works.
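import OpenSSL.SSL
import twisted.internet.ssl

# Server key and certificate presented to clients.
contextFactory = twisted.internet.ssl.DefaultOpenSSLContextFactory(
    'keys/server.key', 'keys/server.crt')
ctx = contextFactory.getContext()
# Require a client certificate (verifyCallback is not shown in this comment).
ctx.set_verify(
    OpenSSL.SSL.VERIFY_PEER | OpenSSL.SSL.VERIFY_CLIENT_ONCE,
    verifyCallback
)
## Since we have self-signed certs we have to explicitly
## tell the server to trust them.
ctx.load_verify_locations("keys/ca.crt")
# Set the session id context; current pyOpenSSL expects bytes here.
ctx.set_session_id(b"id")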
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME