xpra icon
Bug tracker and wiki

Opened 7 months ago

Closed 4 months ago

Last modified 2 months ago

#1504 closed defect (fixed)

delay SSL socket wrapping

Reported by: Antoine Martin Owned by: J. Max Mena
Priority: critical Milestone: 2.2
Component: server Version: trunk
Keywords: Cc:

Description

This would allow us to peek at the packet data and decide how to handle the client connection better, partially solving ticket:1213#comment:5.

We would then know if we're dealing with a browser / websocket request or with a plain SSL + TCP client connection.

The ssl=MODE option could then be used for bind-ssl sockets.

The difficulty with this is to ensure that we always eventually wrap the socket with an SSL layer if the user selected bind-ssl and not allow plain TCP / HTTP.

Attachments (2)

ssl-late-wrap.patch (24.8 KB) - added by Antoine Martin 4 months ago.
work in progress patch - also adds bind-ws and bind-wss options
ssl-late-wrap-v2.patch (39.3 KB) - added by Antoine Martin 4 months ago.
better patch - works in almost all cases (just not wss connect to upgradable tcp)

Download all attachments as: .zip

Change History (7)

comment:1 Changed 5 months ago by Antoine Martin

Priority: majorcritical
Status: newassigned

Having to choose which client protocols will be able to handle SSL is annoying. Raising.

Changed 4 months ago by Antoine Martin

Attachment: ssl-late-wrap.patch added

work in progress patch - also adds bind-ws and bind-wss options

Changed 4 months ago by Antoine Martin

Attachment: ssl-late-wrap-v2.patch added

better patch - works in almost all cases (just not wss connect to upgradable tcp)

comment:2 Changed 4 months ago by Antoine Martin

Merged in r16599. Starting a server with:

xpra start --ssl=auto --ssl-cert=self.pem -d network,http \
    --html=on
    --bind-tcp=0.0.0.0:10000 \
    --bind-ssl=0.0.0.0:10001 \
    --bind-ws=0.0.0.0:10002 \
    --bind-wss=0.0.0.0:10003

Then connecting to each port with all the possible connection strings (ie: tcp:localhost:10000, ssl:localhost:10001, ...)

  • OK means the connection succeeded
  • ERROR OK means the connection failed, as expected (wrong protocol)
Target Server Port
Client Connection TCP SSL WS WSS
TCP OK ERROR OK ERROR OK ERROR OK
SSL OK (upgraded) OK ERROR OK ERROR OK
WS OK (upgraded) ERROR OK OK ERROR OK
WSS error: upgraded to SSL but not http / websocket error: not upgraded to http / websocket OK (upgraded) OK

With html=off, it becomes impossible to connect to TCP sockets using WS.
With ssl=www, it becomes possible to connect to SSL ports using WSS.
With ssl=www and html=on, it becomes possible to connect to TCP sockets using WSS. (socket is upgraded to SSL and then websockets)

The problem with WSS connections not being upgraded to http / websocket is that the socket peek data we get before wrapping the socket with SSL doesn't have any distinguishable HTTP header data in it. (and we still cannot peak at SSL sockets - silly python API limitation)

Maybe we could workaround that: read from the ssl socket before constructing the protocol object, inspect it then wrap it and re-inject the data. (would mean wrapping the whole ssl socket object since we can't override socket.recv)
It might be easier to modify websockify's recv_frames (re-submit the split-out patches and check for method support at runtime), or just override that method completely.

Last edited 4 months ago by Antoine Martin (previous) (diff)

comment:3 Changed 4 months ago by Antoine Martin

Owner: changed from Antoine Martin to J. Max Mena
Status: assignednew

Helped by the information from Subclassing and built-in methods in Python, r16607 overrides the recv socket method to inject peek support. This allows us to detect HTTP headers in SSL packets, which means that the two error cases from comment:2 are now fixed:

  • we can connect using WSS to plain TCP sockets: they get upgraded twice, first to SSL then to websocket
  • we can connect using WSS to SSL sockets: they get upgraded to websocket

There is a small cost associated with the extra socket.recv call we intercept, but since this is on an IO function I don't think this matters.

@maxmylin: something to be aware of, feel free to just close.

comment:4 Changed 4 months ago by J. Max Mena

Resolution: fixed
Status: newclosed

Noted and closing.

(btw it's maxmylyn with two ys. Not sure what my dad was thinking but he sure did come up with a creative spelling.)

comment:5 Changed 2 months ago by Antoine Martin

See also #1636.

Note: See TracTickets for help on using tickets.