In version 4.0.0, when the certificate trust is validated with the entire URL, it fails with the following reason:
Error Domain=NSOSStatusErrorDomain Code=-67602 "“*.<redacted>.io” certificate name does not match input" UserInfo={NSLocalizedDescription=“*.<redacted>.io” certificate name does not match input, NSUnderlyingError=0x600002698f60 {Error Domain=NSOSStatusErrorDomain Code=-67602 "Certificate 0 “*.sensiapi.io” has errors: SSL hostname does not match name(s) in certificate;" UserInfo={NSLocalizedDescription=Certificate 0 “*.<redacted>.io” has errors: SSL hostname does not match name(s) in certificate;}}}
However, validation with just the host is successful.
Could this be related to having connect params appended to the URL, for example, when appended by https://github.com/socketio/socket.io-client-swift
+1
This fixes for me also the following issue:
[BoringSSL] boringssl_context_handle_fatal_alert(1872) [C71.1:1][0x7f9456801f00] write alert, level: fatal, description: certificate unknown
[BoringSSL] boringssl_context_error_print(1862) boringssl ctx 0x60000087c4e0: 140275040177352:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/handshake.cc:369:
[BoringSSL] boringssl_session_handshake_error_print(111) [C71.1:1][0x7f9456801f00] 140275040177352:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/handshake.cc:369:
[BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(726) [C71.1:1][0x7f9456801f00] handshake failed at state 12288
Hey guys, i'm getting accept header doesn't match errors now. Before i start doing a deep dive into this RFC, any clues why after upgrading i'm getting this validation failure? Perhaps it was a long standing configuration issue that is just exposed now? I'm not even sure which layer to debug, would this nginx/lb configuration error?
I'm going to start investigating now, but if you have any hints let me know.
public func validate(headers: [String: String], key: String) -> Error? {
if let acceptKey = headers[HTTPWSHeader.acceptName] {
let sha = "\(key)258EAFA5-E914-47DA-95CA-C5AB0DC85B11".sha1Base64()
if sha != acceptKey {
return WSError(type: .securityError, message: "accept header doesn't match", code: SecurityErrorCode.acceptFailed.rawValue)
}
}
return nil
}
Oh wow, figured it out. Looks like socket.connect() was being called twice (user error), creating a race condition causing key mismatch on the instance.
I have two AWS tokens that I'm trying to pass to our server when connecting, but I keep getting errors;
2020-01-09 14:23:07.730431+0000 teckro[50896:1386042] [BoringSSL] boringssl_context_handle_fatal_alert(1872) [C2.1:1][0x7fe07743ef00] write alert, level: fatal, description: certificate unknown
2020-01-09 14:23:07.730807+0000 teckro[50896:1386042] [BoringSSL] boringssl_context_error_print(1862) boringssl ctx 0x6000024d59d0: 140602052398248:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/handshake.cc:369:
2020-01-09 14:23:07.733026+0000 teckro[50896:1386042] [BoringSSL] boringssl_session_handshake_error_print(111) [C2.1:1][0x7fe07743ef00] 140602052398248:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/boringssl-283.60.3/ssl/handshake.cc:369:
2020-01-09 14:23:07.733228+0000 teckro[50896:1386042] [BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(726) [C2.1:1][0x7fe07743ef00] handshake failed at state 12288
websocket encountered an error: The operation couldn’t be completed. (Network.NWError error 2.)
func connectSocket() {
var request = URLRequest(url: URL(string: webSocketURL)!)
request.addValue(NetworkManager.shared.accessToken, forHTTPHeaderField: "AccessToken")
request.addValue(NetworkManager.shared.idToken, forHTTPHeaderField: "IdToken")
socket = WebSocket(request: request)
socket?.delegate = self
socket?.connect()
}
The two tokens are from AWS Cognito, and do work fine when using them with HTTPS calls etc.
What am I missing?
Thanks
Jörgen
Xcode 11.3 on Catalina
Build target 12.4
@JorgenTeckro Did this error happen when using the fork mentioned in #721 ?
@patmalt I am just using Starscream via SPM from github.com/daltoniam/Starscream.git (currently 4.0.0 no branch specified).
@JorgenTeckro this issue is about a fix for that issue (including a pull request with the fix). Please try again with the mentioned fork (as the pull request is not merged yet).
@JorgenTeckro this issue is about a fix for that issue (including a pull request with the fix). Please try again with the mentioned fork (as the pull request is not merged yet).
@tfonfara How is that done with SPM? I have only just started using it.
@JorgenTeckro I'm not a SPM pro, but instead of this repo url use the one of the fork (https://github.com/emersonsoftware/Starscream) and instead of a version number I guess you could use .revision to specify the git commit
@JorgenTeckro I'm not a SPM pro, but instead of this repo url use the one of the fork (https://github.com/emersonsoftware/Starscream) and instead of a version number I guess you could use .revision to specify the git commit
@tfonfara Thanks. That solved it. I'm now connecting happily. There is a field in SPM where you can set the commit. Hopefully they will merge it in soon.
@tfonfara Hey, probably not the right place, but I have another question.
When my server timeout the socket connection, I don't seem to get any notification. There is no WebSocketEvent. It's the same with my own socket.
@JorgenTeckro Please open a different issue for what you are experiencing
Fixed in #721
Most helpful comment
Oh wow, figured it out. Looks like
socket.connect()was being called twice (user error), creating a race condition causing key mismatch on the instance.