Configuring Secure Websockets with Tomcat - HTTPS fails with Chrome but works with Firefox

I’m working with apache and tomcat server in ubuntu server with a web app made of web pages and websockets.
Web pages are served from Apache HTTPD and tomcat serves websockets. Both use the same L.E. SSL certificate.
Apache well works with HTTPS but I found a problem with websockets.

If I use Chrome the websocket secure connection fails with this log:
WebSocket connection to 'wss://my.website.com:8443/pv' failed: WebSocket opening handshake was canceled
this log is produced in this code line:
new WebSocket(myWsUrl);
I have no further logs,

If I use Chrome switching to http and non-secure webservice connection (ws://), it works!
If I use Firefox, it works perfectly with both secure (wss://) and not secure (wss://)!

Can you tell me why Chrome complains about this secure connection?

Could you please mention the actual domain instead of “my.website.com”?

If the site is “offline” or you are just overly paranoid (but then you probably shouldn’t have your server on the Internet), you could try showing the output of:
openssl s_client -connect my.website.com:8443 -servername my.website.com

My domain is demo.cinebot.it the websockets starts after login so you can only see the certificate provided by Tomcat from this url:
https://demo.cinebot.it:8443/ as HTTPS not as WSS, but the certificate is the same.

Seems like you don’t offer the certificate chain, just the leaf certificate. Try to point your Apache to fullchain.pem or include the Lets Encrypt intermediate in your certificate.

I confirm that tomcat was using only cert.pem and not the full chain. I changed my server.xml configuration adding SSLCertificateChainFile with chain.pem file.
Now this is the output of openssl command:

CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=demo.cinebot.it
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDzCCA/egAwIBAgISA1MvRi8iL6l4Eo2Pw+P1Jw/qMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA5MjAwMzMwMDBaFw0x
NzEyMTkwMzMwMDBaMBoxGDAWBgNVBAMTD2RlbW8uY2luZWJvdC5pdDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALvFecKXn97u05/4NpLdm9Tk8E5KF/Wa
tXIXOcDKammtjLRy+fiN535szlVuOowOQDvCTrqWOsgFEo/p8oKUeFvwa46SRNY3
wfVtskD+ytGg9dw5WAAFp9ILYHT4IKN8RgK/ni23r9m9pjC5XVQ4p0E0ji3nf8RZ
LgITUzKhq0k6OqiIkeS/dJyYjRXae97FFWSZL7z/Phs7U/tZN99QxZfBmBreTOlG
3G4xB6krfkm0UE4E0meTXWRnmf+1Z0sN1+9cgJbw0PctXjXZd8RNB8mM/oZEsB2M
oCB04u8CE0S0MlMZvvSMGVVRuG68+eMTcflQDygtTDD+DzEd7o/gsZsCAwEAAaOC
Ah0wggIZMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUXsQLNEGegyjv/6OjSf3QZI7v
GI8wHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnLzAoBgNVHREEITAfgg9kZW1vLmNpbmVib3QuaXSCDGRlbW8ubWRzLnNybDCB
/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYB
BQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCB
ngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkg
UmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUg
Q2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQu
b3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAPgOy3qJ9sgQ2tqMnH
O/8XPMEMSq6HK7ABHajunQar4Fe5AAImx7J+D1zwvo8r4jXb5fSmBwWfij2qUlEH
pDV4hUMOP4JRwvhmHrBnf7wi8RvFE1GhXU3H+2/PIa9qsHc4iUH0xft0o0yXEU5T
aQQWSqkVe+o6D5K16J0uHYYiwexugxY8ODqe2FlN1etn3dDh+cYxfcnIRfwmXAUZ
jaMLJsq3ZI8Vv7HeoaHXPrb30/3x0wbCyPn1JN9eIkeHLPClzBQsagchf6oNPl2V
Y0PDWd4S1UouGvyrprEYb1SiW0NFGX3r5d7kFerPkfxhFgK2q54HhjAnaKwNGCEs
P5O/
-----END CERTIFICATE-----
subject=/CN=demo.cinebot.it
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3209 bytes and written 467 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D04D2367E24D5E1CE3C3298D0935AB8A87D71F84E957B4C411DF5CEB7ED4BDC2
    Session-ID-ctx: 
    Master-Key: 5545400EFD2B469E1238230DA078CF076C8841C4F920CB6285AC42A6696144352E15679E62CB05E1F61CDE17EA164A6C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 73 f6 d1 d8 ae 33 3c 58-19 87 c5 a1 c6 63 1b bb   s....3<X.....c..
    0010 - eb bb 49 8b d9 b2 7b 29-25 63 9b 44 0d 59 d8 d8   ..I...{)%c.D.Y..
    0020 - 9f 7c a6 aa b3 3d 28 1e-de 6e b6 ce bf 53 e4 23   .|...=(..n...S.#
    0030 - 45 f3 b9 ad 06 8b e3 1b-32 d9 60 87 26 dc 5d f6   E.......2.`.&.].
    0040 - 68 6c 99 3c a4 4c eb 41-de b6 7b 10 ab d0 6a f7   hl.<.L.A..{...j.
    0050 - 5a 22 4b 34 79 6c 10 d0-41 ad 3c 37 f1 5d 87 5a   Z"K4yl..A.<7.].Z
    0060 - ae ba 1b 99 12 ad 7a 3c-70 d6 43 97 5d 1c 24 64   ......z<p.C.].$d
    0070 - f9 8a 9e 60 66 c8 b7 e4-43 8d cd 52 6d 68 f3 5e   ...`f...C..Rmh.^
    0080 - 30 dc 11 83 91 94 3f a8-a6 5f 57 1f 7b 78 45 00   0.....?.._W.{xE.
    0090 - fb 2c ed ee 8d 98 10 01-0b b2 b5 1e 0f ba 35 b9   .,............5.
    00a0 - 15 52 3e 26 ee ce cc eb-1f 8e 56 b4 05 45 e5 00   .R>&......V..E..
    00b0 - 15 72 92 4a 4f ed 90 bc-f8 2a 01 e7 b0 d9 a4 21   .r.JO....*.....!

    Start Time: 1509030652
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Issue is still here with Chrome.

Not sure if it is part of the problem, but I found these lines to be of Interest:

1. Server Temp Key: DH, 1024 bits

Using 1024 bits is considered insecure. Increase DH prime size or remove DHE ciphers.

2. Client Certificate Types: RSA sign, DSA sign, ECDSA sign
   Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1

DSA… was this implemented properly?
And why is ECDHE last by order?

How could you find this details?
Unfortunartely I cannot understand what your talking about, but this is my tomcat configuration:

<Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/etc/certs/cert.pem"
           SSLCertificateChainFile="/etc/certs/chain.pem"
           SSLCertificateKeyFile="/etc/certs/privkey.pem"
           SSLVerifyClient="optional"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />

Is your remark related to tomcat configuration?

Yes, it seem to missing:
SSLHonorCipherOrder
SSLCipherSuite
But I’m not sure about their proper syntax for Tomcat.
Maybe a quick search can find those answers.
Try: https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

this has been discussed before

Andrei

I tried to add these entries coping their values from Apache configuration, but the problem is still here.

Please be clear about exactly what/where you have added and specific details about problem(s) experienced.

This is my new tomcat config:

    <Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/etc/cert/cert.pem"
	   SSLCertificateChainFile="/etc/cert/chain.pem"
           SSLCertificateKeyFile="/etc/cert/privkey.pem"
           SSLVerifyClient="optional"
	   SSLProtocol="all -SSLv2 -SSLv3"
     SSLDisableCompression="true"
	   SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
	   SSLHonorCipherOrder="true"

     />

The problem is the same of the main post, I have only this log from chrome:

WebSocket connection to 'wss://demo.cinebot.it:8443/' failed: WebSocket opening handshake was canceled

The same code works in Firefox.

I am not sure why you aren’t following the documents

i would suggest spending time going through and understanding why your approach is most likely not working

i think it’s more how you are coding/configuring

https://tomcat.apache.org/tomcat-8.0-doc/web-socket-howto.html

good luck

Andrei

As a test, try adding “:!DHE” to the SSLCipherSuite.

Andrei, this is not an application issue, this application already implements websockets, my issue is something related to L.E. certificate, maybe the container configuration and Chrome because if I switch to HTTP it works, if I use a self-signed certificate it works, if I use firefox it works.
By the way your example application uses WS and not secure WSS.

You may also want to disable compression (https://nvd.nist.gov/vuln/detail/CVE-2012-4929):

demo.cinebot.it.gzip.jpg623×525 68.6 KB

And perhaps since the sites requests a certificate, your system is failing because it is not providing any cert or maybe not providing an allowed cert. Ensure you have not checked the “Remember this decision” for a bad decision - LOL

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.