6

I have a node.js https server using non-self-signed certificates. I believe they are from godaddy, not sure though. My employer only provided me with key and cert files.

Server:

    var fs = require('fs')
      , server = require('https').createServer({
          key: fs.readFileSync(__dirname + "/key.pem"),
          cert: fs.readFileSync(__dirname + "/cert.pem")
        })
      , WebSocketServer = require('ws').Server
      , webSocketServer = new WebSocketServer({
          server: server,
        })
      , port = 8080;

    server.listen(port, function(){
      console.log('Listening on ' + server.address().port)
    });

Client:

    var webSocket = new WebSocket('wss://my.website.com:8080');

This code works as expected on desktop Chrome, Safari, and Firefox. The client is able to connect to the secure websocket. However, trying it on iOS 9.3.1 Safari gives me the following error:

The operation couldn't be completed.(OSStatus error -9807.)

OSStatus showed me that this is caused by an invalid certificate chain. Unfortunately, here is where my knowledge of SSL begins to fade. After some additional googling, I tried multiple combinations of the following options accepted by https.createServer():

    secureProtocol: "SSLv3_method",
    rejectUnauthorized: false,
    ciphers: 'ECDHE-RSA-AES256-SHA:AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM',
    honorCipherOrder: true,
    requestCert: false

None of them have worked thus far. I have also seen the ca option (certificate authority) but not only do I not know where I would find this file, all examples online suggest that this is only used with self-signed certs?

Any help is greatly appreciated, thanks!

3
  • iOS 9 only accepts certificates signed with a SHA-256 hash. So, the problem most likely is with the cert file given to you by your employer. Ask them to generate a new certificate using SHA-256 instead of SHA-1 and serve the new certificate instead. Commented Apr 19, 2016 at 18:54
  • Checked the cert in chrome: *.website.com is under Go Daddy Secure Certificate Authority - G2 which is under Go Daddy Root Certificate Authority - G2. All three of these list SHA-256 with RSA Encryption under Issuer Name > Signature Algorithm and RSA Encryption under Public Key Info > Algorithm. I should also mention that this same cert is used for a completely separate rails server that serves the client code that then tries to connect to the websocket. The page loads fine, but the connection to the websocket fails. Commented Apr 19, 2016 at 19:27
  • Ok - I don't have any other suggestions other than to check out this similar question and answer and see if the suggestions there help at all: stackoverflow.com/questions/4014055/… From the other thread - make sure that you are connecting using the exact same host and domain that the cert is signed for (i.e. make sure the cert is signed for my.website.com, and not just website.com) Commented Apr 19, 2016 at 19:53

2 Answers

5

Somehow putting nginx in front of the node app seemed to fix the issue. I was able to get the following configuration working pretty quickly (taken from this tutorial):

    server {
        listen 443;
        server_name *.website.com;

        ssl on;
        ssl_certificate /etc/ssl/cert.pem;
        ssl_certificate_key /etc/ssl/key.pem;

        location / {
            proxy_pass https://pr.iv.ate.ip:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

Still a big ¯\_(ツ)_/¯ as to why it doesn't work with just node, but then again my knowledge of ssl (and sometimes server configuration in general) is still somewhat limited.


0

I have this issue, too. Node https + express + socket.io, my web page is working fine on desktop safari, but not on mobile safari.

After stop grabbing and trying, I found the problem is "certificate chain". https://stackoverflow.com/a/20444809/6939828

I'm using TWCA's SSL certification; after injecting "ca: chain.cer" into the options passed to https.createServer, the same page and the same code just work on mobile Safari. Hurray!
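An added example (not part of either answer or the asker's code): a name-based check of whether the certificates handed to `https.createServer` include the intermediate that links the leaf to a trusted root, which is the "certificate chain" gap the answer above describes. The sample entries are constructed from the names the asker read in Chrome; `describePem`, `bundledRootSubjects` and `checkServedChain` are hypothetical helper names, and the check compares subject/issuer names only, without verifying signatures.

```javascript
const tls = require('tls');
const { X509Certificate } = require('crypto');

// Split a PEM bundle into {subject, issuer} pairs, in file order.
function describePem(bundle) {
  const blocks = bundle.match(
    /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
  return blocks.map((pem) => {
    const c = new X509Certificate(pem);
    return { subject: c.subject, issuer: c.issuer };
  });
}

// Subjects of Node's bundled roots, standing in for a client trust store.
function bundledRootSubjects() {
  return new Set(tls.rootCertificates.map((pem) => new X509Certificate(pem).subject));
}

// Walk issuer links from the leaf (served[0]) using only what the server
// sends, until a trusted root's name is reached. Names only, no signatures.
function checkServedChain(served, trustedRoots) {
  const path = [];
  let current = served[0];
  for (let hops = 0; current && hops <= served.length; hops++) {
    path.push(current.subject);
    if (trustedRoots.has(current.issuer) || trustedRoots.has(current.subject)) {
      return { ok: true, path, missing: null };
    }
    const issuer = current.issuer;
    const next = served.find((c) => c !== current && c.subject === issuer);
    if (!next) return { ok: false, path, missing: issuer };
    current = next;
  }
  return { ok: false, path, missing: null }; // empty input or issuer loop
}

// Constructed sample: the names the asker read out of Chrome.
const LEAF = {
  subject: 'CN=*.website.com',
  issuer: 'CN=Go Daddy Secure Certificate Authority - G2',
};
const INTERMEDIATE = {
  subject: 'CN=Go Daddy Secure Certificate Authority - G2',
  issuer: 'CN=Go Daddy Root Certificate Authority - G2',
};
const ROOTS = new Set(['CN=Go Daddy Root Certificate Authority - G2']);

console.log(checkServedChain([LEAF], ROOTS));               // leaf only
console.log(checkServedChain([LEAF, INTERMEDIATE], ROOTS)); // leaf + intermediate
```

On real files, pass `describePem(fs.readFileSync('cert.pem', 'utf8'))` and `bundledRootSubjects()` instead of the constructed values. If an issuer is reported missing, append that intermediate's PEM after the leaf in the `cert` value, or supply it through `ca` as the answer above did.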
