Luminarys/synapse

sycli fails to connect over wss

markpash opened this issue · 7 comments

I've been unable to connect to a synapse instance with sycli over wss, whereas ws works fine. @Luminarys can you reproduce this?

If it means anything, receptor works fine.
Though if the synapse instance is listening on ws, then the CORS policy in Firefox prevents receptor from working. So I have the issue of not being able to use both. This is with current master.

Hmm, this seems unusual assuming your certificate etc. is correct.
A brief test on my end doesn't seem to indicate any issues. Is there anything special about how you're running things, e.g. proxying via nginx etc.?

Nothing special really. The synapse lies behind a NAT, the default port 8412 is forwarded to it directly with nothing in between. The domain that points to the server matches the cert name. Cert is valid. In Firefox I can visit https://domain.com:8412 and inspect a totally valid cert. Receptor connects perfectly fine to wss://domain.com:8412 but sycli -s wss://domain.com:8412 -p hackme list fails.

Is any specific error given by sycli?
If possible I'd recommend inserting some println's around here to see if you can track down in more detail what's going on.

Yeah I'll take a dive into the code and track down the issue. If this isn't reproducible then feel free to close the issue.

Turns out the error was on my part. Some checking with openssl confirmed a suspicion I had since the code for sycli and synapse RPC checked out. openssl was telling me that while it was receiving the certificate, and it was a valid one, the full chain wasn't being sent by synapse since I had given it the wrong file. The reason this was difficult to diagnose is due to Firefox fetching the chain for you when it doesn't receive it from the server, so Firefox allowed for receptor to connect and work fine.

Despite myself being to blame, perhaps there is a way to get a more detailed error out of the tungstenite connect function? Knowing that it is indeed a TLS error, and perhaps what kind of TLS error would have been helpful.

Thanks for taking the time to test it.

Cool, I'll leave this open until I add some better diagnostics, thanks.

Fixed.
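
The root cause found in this thread (a server handed a certificate file without its intermediate, which Firefox papers over but a strict client rejects) can be reproduced offline. The script below is an added example, not code from synapse, sycli or the thread's participants; the function names `make_demo_pki` and `chain_ok` are hypothetical, and every key and certificate is constructed throwaway material.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed throwaway material.

# make_demo_pki DIR: build root -> intermediate -> leaf in DIR, plus
# fullchain.pem (leaf + intermediate), the file a TLS server should be given.
make_demo_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -out "$n.csr" -subj "/CN=demo-$n" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 2 -out inter.pem 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -extfile leaf.ext -days 2 -out leaf.pem 2>/dev/null &&
    cat leaf.pem inter.pem > fullchain.pem
)

# chain_ok SERVER_PEM ROOT_PEM: succeed only if a client trusting ROOT_PEM can
# build a path from the first certificate in SERVER_PEM using nothing but the
# certificates in that same file (no fetching of missing intermediates).
chain_ok() {
    openssl x509 -in "$1" |
        openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}

# Compare the misconfiguration (leaf only) with the corrected file.
d=$(mktemp -d) && make_demo_pki "$d" || exit 1
for f in leaf.pem fullchain.pem; do
    if chain_ok "$d/$f" "$d/root.pem"; then r=complete; else r=INCOMPLETE; fi
    echo "$f: $(grep -c 'BEGIN CERTIFICATE' "$d/$f") cert(s), chain $r"
done
```

Against a running server, `openssl s_client -connect host:port -showcerts` lists the certificates actually sent in the handshake, which is the view a non-browser client gets.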