How should i configure web socket client in order to connect to a secure web socket server ?

Question

How should i configure web socket client in order to connect to a secure web socket server ?

1 Answer

Lukas Matyska · Answer 1 · 2023-02-13T08:55:42+0000

answered Feb 13, 2023 by Lukas Matyska (72.7k points)

To handle client certificate requests, please use the WebSocketClient.Settings.SslClientCertificateRequestHandler property.

It can look like this:

// initialize new web socket client instance
var client = new WebSocketClient();

// implement your own ICertificateRequestHandler or use one of predefined
client.Settings.SslClientCertificateRequestHandler =
                    CertificateRequestHandler.StoreSearch;

// connect to desired server
client.Connect("wss://example.com");

For more examples, please visit Client certificate authentication.

commented Feb 14, 2023 by chrisg (130 points)

commented Feb 14, 2023 by Lukas Matyska (72.7k points)

commented Feb 14, 2023 by chrisg (130 points)

commented Feb 14, 2023 by Lukas Matyska (72.7k points)

The PEM file can contain many things. It can contain certificate(s), private key(s), both of that or something else. Please, open your PEM file in a text editor and locate all lines starting with: -----BEGIN

After the BEGIN, you will see a label (labels are defined in https://www.rfc-editor.org/rfc/rfc7468#section-4). This way, you can see what your PEM file actually contains.

Now to your questions:
1) Certificate.LoadPfx() can be used only to load files in PFX format. For PEM format use LoadDer() or LoadDerWithKey().

2) If you have private key in a separate file, use the Certificate.LoadDerWithKey(certPem, keyPem, string.Empty). If the key does not have password, I suggest to specify string.Empty. It will work for both cases no-password and empty-password.

If you do not have the private key stored on disk, it is still possible to associate it with the loaded certificate using the Certificate.Associate(privateKey) method (for details see https://www.rebex.net/doc/api/Rebex.Security.Certificates.Certificate.Associate.html).

commented Feb 14, 2023 by chrisg (130 points)
edited Feb 14, 2023 by chrisg

Thanks for your answer,
Procceeding the way you advised , using the following code :
var path = Path.Combine(_locator.GetPlatformSpecificService().getFolder(), "signedCertificate.pem");
                // stream reading the file
                FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read);
                MemoryStream ms = new MemoryStream();
                fs.CopyTo(ms);
                //
                String signedCertificate = _secureStorageService.GetSignedCertificate().Result;
                byte[] byteArray = Encoding.ASCII.GetBytes(signedCertificate);
                MemoryStream keystream = new MemoryStream(byteArray);
                client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(Certificate.LoadDerWithKey(ms, keystream, null));

i get **Rebex.Security.Certificates.CertificateException:** 'Unexpected certificate format.'
How should I solve this issue?

** my pem certificate starts with
-----BEGIN CERTIFICATE-----
....AnKJAnsmIIsdKLJLEORImM......
-----END CERTIFICATE-----

commented Feb 14, 2023 by Lukas Matyska (72.7k points)

commented Feb 14, 2023 by chrisg (130 points)
edited Feb 14, 2023 by chrisg

Thanks again,
I ve updated my code as follows ,
String signedCertificate = _secureStorageService.GetSignedCertificate().Result;
                var privateKeyInfoRetrieved = _secureStorageService.getPrivateKeyInfo().Result;
                byte[] byteArray1 = Encoding.UTF8.GetBytes(privateKeyInfoRetrieved);
                byte[] byteArray = Encoding.UTF8.GetBytes(signedCertificate);
                var password = _secureStorageService.getPrivateKeyInfoPassword().Result;

                using (MemoryStream certstream = new MemoryStream(byteArray))
                {
                    using (MemoryStream keystream = new MemoryStream(byteArray1))
                    {
                        try
                        {
                            client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(Certificate.LoadDerWithKey(certstream, keystream, password));
                        }
                        catch (Exception ex)
                        {
                            System.Diagnostics.Debug.Write(ex.Message);
                        }
                    }
                }

my private key is :

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIGVMFEGCSqGSIb3DQEFDTBEMCMGCSqGSIb3DQEFDDAWBBDQ72PvQc0ploZDAL2L
unifAgIIADAdBglghkgBZQMEASoEELnlPGjG6qAwCzI00W88Z0YEQH54Agf3Gy7q
7DXnlKBmRnMLJyXaZoZZK99SfHK8xHUbBKVI09+rR/HLMb205qLkqr5SGD1iQN6X
dru/IcIf+Xk=
-----END ENCRYPTED PRIVATE KEY-----

and my pem certificate is as
-----BEGIN CERTIFICATE-----
....AnKJAnsmIIsdKLJLEORImM......
-----END CERTIFICATE-----

Finally I get an error when executing
                            client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(Certificate.LoadDerWithKey(certstream, keystream, password));

System.Security.Cryptography.CryptographicException
  Message=`MonoBtlsPkcs12.Import` failed.

As I observerd, https://stackoverflow.com/questions/72966449/unable-to-create-a-x509certificate2-from-raw-byte-array-in-xamarin-on-android-10, there seem to be a dependency issue with the different cryptography libraries used simultaneously in the project.
(We also use SshNet.Security.Cryptography related to renci software)
How could we overcome this issue ?

commented Feb 14, 2023 by Lukas Matyska (72.7k points)

commented Feb 15, 2023 by chrisg (130 points)

commented Feb 15, 2023 by Lukas Matyska (72.7k points)

commented Feb 16, 2023 by chrisg (130 points)

Followed your advice for the client connect function and set it up like
   await client.ConnectAsync("wss://" + _socketServerIp + ":" + port, CancellationToken.None);
After executing it logged some errors :
----websocket log----2023-02-16 08:16:58.046 Opening log file.
2023-02-16 08:16:58.051 INFO FileLogWriter(1)[11] Info: Assembly: Rebex.Common R6.10 for .NET Standard 2.1
2023-02-16 08:16:58.055 INFO FileLogWriter(1)[11] Info: Platform: Android (Unix 4.14.116.0) 64-bit ARM; CLR: Mono 6.12.0 (2020-02/a96bde9730e)
2023-02-16 08:16:58.056 DEBUG FileLogWriter(1)[11] Info: Culture: en; Windows-1252
2023-02-16 08:16:58.098 INFO WebSocketClient(1)[11] WebSocket: Connecting to 'wss://192.168.0.1:28441/'...
2023-02-16 08:16:58.099 INFO WebSocketClient(1)[11] Info: Assembly: Rebex.WebSocket R6.10 for .NET Standard 2.1
2023-02-16 08:16:58.099 INFO WebSocketClient(1)[11] Info: Platform: Android (Unix 4.14.116.0) 64-bit ARM; CLR: Mono 6.12.0 (2020-02/a96bde9730e)
2023-02-16 08:16:58.099 DEBUG WebSocketClient(1)[11] Info: Culture: en; Windows-1252
2023-02-16 08:16:58.136 INFO WebSocketClient(1)[93] HTTP: Connecting to 'https://192.168.0.1:28441'...
2023-02-16 08:16:58.170 DEBUG WebSocketClient(1)[93] Proxy: Connecting to 192.168.0.1:28441 (no proxy).
2023-02-16 08:16:58.281 DEBUG WebSocketClient(1)[93] Proxy: Connection established.
2023-02-16 08:16:58.373 DEBUG WebSocketClient(1)[93] TLS: Using classic TLS core.
2023-02-16 08:16:58.382 DEBUG WebSocketClient(1)[93] TLS: Enabled cipher suites: 0x000F3DF7EBE00640.
2023-02-16 08:16:58.387 DEBUG WebSocketClient(1)[93] TLS: Applicable cipher suites: 0x00003C002BE00640.
2023-02-16 08:16:58.399 VERBOSE WebSocketClient(1)[93] TLS: Sent TLS packet:
0000 |16-03-03-00-77-01-00-00 73-03-03-63-ED-CA-5A-B5| ....w...s..c..Z.
0010 |42-C3-0B-F5-03-02-FA-DC 8F-44-7F-53-70-B8-2C-FB| B........D.Sp.,.
0020 |5B-57-14-3F-BB-0B-81-A8 22-C9-5F-00-00-1E-00-9F| [W.?...."._.....
0030 |00-9E-00-6B-00-67-00-9D 00-9C-00-3D-00-3C-00-33| ...k.g.....=.<.3
0040 |00-39-00-2F-00-35-00-16 00-0A-00-FF-01-00-00-2C| .9./.5.........,
0050 |00-00-00-10-00-0E-00-00 0B-31-39-32-2E-31-36-38| .........192.168
0060 |2E-30-2E-31-00-0D-00-14 00-12-04-01-04-03-05-01| .0.1............
0070 |05-03-06-01-06-03-02-01 02-03-02-02            | ............
2023-02-16 08:16:58.400 DEBUG WebSocketClient(1)[93] TLS: HandshakeMessage:ClientHello was sent.
2023-02-16 08:16:58.617 VERBOSE WebSocketClient(1)[93] TLS: Received TLS packet:
0000 |15-03-03-00-02-02-46                           | ......F
2023-02-16 08:16:58.619 INFO WebSocketClient(1)[93] TLS: Fatal Alert:ProtocolVersion was received.
2023-02-16 08:16:58.627 DEBUG WebSocketClient(1)[93] TLS: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been reported by the remote connection end.
  at zbfys.kmzch.gcbov (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00085] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.xpfij (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00065] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000f2] in <92378deb221948dfa4cafbbc95220b36>:0
2023-02-16 08:16:58.632 ERROR WebSocketClient(1)[93] HTTP: Error while sending request: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been reported by the remote connection end. ---> Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been reported by the remote connection end.
  at zbfys.kmzch.gcbov (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00085] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.xpfij (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00065] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000f2] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.sbkup.cumxx () [0x00163] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.kknju () [0x00071] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.uwdop () [0x00056] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.pfonj () [0x00000] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.ovayl () [0x00006] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.Negotiate () [0x00014] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.eaxpd (Rebex.Net.ISocket p0, Rebex.Net.TlsCipher& p1) [0x00032] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.lzmdw () [0x0003e] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.jednq () [0x000c9] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.amhvz (System.Boolean p0) [0x000f5] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.iehix () [0x001b9] in <92378deb221948dfa4cafbbc95220b36>:0
2023-02-16 08:16:58.832 ERROR WebSocketClient(1)[93] WebSocket: Error occurred: Rebex.Net.WebSocketException: An error occurred while opening the WebSocket. ---> zbfys.hvzit: Fatal error 'ProtocolVersion' has been reported by the remote connection end. ---> Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been reported by the remote connection end. ---> Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been reported by the remote connection end.
  at zbfys.kmzch.gcbov (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00085] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.xpfij (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00065] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000f2] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.sbkup.cumxx () [0x00163] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.kknju () [0x00071] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.uwdop () [0x00056] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.pfonj () [0x00000] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.ovayl () [0x00006] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.Negotiate () [0x00014] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.eaxpd (Rebex.Net.ISocket p0, Rebex.Net.TlsCipher& p1) [0x00032] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.lzmdw () [0x0003e] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.jednq () [0x000c9] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.amhvz (System.Boolean p0) [0x000f5] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.iehix () [0x001b9] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.lmtsl.iehix () [0x0046a] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.vwomv+ooawi.qhosc () [0x00000] in <1385f88e458e4471a15609b64d8a7800>:0
  at System.Threading.Tasks.Task`1[TResult].InnerInvoke () [0x0000f] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corert/src/System.Private.CoreLib/src/System/Threading/Tasks/Future.cs:534
  at System.Threading.Tasks.Task.Execute () [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corert/src/System.Private.CoreLib/src/System/Threading/Tasks/Task.cs:2319
--- End of stack trace from previous location where exception was thrown ---

  at zbfys.vwomv.dbzip (System.Uri p0, zbfys.dwzou p1, Rebex.Net.ISocketFactory p2, Rebex.Net.WebSocketClientSettings p3, Rebex.Net.WebSocketClientOptions p4, Rebex.Net.TlsParameters p5, System.Threading.CancellationToken p6) [0x00380] in <1385f88e458e4471a15609b64d8a7800>:0
   --- End of inner exception stack trace ---
  at zbfys.vwomv.dbzip (System.Uri p0, zbfys.dwzou p1, Rebex.Net.ISocketFactory p2, Rebex.Net.WebSocketClientSettings p3, Rebex.Net.WebSocketClientOptions p4, Rebex.Net.TlsParameters p5, System.Threading.CancellationToken p6) [0x00399] in <1385f88e458e4471a15609b64d8a7800>:0
  at Rebex.Net.WebSocketClient.ConnectAsync (System.Uri uri, System.Threading.CancellationToken cancellationToken) [0x001f4] in <1385f88e458e4471a15609b64d8a7800>:0

Is this log enough to reveal the cause ?

commented Feb 16, 2023 by Lukas Matyska (72.7k points)

commented Feb 16, 2023 by chrisg (130 points)
edited Feb 16, 2023 by chrisg

TLS is enabled along with the following :

SSLv3
TLSv1
TLSv1.2
TLSv1.3
but when trying to connect I get
2023-02-16 12:12:47.326 DEBUG WebSocketClient(1)[27] TLS: HandshakeMessage:ClientHello was sent.
2023-02-16 12:12:47.752 VERBOSE WebSocketClient(1)[27] TLS: Received TLS packet:
0000 |15-03-03-00-02-02-46                           | ......F
2023-02-16 12:12:47.754 INFO WebSocketClient(1)[27] TLS: Fatal Alert:ProtocolVersion was received.
2023-02-16 12:12:47.761 DEBUG WebSocketClient(1)[27] TLS: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been reported by the remote connection end.
  at zbfys.kmzch.gcbov (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00085] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.xpfij (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00065] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000f2] in <92378deb221948dfa4cafbbc95220b36>:0
2023-02-16 12:12:47.766 ERROR WebSocketClient(1)[27] HTTP: Error while sending request: Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been reported by the remote connection end. ---> Rebex.Net.TlsException: Fatal error 'ProtocolVersion' has been reported by the remote connection end.

As for your sencond condition How can I detect server is able to use one of the cipher suites offered by our client ?
Keep in mind that our client is tested using cert and key pem files that were taken from websocket server

commented Feb 16, 2023 by Lukas Matyska (72.7k points)

commented Feb 20, 2023 by chrisg (130 points)

Unfortunatelly , trying test code is not possible right now. Nevertheless did some changes in server part and now I get
2023-02-20 12:31:21.389 DEBUG WebSocketClient(1)[4] TLS: HandshakeMessage:ClientHello was sent.
2023-02-20 12:31:21.595 VERBOSE WebSocketClient(1)[4] TLS: Received TLS packet:
0000 |15-03-03-00-02-02-28 | ......(
2023-02-20 12:31:21.596 INFO WebSocketClient(1)[4] TLS: Fatal Alert:HandshakeFailure was received.
2023-02-20 12:31:21.603 DEBUG WebSocketClient(1)[4] TLS: Rebex.Net.TlsException: Fatal error 'HandshakeFailure' has been reported by the remote connection end.

What could possible mean this error and how different could the cause be than of the previous "tls protocol version error" ?
Thanks again

commented Feb 21, 2023 by Lukas Matyska (72.7k points)

From the client side, I cannot tell you much. You have to look at the server logs.

I can only clarify you, what mean the raw bytes received by the client:
  15- Message is Alert
  03-03- Version is TLS 1.2
  00-02- Length of payload is 2B
  02- Alert severity is Fatal (critical error)
  28 - Reason is `HandshakeFailure`

That is all we can say from the client point of view. However, I guess that the issue is caused by one of two reasons:
1. the client and server does not have common cipher suites.
2. the server uses certificate with Elliptic Curve Cryptography (ECC). Because the client did not offered any elliptic cipher suite, the server can assume that the client will not be able to validate the certificate and closes the connection - or giving another point of view, server is not able to select any valid certificate with signature the client will understand.

You can try two solutions:
1. make sure that the server is able to provide an RSA certificate (instead of ECC certificate).
2. add support for ECC to the client - it can be done using plugins, please visit https://www.rebex.net/kb/simple-elliptic-curve-libraries/

commented Feb 23, 2023 by chrisg (130 points)
edited Feb 23, 2023 by chrisg

commented Feb 23, 2023 by Lukas Pokorny (147k points)

commented Feb 23, 2023 by chrisg (130 points)

commented Feb 23, 2023 by Lukas Pokorny (147k points)

commented Feb 23, 2023 by chrisg (130 points)
edited Feb 23, 2023 by chrisg

calling AsymmetricKeyAlgorithm.Register(castle.create) does not work, How could I set it ?
AsymmetricKeyAlgorithm.Register(EllipticCurveAlgorithm.Create);
is it correct?
When I set to the above Iagain get the error :
2023-02-23 12:56:36.262 DEBUG WebSocketClient(1)[35] Proxy: Connection established.
2023-02-23 12:56:36.343 DEBUG WebSocketClient(1)[35] TLS: Using classic TLS core.
2023-02-23 12:56:36.351 DEBUG WebSocketClient(1)[35] TLS: Enabled cipher suites: 0x000F3DF7EBE00640.
2023-02-23 12:56:36.436 DEBUG WebSocketClient(1)[35] TLS: Applicable cipher suites: 0x000F3DF7EBE00640.
2023-02-23 12:56:36.445 VERBOSE WebSocketClient(1)[35] TLS: Sent TLS packet:
0000 |16-03-03-00-AF-01-00-00 AB-03-03-63-F7-46-64-89| ...........c.Fd.
0010 |60-EE-4D-D8-B9-83-DA-90 FE-27-EA-D8-63-83-80-2C| `.M......'..c..,
0020 |6B-C3-4E-23-81-F3-56-41 66-F9-7B-00-00-3A-C0-23| k.N#..VAf.{..:.#
0030 |C0-24-C0-2B-C0-2C-C0-2F C0-30-C0-27-C0-28-C0-09| .$.+.,./.0.'.(..
0040 |C0-0A-C0-13-C0-14-00-9F 00-9E-00-6B-00-67-00-9D| ...........k.g..
0050 |00-9C-00-3D-00-3C-00-33 00-39-00-2F-00-35-C0-08| ...=.<.3.9./.5..
0060 |C0-12-00-16-00-0A-00-FF 01-00-00-48-00-00-00-10| ...........H....
0070 |00-0E-00-00-0B-31-39-32 2E-31-36-38-2E-30-2E-31| .....192.168.0.1
0080 |00-0A-00-0E-00-0C-00-17 00-18-00-19-00-1A-00-1B| ................
0090 |00-1C-00-0B-00-02-01-00 00-0D-00-14-00-12-04-01| ................
00A0 |04-03-05-01-05-03-06-01 06-03-02-01-02-03-02-02| ................
00B0 |00-17-00-00                                    | ....
2023-02-23 12:56:36.446 DEBUG WebSocketClient(1)[35] TLS: HandshakeMessage:ClientHello was sent.
2023-02-23 12:56:36.785 VERBOSE WebSocketClient(1)[35] TLS: Received TLS packet:
0000 |15-03-03-00-02-02-28                           | ......(
2023-02-23 12:56:36.787 INFO WebSocketClient(1)[35] TLS: Fatal Alert:HandshakeFailure was received.
2023-02-23 12:56:36.794 DEBUG WebSocketClient(1)[35] TLS: Rebex.Net.TlsException: Fatal error 'HandshakeFailure' has been reported by the remote connection end.
  at zbfys.kmzch.gcbov (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00085] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.xpfij (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00065] in <92378deb221948dfa4cafbbc95220b36>:0

commented Feb 23, 2023 by Lukas Pokorny (147k points)

Actually, the log shows that the plugin did work - note the difference in the "Applicable cipher suites" log entry and the increased size of ClientHello message due to additional ciphers listed. So while Lukas Matyska's guess was sensible, enabling additional ciphers apparently did not resolve the problem.

We could continue guessing for a long time - for example, this could be due to the server a) not actually accepting connections at an IP address, b) requiring TLS 1.3, c) The server requiring some yet-unsupported extensions to be enabled, d) using some kind of fingerprinting to only accept connections from whitelisted browsers.

However, I would instead recommend to consult the service provider and simply ask about the requirements the server imposes on clients. Then, we could easily tell whether it's possible to configure Rebex WebSocket client that way, and how to achieve that. Alternatively, the server operator could look into the log and tell you why the server rejected client's attempt to establish a session.

commented Mar 13, 2023 by anonymous

Hi Lukas,
i'm a colleagues from chrisg and was recently also debugging the websocket issue we are having.

The server responded with this:
[Error: 140704529921664:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2284:
] {
  library: 'SSL routines',
  function: 'tls_post_process_client_hello',
  reason: 'no shared cipher',
  code: 'ERR_SSL_NO_SHARED_CIPHER'
}

Available cipher suites on the current (rebex-)client:
        {0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x08} TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
        {0xC0, 0x12} TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        {0x00, 0x16} TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        {0x00, 0x0A} TLS_RSA_WITH_3DES_EDE_CBC_SHA
        {0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Available cipher suites on the server:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA256

Could it be, that just the names of the cipher are different? So that they do not match, even though they are the same:
e.g.
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (rebex)
        ECDHE-ECDSA-AES128-GCM-SHA256 (server)

Just and idea - if you have some other advice, please let me know.

Maybe one more word about our setup:
- we have to connect to a piece of hardware with TLS Client authentication
- client will be a mobile application
- we are currently working with a mock-server (therefore we have access to it - it is a node.js application). The mock is supposed to be according to the specification (you never know, unfortuantely)

We are now concerned, not being able to connect to the hardware, as we are not able to to connect to the mock. Hopefully issues will be resolved soon.

commented Mar 13, 2023 by Lukas Matyska (72.7k points)

Please note that TLS cipher suites are sent as two bytes codes, there is no string comparison. The code is actually present in your listing, see:

{0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

The two hex-values are the two bytes code of the cipher suite.

If your listing of available cipher suites at the server is correct, then we can clearly see that the ERR_SSL_NO_SHARED_CIPHER reported by the server is misleading or incorrect, because there are some shared cipher suites.

However, I have noticed the error log contains a reference to source code: ./deps/openssl/openssl/ssl/statem/statem_srvr.c:2284
and I have found it at https://github.com/openssl/openssl/blob/master/ssl/statem/statem_srvr.c

It was not much helpful, but I have searched for "no shared cipher" string in the repository and I got this interesting hit:
https://github.com/openssl/openssl/commit/b4eee58a5f9dfa493d6cc34b4af871415c67beda

1. It seems that OpenSSL has/had some issues with TLS 1.3 enabled. Please, try to disable TLS 1.3 at the server.
2. If disabling TLS 1.3 does not help, please, upgrade to the latest version of OpenSSL, since it seems we are facing a server side issue.

commented Mar 28, 2023 by anonymous

Hi Lukasz,
sorry to come back to you on this. In the meanwhile we had a chance to test our setup with a real hardware board and not only with the mock we are having.
The message we are receiving is a bit different and it seems, that Rebex throws some exception. I will attach the logfile below.
Besides we did a test with another linux based websocket-client (OpenSSL) and for them the establishment of the connection was successful.
At least this suggests that it is not a major server issue. Do you think it could be helpful, if we provide kind of testproject, that you can see/reproduce it by yourself?

Here is the logfile:

----websocket log----2023-03-20 18:25:29.409 Opening log file.
2023-03-20 18:25:29.410 INFO FileLogWriter(1)[18] Info: Assembly: Rebex.Common R6.10 for .NET Standard 2.1
2023-03-20 18:25:29.410 INFO FileLogWriter(1)[18] Info: Platform: iOS (Unix 22.4.0.0) 64-bit ARM; CLR: Mono 6.12.0 (2020-02/6dd9def57ce)
2023-03-20 18:25:29.410 DEBUG FileLogWriter(1)[18] Info: Culture: en; Windows-1252
2023-03-20 18:25:29.421 INFO WebSocketClient(2)[18] WebSocket: Connecting to 'wss://192.168.0.1:28441/maintenance'...
2023-03-20 18:25:29.421 INFO WebSocketClient(2)[18] Info: Assembly: Rebex.WebSocket R6.10 for .NET Standard 2.1
2023-03-20 18:25:29.421 INFO WebSocketClient(2)[18] Info: Platform: iOS (Unix 22.4.0.0) 64-bit ARM; CLR: Mono 6.12.0 (2020-02/6dd9def57ce)
2023-03-20 18:25:29.421 DEBUG WebSocketClient(2)[18] Info: Culture: en; Windows-1252
2023-03-20 18:25:29.421 INFO WebSocketClient(2)[21] HTTP: Connecting to 'https://192.168.0.1:28441'...
2023-03-20 18:25:29.422 DEBUG WebSocketClient(2)[21] Proxy: Connecting to 192.168.0.1:28441 (no proxy).
2023-03-20 18:25:29.430 DEBUG WebSocketClient(2)[21] Proxy: Connection established.
2023-03-20 18:25:29.464 DEBUG WebSocketClient(2)[21] TLS: Using classic TLS core.
2023-03-20 18:25:29.465 DEBUG WebSocketClient(2)[21] TLS: Enabled cipher suites: 0x0001000000000000.
2023-03-20 18:25:29.491 DEBUG WebSocketClient(2)[21] TLS: Applicable cipher suites: 0x0001000000000000.
2023-03-20 18:25:29.493 VERBOSE WebSocketClient(2)[21] TLS: Sent TLS packet:
0000 |16-03-03-00-79-01-00-00 75-03-03-64-18-97-09-B8| ....y...u..d....
0010 |F8-53-AA-C3-0F-53-1A-1A D5-31-A1-F6-2E-42-77-73| .S...S...1...Bws
0020 |56-83-F0-18-98-10-A8-ED 9A-E4-C1-00-00-04-C0-2B| V..............+
0030 |00-FF-01-00-00-48-00-00 00-10-00-0E-00-00-0B-31| .....H.........1
0040 |39-32-2E-31-36-38-2E-30 2E-31-00-0A-00-0E-00-0C| 92.168.0.1......
0050 |00-17-00-18-00-19-00-1A 00-1B-00-1C-00-0B-00-02| ................
0060 |01-00-00-0D-00-14-00-12 04-01-04-03-05-01-05-03| ................
0070 |06-01-06-03-02-01-02-03 02-02-00-17-00-00      | ..............
2023-03-20 18:25:29.493 DEBUG WebSocketClient(2)[21] TLS: HandshakeMessage:ClientHello was sent.
2023-03-20 18:25:29.728 VERBOSE WebSocketClient(2)[21] TLS: Received TLS packet:
0000 |16-03-03-00-55-02-00-00 51-03-03-A1-F8-5F-D0-85| ....U...Q...._..
0010 |3D-11-56-69-B7-3F-4A-63 22-CF-65-05-6B-07-47-74| =.Vi.?Jc".e.k.Gt
0020 |42-5F-78-31-00-32-04-3F 82-3F-FE-20-A5-0A-EE-BC| B_x1.2.?.?. ....
0030 |D5-9F-25-5C-1A-F1-87-0D 2F-5E-B3-19-97-DA-D8-82| ..%\..../^......
0040 |9A-84-8D-DA-3A-B3-F8-74 06-D1-DE-32-00-00-00-00| ....:..t...2....
0050 |09-FF-01-00-01-00-00-17 00-00                  | ..........
2023-03-20 18:25:29.734 DEBUG WebSocketClient(2)[21] TLS: Error while processing TLS packet: System.ArgumentException: Unsupported cipher suite.
Parameter name: suite
  at Rebex.Net.TlsCipher.ziunq (Rebex.Net.TlsCipherSuiteId p0, System.Int32 p1) [0x007a2] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.ofgkm..ctor (System.Byte[] buffer, System.Int32 offset, System.Int32 length) [0x00139] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.pvrbt.wrmvi (System.Byte[] p0, System.Int32 p1, System.Int32 p2, Rebex.Net.TlsProtocol p3, Rebex.Net.TlsCipher p4) [0x0006d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.kmzch.dxcxl (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00026] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.wunjd (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x0007d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000ce] in <92378deb221948dfa4cafbbc95220b36>:0
2023-03-20 18:25:29.735 INFO WebSocketClient(2)[21] TLS: Fatal Alert:InternalError was sent.
2023-03-20 18:25:29.735 VERBOSE WebSocketClient(2)[21] TLS: Sent TLS packet:
0000 |15-03-03-00-02-02-50                           | ......P
2023-03-20 18:25:29.740 ERROR WebSocketClient(2)[21] HTTP: Error while sending request: Rebex.Net.TlsException: Unsupported cipher suite.
Parameter name: suite ---> System.ArgumentException: Unsupported cipher suite.
Parameter name: suite
  at Rebex.Net.TlsCipher.ziunq (Rebex.Net.TlsCipherSuiteId p0, System.Int32 p1) [0x007a2] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.ofgkm..ctor (System.Byte[] buffer, System.Int32 offset, System.Int32 length) [0x00139] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.pvrbt.wrmvi (System.Byte[] p0, System.Int32 p1, System.Int32 p2, Rebex.Net.TlsProtocol p3, Rebex.Net.TlsCipher p4) [0x0006d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.kmzch.dxcxl (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00026] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.wunjd (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x0007d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000ce] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.sbkup.cumxx () [0x00163] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.kknju () [0x00071] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.uwdop () [0x00056] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.pfonj () [0x00000] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.ovayl () [0x00006] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.Negotiate () [0x00014] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.eaxpd (Rebex.Net.ISocket p0, Rebex.Net.TlsCipher& p1) [0x00032] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.lzmdw () [0x0003e] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.jednq () [0x000c9] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.amhvz (System.Boolean p0) [0x000f5] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.iehix () [0x001b9] in <92378deb221948dfa4cafbbc95220b36>:0
2023-03-20 18:25:29.746 ERROR WebSocketClient(2)[21] WebSocket: Error occurred: Rebex.Net.WebSocketException: An error occurred while opening the WebSocket. ---> zbfys.hvzit: Unsupported cipher suite.
Parameter name: suite ---> Rebex.Net.TlsException: Unsupported cipher suite.
Parameter name: suite ---> System.ArgumentException: Unsupported cipher suite.
Parameter name: suite
  at Rebex.Net.TlsCipher.ziunq (Rebex.Net.TlsCipherSuiteId p0, System.Int32 p1) [0x007a2] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.ofgkm..ctor (System.Byte[] buffer, System.Int32 offset, System.Int32 length) [0x00139] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.pvrbt.wrmvi (System.Byte[] p0, System.Int32 p1, System.Int32 p2, Rebex.Net.TlsProtocol p3, Rebex.Net.TlsCipher p4) [0x0006d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.kmzch.dxcxl (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00026] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.wunjd (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x0007d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000ce] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.sbkup.cumxx () [0x00163] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.kknju () [0x00071] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.uwdop () [0x00056] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.pfonj () [0x00000] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.ovayl () [0x00006] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.Negotiate () [0x00014] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.eaxpd (Rebex.Net.ISocket p0, Rebex.Net.TlsCipher& p1) [0x00032] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.lzmdw () [0x0003e] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.jednq () [0x000c9] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.amhvz (System.Boolean p0) [0x000f5] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.iehix () [0x001b9] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.lmtsl.iehix () [0x0046a] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.vwomv+ooawi.qhosc () [0x00000] in <1385f88e458e4471a15609b64d8a7800>:0
  at System.Threading.Tasks.Task`1[TResult].InnerInvoke () [0x0000f] in <a397f8ddf5cc4340b1b7367e6ca02e39>:0
  at System.Threading.Tasks.Task.Execute () [0x00000] in /Library/Frameworks/Xamarin.iOS.framework/Versions/Current/src/Xamarin.iOS/external/corert/src/System.Private.CoreLib/src/System/Threading/Tasks/Task.cs:2319
--- End of stack trace from previous location where exception was thrown ---

  at zbfys.vwomv.dbzip (System.Uri p0, zbfys.dwzou p1, Rebex.Net.ISocketFactory p2, Rebex.Net.WebSocketClientSettings p3, Rebex.Net.WebSocketClientOptions p4, Rebex.Net.TlsParameters p5, System.Threading.CancellationToken p6) [0x00380] in <1385f88e458e4471a15609b64d8a7800>:0
   --- End of inner exception stack trace ---
  at zbfys.vwomv.dbzip (System.Uri p0, zbfys.dwzou p1, Rebex.Net.ISocketFactory p2, Rebex.Net.WebSocketClientSettings p3, Rebex.Net.WebSocketClientOptions p4, Rebex.Net.TlsParameters p5, System.Threading.CancellationToken p6) [0x00399] in <1385f88e458e4471a15609b64d8a7800>:0
  at Rebex.Net.WebSocketClient.ConnectAsync (System.Uri uri, System.Threading.CancellationToken cancellationToken) [0x001f4] in <1385f88e458e4471a15609b64d8a7800>:0

commented Mar 28, 2023 by Lukas Matyska (72.7k points)

The "TlsException: Unsupported cipher suite." was raised because the server did not select any cipher suite in your case. The cipher_suite value in the ServerHello message was 0x00 - see https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.3 for details:

   cipher_suite
      The single cipher suite selected by the server from the list in ClientHello.cipher_suites.

I see in the log that you enabled only one single cipher: ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(see log entry: "Enabled cipher suites: 0x0001000000000000.")

It seems that the server does not support ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. The OpenSSL websocket-client was able to establish connection because you probably did not limit allowed cipher suites to just this single cipher.

Please try to enable more ciphers at the client. It can be done like this:

    var client = new WebSocketClient();
    client.Settings.SslAllowedSuites = TlsCipherSuite.Secure;

commented Mar 29, 2023 by anonymous

Hi Lukas,

i tried again. With different settings. Once with
client.Settings.SslAllowedSuites = TlsCipherSuite.Secure;

another time even with
client.Settings.SslAllowedSuites = TlsCipherSuite.All;

In both cases same result, but with different ciphers selected:
TlsCipherSuite.Secure;
2023-03-29 10:01:35.407 DEBUG WebSocketClient(2)[6] TLS: Enabled cipher suites: 0x0C1F3CC32B000000.
2023-03-29 10:01:35.436 DEBUG WebSocketClient(2)[6] TLS: Applicable cipher suites: 0x0C1F3CC32B000000.

TlsCipherSuite.All;
2023-03-29 09:56:11.207 DEBUG WebSocketClient(2)[21] TLS: Enabled cipher suites: 0x0C1FFFFFFFF4F666.
2023-03-29 09:56:11.228 DEBUG WebSocketClient(2)[21] TLS: Applicable cipher suites: 0x0C1FFFFFFFF4F666.

(Full log find below)

Do you have some still some idea, what could go wrong here?
Is there a way to debug rebex in more detail?
Can it be, that something is not as exepected in Rebex?

We really have some project-related issue with this.

Full log:
----websocket log----2023-03-29 10:01:35.352 Opening log file.
2023-03-29 10:01:35.353 INFO FileLogWriter(1)[19] Info: Assembly: Rebex.Common R6.10 for .NET Standard 2.1
2023-03-29 10:01:35.353 INFO FileLogWriter(1)[19] Info: Platform: iOS (Unix 22.4.0.0) 64-bit ARM; CLR: Mono 6.12.0 (2020-02/6dd9def57ce)
2023-03-29 10:01:35.353 DEBUG FileLogWriter(1)[19] Info: Culture: en; Windows-1252
2023-03-29 10:01:35.364 INFO WebSocketClient(2)[19] WebSocket: Connecting to 'wss://192.168.0.1:28441/maintenance'...
2023-03-29 10:01:35.364 INFO WebSocketClient(2)[19] Info: Assembly: Rebex.WebSocket R6.10 for .NET Standard 2.1
2023-03-29 10:01:35.364 INFO WebSocketClient(2)[19] Info: Platform: iOS (Unix 22.4.0.0) 64-bit ARM; CLR: Mono 6.12.0 (2020-02/6dd9def57ce)
2023-03-29 10:01:35.364 DEBUG WebSocketClient(2)[19] Info: Culture: en; Windows-1252
2023-03-29 10:01:35.364 INFO WebSocketClient(2)[6] HTTP: Connecting to 'https://192.168.0.1:28441'...
2023-03-29 10:01:35.364 DEBUG WebSocketClient(2)[6] Proxy: Connecting to 192.168.0.1:28441 (no proxy).
2023-03-29 10:01:35.367 DEBUG WebSocketClient(2)[6] Proxy: Connection established.
2023-03-29 10:01:35.406 DEBUG WebSocketClient(2)[6] TLS: Using classic TLS core.
2023-03-29 10:01:35.407 DEBUG WebSocketClient(2)[6] TLS: Enabled cipher suites: 0x0C1F3CC32B000000.
2023-03-29 10:01:35.436 DEBUG WebSocketClient(2)[6] TLS: Applicable cipher suites: 0x0C1F3CC32B000000.
2023-03-29 10:01:35.439 VERBOSE WebSocketClient(2)[6] TLS: Sent TLS packet:
0000 |16-03-03-00-9D-01-00-00 99-03-03-64-23-F0-5F-D5| ...........d#._.
0010 |43-05-42-33-F0-22-E2-32 8B-53-D2-FC-B6-E5-44-3C| C.B3.".2.S....D<
0020 |D3-C2-94-F6-D5-22-7F-63 D2-B9-71-00-00-28-C0-23| .....".c..q..(.#
0030 |C0-24-C0-2B-C0-2C-C0-2F C0-30-C0-27-C0-28-00-9F| .$.+.,./.0.'.(..
0040 |00-9E-00-6B-00-67-00-9D 00-9C-00-3D-00-3C-CC-A8| ...k.g.....=.<..
0050 |CC-A9-CC-AA-00-FF-01-00 00-48-00-00-00-10-00-0E| .........H......
0060 |00-00-0B-31-39-32-2E-31 36-38-2E-30-2E-31-00-0A| ...192.168.0.1..
0070 |00-0E-00-0C-00-17-00-18 00-19-00-1A-00-1B-00-1C| ................
0080 |00-0B-00-02-01-00-00-0D 00-14-00-12-04-01-04-03| ................
0090 |05-01-05-03-06-01-06-03 02-01-02-03-02-02-00-17| ................
00A0 |00-00                                          | ..
2023-03-29 10:01:35.439 DEBUG WebSocketClient(2)[6] TLS: HandshakeMessage:ClientHello was sent.
2023-03-29 10:01:35.758 VERBOSE WebSocketClient(2)[6] TLS: Received TLS packet:
0000 |16-03-03-00-55-02-00-00 51-03-03-31-09-4F-79-7E| ....U...Q..1.Oy~
0010 |E6-76-2A-BA-FC-8B-42-4E C5-49-24-CD-F3-4B-12-78| .v*...BN.I$..K.x
0020 |23-8A-A6-0E-0C-83-3C-D8 E2-1B-0A-20-EB-E9-12-31| #.....<.... ...1
0030 |57-6E-52-B6-F5-06-39-D6 C8-2F-E6-D1-9B-17-95-E1| WnR...9../......
0040 |51-6B-FF-52-01-9D-AB-19 A7-7B-44-41-00-00-00-00| Qk.R.....{DA....
0050 |09-FF-01-00-01-00-00-17 00-00                  | ..........
2023-03-29 10:01:35.765 DEBUG WebSocketClient(2)[6] TLS: Error while processing TLS packet: System.ArgumentException: Unsupported cipher suite.
Parameter name: suite
  at Rebex.Net.TlsCipher.ziunq (Rebex.Net.TlsCipherSuiteId p0, System.Int32 p1) [0x007a2] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.ofgkm..ctor (System.Byte[] buffer, System.Int32 offset, System.Int32 length) [0x00139] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.pvrbt.wrmvi (System.Byte[] p0, System.Int32 p1, System.Int32 p2, Rebex.Net.TlsProtocol p3, Rebex.Net.TlsCipher p4) [0x0006d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.kmzch.dxcxl (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00026] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.wunjd (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x0007d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000ce] in <92378deb221948dfa4cafbbc95220b36>:0
2023-03-29 10:01:35.766 INFO WebSocketClient(2)[6] TLS: Fatal Alert:InternalError was sent.
2023-03-29 10:01:35.766 VERBOSE WebSocketClient(2)[6] TLS: Sent TLS packet:
0000 |15-03-03-00-02-02-50                           | ......P
2023-03-29 10:01:35.770 ERROR WebSocketClient(2)[6] HTTP: Error while sending request: Rebex.Net.TlsException: Unsupported cipher suite.
Parameter name: suite ---> System.ArgumentException: Unsupported cipher suite.
Parameter name: suite
  at Rebex.Net.TlsCipher.ziunq (Rebex.Net.TlsCipherSuiteId p0, System.Int32 p1) [0x007a2] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.ofgkm..ctor (System.Byte[] buffer, System.Int32 offset, System.Int32 length) [0x00139] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.pvrbt.wrmvi (System.Byte[] p0, System.Int32 p1, System.Int32 p2, Rebex.Net.TlsProtocol p3, Rebex.Net.TlsCipher p4) [0x0006d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.kmzch.dxcxl (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00026] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.wunjd (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x0007d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000ce] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.sbkup.cumxx () [0x00163] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.kknju () [0x00071] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.uwdop () [0x00056] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.pfonj () [0x00000] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.ovayl () [0x00006] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.Negotiate () [0x00014] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.eaxpd (Rebex.Net.ISocket p0, Rebex.Net.TlsCipher& p1) [0x00032] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.lzmdw () [0x0003e] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.jednq () [0x000c9] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.amhvz (System.Boolean p0) [0x000f5] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.iehix () [0x001b9] in <92378deb221948dfa4cafbbc95220b36>:0
2023-03-29 10:01:35.777 ERROR WebSocketClient(2)[6] WebSocket: Error occurred: Rebex.Net.WebSocketException: An error occurred while opening the WebSocket. ---> zbfys.hvzit: Unsupported cipher suite.
Parameter name: suite ---> Rebex.Net.TlsException: Unsupported cipher suite.
Parameter name: suite ---> System.ArgumentException: Unsupported cipher suite.
Parameter name: suite
  at Rebex.Net.TlsCipher.ziunq (Rebex.Net.TlsCipherSuiteId p0, System.Int32 p1) [0x007a2] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.ofgkm..ctor (System.Byte[] buffer, System.Int32 offset, System.Int32 length) [0x00139] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.pvrbt.wrmvi (System.Byte[] p0, System.Int32 p1, System.Int32 p2, Rebex.Net.TlsProtocol p3, Rebex.Net.TlsCipher p4) [0x0006d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.kmzch.dxcxl (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x00026] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.wunjd (System.Byte[] p0, System.Int32 p1, System.Int32 p2) [0x0007d] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.cumxx () [0x000ce] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.sbkup.cumxx () [0x00163] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.sbkup.kknju () [0x00071] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.uwdop () [0x00056] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.isvgr.pfonj () [0x00000] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.ovayl () [0x00006] in <92378deb221948dfa4cafbbc95220b36>:0
  at Rebex.Net.TlsSocket.Negotiate () [0x00014] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.eaxpd (Rebex.Net.ISocket p0, Rebex.Net.TlsCipher& p1) [0x00032] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.gjell.lzmdw () [0x0003e] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.jednq () [0x000c9] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.amhvz (System.Boolean p0) [0x000f5] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.lmtsl.iehix () [0x001b9] in <92378deb221948dfa4cafbbc95220b36>:0
   --- End of inner exception stack trace ---
  at zbfys.lmtsl.iehix () [0x0046a] in <92378deb221948dfa4cafbbc95220b36>:0
  at zbfys.vwomv+ooawi.qhosc () [0x00000] in <1385f88e458e4471a15609b64d8a7800>:0
  at System.Threading.Tasks.Task`1[TResult].InnerInvoke () [0x0000f] in <a397f8ddf5cc4340b1b7367e6ca02e39>:0
  at System.Threading.Tasks.Task.Execute () [0x00000] in /Library/Frameworks/Xamarin.iOS.framework/Versions/Current/src/Xamarin.iOS/external/corert/src/System.Private.CoreLib/src/System/Threading/Tasks/Task.cs:2319
--- End of stack trace from previous location where exception was thrown ---

  at zbfys.vwomv.dbzip (System.Uri p0, zbfys.dwzou p1, Rebex.Net.ISocketFactory p2, Rebex.Net.WebSocketClientSettings p3, Rebex.Net.WebSocketClientOptions p4, Rebex.Net.TlsParameters p5, System.Threading.CancellationToken p6) [0x00380] in <1385f88e458e4471a15609b64d8a7800>:0
   --- End of inner exception stack trace ---
  at zbfys.vwomv.dbzip (System.Uri p0, zbfys.dwzou p1, Rebex.Net.ISocketFactory p2, Rebex.Net.WebSocketClientSettings p3, Rebex.Net.WebSocketClientOptions p4, Rebex.Net.TlsParameters p5, System.Threading.CancellationToken p6) [0x00399] in <1385f88e458e4471a15609b64d8a7800>:0
  at Rebex.Net.WebSocketClient.ConnectAsync (System.Uri uri, System.Threading.CancellationToken cancellationToken) [0x001f4] in <1385f88e458e4471a15609b64d8a7800>:0

commented Mar 29, 2023 by Lukas Pokorny (147k points)

> Do you have some still some idea, what could go wrong here?
> Is there a way to debug rebex in more detail?
> Can it be, that something is not as exepected in Rebex?

The error should have been a TlsException instead of ArgumentException, but the reason is clearly apparent in the content of server's ServerHello message:
0000 |16-03-03-00-55-02-00-00 51-03-03-31-09-4F-79-7E| ....U...Q..1.Oy~
0010 |E6-76-2A-BA-FC-8B-42-4E C5-49-24-CD-F3-4B-12-78| .v*...BN.I$..K.x
0020 |23-8A-A6-0E-0C-83-3C-D8 E2-1B-0A-20-EB-E9-12-31| #.....<.... ...1
0030 |57-6E-52-B6-F5-06-39-D6 C8-2F-E6-D1-9B-17-95-E1| WnR...9../......
0040 |51-6B-FF-52-01-9D-AB-19 A7-7B-44-41-00-00-00-00| Qk.R.....{DA....
0050 |09-FF-01-00-01-00-00-17 00-00 | ..........

This is structured according to RFC 5246, with section 7.4.1.3 describing the content of ServerHello message data - see https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.3 for details.

This is the meaning of those bytes:

16 = TLS handshake message
03 03 = protocol version (TLS 1.2) / 4,5
00 55 = packet payload length
02 = ServerHello
00 00 51 = ServerHello length

03 03 = server_version (TLS 1.2)

31 09 4F 79 7E E6 76 2A = random value
BA FC 8B 42 4E C5 49 24
CD F3 4B 12 78 23 8A A6
0E 0C 83 3C D8 E2 1B 0A

20 = session ID length
EB E9 12 31 57 6E 52 B6 = session ID
F5 06 39 D6 C8 2F E6 D1
9B 17 95 E1 51 6B FF 52
01 9D AB 19 A7 7B 44 41

00 00 = cipher_site
00 = compression_method (=none)
00 09 FF 01 00 01 00 00 17 00 00 = extensions

As you can see, the server returned "cipher_suite" of "00 00" (two zero bytes) which represents the TLS_NULL_WITH_NULL_NULL cipher. This cipher offers no protection, it has not been announced as supported by the client.

However, the TLS specification states that this value represents "the single cipher suite selected by the server from the list in ClientHello.cipher_suites." This means that your server apparently violated the TLS protocol by responding with a cipher that has not been announced by the client. Additionally, the client does not even support this cipher, which means it can never announce it, and it should never occur in server's ServerHello message. Therefore, our ServerHello parser simply failed - the error is slightly wrong (at should have been TlsException instead of ArgumentException), but it's actually spot-on.

So there actually is a server issue - the server's response does not conform to TLS 1.2 specification.

> We did a test with another linux based websocket-client (OpenSSL) and for them the establishment of the connection was successful.

It's quite likely that the wrong server response only occurs when some specific conditions are met. For example, the server might respond this way if it doesn't like something in the client's ClientHello message. For example, the server might require Curve25519 elliptic curve support, and fail in this strange way if the client doesn't announce it. It looks like you have not registered Rebex.Curve25519.dll plugin, so your client doesn't support this popular curve, while OpenSSL definitely does. So that's one possible difference, and it might be useful to try enabling this.

Another thing to try is to enable TLS 1.3 at the client. Again, OpenSSL does support this, so perhaps the server requires it and only sends the wrong response when the client doesn't.

But of course, I'm just guessing here, just like I was on February 23. But if you can't seem to find out what the server doesn't like from the server log, there is another way that might help to determine what's missing (or what's superfluous) in the ClientHello message: run a test with a client that works (such as the Linux-based websocket-client) and capture it's communication using a network packet analyzer (such as tcpdump or Wireshark). Then, we could configure Rebex WebSocket client to send a similar ClientHello, which would hopefully make it work.

Alternatively, set up one of those servers to allow access from our IP address, and let us determine settings that work.

commented Mar 30, 2023 by anonymous

Hi Lukas,

oh dear...indeed, after playing too long around with the code, i forget what was mentioned initially about importing the support for Curve25519 and Ed25519.

And btw. thanks a lot for the enlightening comment you gave!! :-)

Now the response looks much better - But still with some trouble:

2023-03-29 21:31:14.725 DEBUG WebSocketClient(1)[5] TLS: HandshakeMessage:Certificate was received.
2023-03-29 21:31:14.731 DEBUG WebSocketClient(1)[5] TLS: Rebex.Net.TlsException: Received unsuitable server certificate.

I guess it has nothing to do with the certificate validation, as i already played around with disabling it. Could you again help me out here, what could be the issue here?
How can i get hold of the server certificate for getting more details on it?

Full log:
----websocket log----

2023-03-29 21:31:14.227 DEBUG WebSocketClient(1)[5] TLS: Enabled cipher suites: 0x0C1F3CC32B000000.
2023-03-29 21:31:14.234 DEBUG WebSocketClient(1)[5] TLS: Applicable cipher suites: 0x0C1F3CC32B000000.
2023-03-29 21:31:14.239 VERBOSE WebSocketClient(1)[5] TLS: Sent TLS packet:
0000 |16-03-03-00-9B-01-00-00 97-03-03-64-24-92-02-B9| ...........d$...
0010 |DC-A1-80-9E-3F-6C-D0-E0 C3-B6-C5-06-FB-08-31-1A| ....?l........1.
0020 |25-5C-06-06-CF-7E-62-C0 67-82-55-00-00-28-C0-23| %\...~b.g.U..(.#
0030 |C0-24-C0-2B-C0-2C-C0-2F C0-30-C0-27-C0-28-00-9F| .$.+.,./.0.'.(..
0040 |00-9E-00-6B-00-67-00-9D 00-9C-00-3D-00-3C-CC-A8| ...k.g.....=.<..
0050 |CC-A9-CC-AA-00-FF-01-00 00-46-00-00-00-12-00-10| .........F......
0060 |00-00-0D-31-39-32-2E-31 36-38-2E-32-31-37-2E-32| ...192.168.217.2
0070 |00-0A-00-0A-00-08-00-17 00-18-00-19-00-1D-00-0B| ................
0080 |00-02-01-00-00-0D-00-14 00-12-04-01-04-03-05-01| ................
0090 |05-03-06-01-06-03-02-01 02-03-02-02-00-17-00-00| ................
2023-03-29 21:31:14.240 DEBUG WebSocketClient(1)[5] TLS: HandshakeMessage:ClientHello was sent.
2023-03-29 21:31:14.715 VERBOSE WebSocketClient(1)[5] TLS: Received TLS packet:
0000 |16-03-03-00-5B-02-00-00 57-03-03-E8-DB-1E-7D-4F| ....[...W.....}O
0010 |3E-DA-DC-FF-AE-72-2B-20 82-AB-D3-5B-D8-82-41-6E| >....r+ ...[..An
0020 |8F-6E-60-A7-03-10-2B-00 50-CA-00-20-3F-3E-BB-11| .n`...+.P.. ?>..
0030 |B0-B2-BC-78-37-20-2B-38 24-C1-0F-BE-EF-75-AD-74| ...x7 +8$....u.t
0040 |49-EF-9B-20-C3-5F-CE-08 AE-CB-4E-72-CC-A9-00-00| I.. ._....Nr....
0050 |0F-00-0B-00-02-01-00-FF 01-00-01-00-00-17-00-00| ................
2023-03-29 21:31:14.721 DEBUG WebSocketClient(1)[5] TLS: HandshakeMessage:ServerHello was received.
2023-03-29 21:31:14.722 INFO WebSocketClient(1)[5] TLS: Negotiating TLS 1.2, ECDSA with ephemeral ECDH, Chacha20Poly1305 with 256-bit key, AEAD.
2023-03-29 21:31:14.723 DEBUG WebSocketClient(1)[5] TLS: The server supports secure renegotiation.
2023-03-29 21:31:14.724 DEBUG WebSocketClient(1)[5] TLS: Extended master secret is enabled.
2023-03-29 21:31:14.724 VERBOSE WebSocketClient(1)[5] TLS: Received TLS packet:
0000 |16-03-03-05-F8-0B-00-05 F4-00-05-F1-00-02-C2-30| ...............0
0010 |82-02-BE-30-82-02-70-A0 03-02-01-02-02-10-5B-80| ...0..p.......[.
0020 |09-DE-78-28-E0-08-87-B2 33-37-CF-FF-8A-B0-30-05| ..x(....37....0.
0030 |06-03-2B-65-70-30-5C-31 0B-30-09-06-03-55-04-06| ..+ep0\1.0...U..
0040 |13-02-44-45-31-1A-30-18 06-03-55-04-0A-13-11-48| ..DE1.0...U....H
0050 |6F-6D-65-20-43-6F-6E-6E 65-63-74-20-47-6D-62-48| ome Connect GmbH
0060 |31-19-30-17-06-03-55-04 0B-13-10-50-72-6F-64-75| 1.0...U....Produ
0070 |63-74-20-53-65-63-75-72 69-74-79-31-16-30-14-06| ct Security1.0..
0080 |03-55-04-03-13-0D-44-45 56-20-53-4D-4D-20-43-41| .U....DEV SMM CA
0090 |20-41-36-30-1E-17-0D-32 30-31-31-31-32-30-38-34| A60...201112084
00A0 |38-35-39-5A-17-0D-32-33 31-31-31-32-30-38-34-38| 859Z..2311120848
00B0 |35-39-5A-30-4C-31-26-30 24-06-03-55-04-03-13-1D| 59Z0L1&0$..U....
00C0 |38-30-30-31-31-38-33-39 34-32-30-30-30-30-34-34| 8001183942000044
00D0 |30-33-33-35-30-30-30-30 30-30-30-36-35-31-22-30| 03350000000651"0
00E0 |20-06-03-55-04-0D-13-19 31-2E-33-2E-36-2E-31-2E| ..U....1.3.6.1.
00F0 |34-2E-31-2E-32-30-32-31 39-2E-34-2E-32-2E-31-2E| 4.1.20219.4.2.1.
0100 |32-30-2A-30-05-06-03-2B 65-70-03-21-00-BF-34-B5| 20*0...+ep.!..4.
0110 |E9-E5-38-14-DA-E7-FC-B1 14-D1-9A-E2-39-62-03-DD| ..8.........9b..
0120 |D5-B1-2A-6C-B6-40-C9-3B 0C-FE-AA-DE-F5-A3-82-01| ..*l.@.;........
0130 |56-30-82-01-52-30-1D-06 03-55-1D-25-04-16-30-14| V0..R0...U.%..0.
0140 |06-08-2B-06-01-05-05-07 03-02-06-08-2B-06-01-05| ..+.........+...
0150 |05-07-03-01-30-11-06-03 55-1D-0E-04-0A-04-08-44| ....0...U......D
0160 |63-70-E7-E7-B8-B2-54-30 4C-06-03-55-1D-20-04-45| cp....T0L..U. .E
0170 |30-43-30-41-06-0B-2B-06 01-04-01-81-9D-7B-04-01| 0C0A..+......{..
0180 |01-30-32-30-30-06-08-2B 06-01-05-05-07-02-01-16| .0200..+........
0190 |24-68-74-74-70-73-3A-2F 2F-77-77-77-2E-62-73-68| $https://www.bsh
01A0 |2D-67-72-6F-75-70-2E-63 6F-6D-2F-64-69-67-69-74| -group.com/digit
01B0 |61-6C-2D-69-64-30-1F-06 03-55-1D-23-04-18-30-16| al-id0...U.#..0.
01C0 |80-14-32-A6-11-B5-D9-2E 53-A1-46-51-79-23-DA-FB| ..2.....S.FQy#..
01D0 |C5-2E-05-42-FC-AE-30-81 9E-06-08-2B-06-01-05-05| ...B..0....+....
01E0 |07-01-01-04-81-91-30-81 8E-30-2E-06-08-2B-06-01| ......0..0...+..
01F0 |05-05-07-30-01-86-22-68 74-74-70-3A-2F-2F-6F-63| ...0.."http://oc
0200 |73-70-2E-33-2E-71-61-2E 67-6F-2E-6E-65-78-75-73| sp.3.qa.go.nexus
0210 |67-72-6F-75-70-2E-63-6F 6D-30-5C-06-08-2B-06-01| group.com0\..+..
0220 |05-05-07-30-02-86-50-68 74-74-70-3A-2F-2F-70-67| ...0..Phttp://pg
0230 |77-2E-33-2E-71-61-2E-67 6F-2E-6E-65-78-75-73-67| w.3.qa.go.nexusg
0240 |72-6F-75-70-2E-63-6F-6D 2F-64-70-2F-63-61-2F-35| roup.com/dp/ca/5
0250 |62-66-37-33-34-37-61-36 35-36-39-31-39-38-64-38| bf7347a6569198d8
0260 |35-61-34-31-37-66-37-32 63-37-63-66-63-39-65-31| 5a417f72c7cfc9e1
0270 |33-32-32-30-62-39-39-30 0E-06-03-55-1D-0F-01-01| 3220b990...U....
0280 |FF-04-04-03-02-07-80-30 05-06-03-2B-65-70-03-41| .......0...+ep.A
0290 |00-0F-BC-1D-0B-0C-D3-A2 34-0A-46-DB-5F-D5-63-DC| ........4.F._.c.
02A0 |B0-78-37-CB-B7-AB-3F-CE 51-4F-AF-89-49-84-9C-86| .x7...?.QO..I...
02B0 |2A-D7-A1-31-71-5A-18-1C D9-6E-EB-0A-CF-73-EC-70| *..1qZ...n...s.p
02C0 |19-39-03-26-0F-2E-FE-9F 7C-99-4B-3D-DA-A6-DF-2F| .9.&....|.K=.../
02D0 |02-00-03-29-30-82-03-25 30-82-02-D7-A0-03-02-01| ...)0..%0.......
02E0 |02-02-10-59-F0-7A-5B-D7 4F-4D-36-59-E1-60-83-69| ...Y.z[.OM6Y.`.i
02F0 |7C-69-29-30-05-06-03-2B 65-70-30-64-31-0B-30-09| |i)0...+ep0d1.0.
0300 |06-03-55-04-06-13-02-44 45-31-1D-30-1B-06-03-55| ..U....DE1.0...U
0310 |04-0A-13-14-42-53-48-20 48-61-75-73-67-65-72-61| ....BSH Hausgera
0320 |65-74-65-20-47-6D-62-48 31-19-30-17-06-03-55-04| ete GmbH1.0...U.
0330 |0B-13-10-50-72-6F-64-75 63-74-20-53-65-63-75-72| ...Product Secur
0340 |69-74-79-31-1B-30-19-06 03-55-04-03-13-12-44-45| ity1.0...U....DE
0350 |56-20-41-70-70-6C-69-61 6E-63-65-20-43-41-20-31| V Appliance CA 1
0360 |30-1E-17-0D-32-30-30-39 31-30-31-33-30-35-33-34| 0...200910130534
0370 |5A-17-0D-32-35-30-39-31 30-31-33-30-35-33-34-5A| Z..250910130534Z
0380 |30-5C-31-0B-30-09-06-03 55-04-06-13-02-44-45-31| 0\1.0...U....DE1
0390 |1A-30-18-06-03-55-04-0A 13-11-48-6F-6D-65-20-43| .0...U....Home C
03A0 |6F-6E-6E-65-63-74-20-47 6D-62-48-31-19-30-17-06| onnect GmbH1.0..
03B0 |03-55-04-0B-13-10-50-72 6F-64-75-63-74-20-53-65| .U....Product Se
03C0 |63-75-72-69-74-79-31-16 30-14-06-03-55-04-03-13| curity1.0...U...
03D0 |0D-44-45-56-20-53-4D-4D 20-43-41-20-41-36-30-2A| .DEV SMM CA A60*
03E0 |30-05-06-03-2B-65-70-03 21-00-CD-82-E1-F2-8C-5D| 0...+ep.!......]
03F0 |86-97-37-EA-15-56-AE-41 0C-E6-0E-FB-92-54-50-00| ..7..V.A.....TP.
0400 |17-6C-14-30-91-2D-BA-70 9A-4A-A3-82-01-A5-30-82| .l.0.-.p.J....0.
0410 |01-A1-30-12-06-03-55-1D 13-01-01-FF-04-08-30-06| ..0...U.......0.
0420 |01-01-FF-02-01-00-30-1D 06-03-55-1D-0E-04-16-04| ......0...U.....
0430 |14-32-A6-11-B5-D9-2E-53 A1-46-51-79-23-DA-FB-C5| .2.....S.FQy#...
0440 |2E-05-42-FC-AE-30-4C-06 03-55-1D-20-04-45-30-43| ..B..0L..U. .E0C
0450 |30-41-06-0B-2B-06-01-04 01-81-9D-7B-04-01-02-30| 0A..+......{...0
0460 |32-30-30-06-08-2B-06-01 05-05-07-02-01-16-24-68| 200..+........$h
0470 |74-74-70-73-3A-2F-2F-77 77-77-2E-62-73-68-2D-67| ttps://www.bsh-g
0480 |72-6F-75-70-2E-63-6F-6D 2F-64-69-67-69-74-61-6C| roup.com/digital
0490 |2D-69-64-30-1F-06-03-55 1D-23-04-18-30-16-80-14| -id0...U.#..0...
04A0 |7D-21-10-D3-5F-DA-84-E8 CB-60-6C-CA-63-54-56-A4| }!.._....`l.cTV.
04B0 |A1-C0-EF-CB-30-0E-06-03 55-1D-0F-01-01-FF-04-04| ....0...U.......
04C0 |03-02-01-06-30-81-95-06 08-2B-06-01-05-05-07-01| ....0....+......
04D0 |01-04-81-88-30-81-85-30 4F-06-08-2B-06-01-05-05| ....0..0O..+....
04E0 |07-30-02-86-43-68-74-74 70-3A-2F-2F-70-6B-69-2D| .0..Chttp://pki-
04F0 |63-61-2D-64-65-76-2E-68 6F-6D-65-2D-63-6F-6E-6E| ca-dev.home-conn
0500 |65-63-74-2E-63-6F-6D-2F 33-37-33-31-38-33-36-30| ect.com/37318360
0510 |39-63-32-39-31-34-39-64 36-66-64-35-65-62-63-32| 9c29149d6fd5ebc2
0520 |31-62-32-38-66-62-38-35 30-32-06-08-2B-06-01-05| 1b28fb8502..+...
0530 |05-07-30-01-86-26-68-74 74-70-3A-2F-2F-70-6B-69| ..0..&http://pki
0540 |2D-6F-63-73-70-31-35-2D 64-65-76-2E-68-6F-6D-65| -ocsp15-dev.home
0550 |2D-63-6F-6E-6E-65-63-74 2E-63-6F-6D-30-55-06-03| -connect.com0U..
0560 |55-1D-1F-04-4E-30-4C-30 4A-A0-48-A0-46-86-44-68| U...N0L0J.H.F.Dh
0570 |74-74-70-3A-2F-2F-70-6B 69-2D-63-72-6C-2D-64-65| ttp://pki-crl-de
0580 |76-2E-68-6F-6D-65-2D-63 6F-6E-6E-65-63-74-2E-63| v.home-connect.c
0590 |6F-6D-2F-64-65-31-66-66 39-62-32-32-62-38-63-66| om/de1ff9b22b8cf
05A0 |65-30-62-62-64-36-62-32 32-36-39-32-30-34-62-34| e0bbd6b2269204b4
05B0 |37-39-62-30-05-06-03-2B 65-70-03-41-00-50-2F-DF| 79b0...+ep.A.P/.
05C0 |D3-40-63-A7-A7-FC-0A-2C B5-72-FA-30-AD-7B-1F-0E| .@c....,.r.0.{..
05D0 |F8-57-66-E3-12-35-2E-EF 3E-64-00-5F-50-9D-73-FC| .Wf..5..>d._P.s.
05E0 |17-F9-96-73-9B-7D-E1-43 44-65-BE-B7-28-98-8D-DC| ...s.}.CDe..(...
05F0 |F2-E0-40-4B-EB-FE-E3-E3 8B-B7-B4-6B-09         | ..@K.......k.
2023-03-29 21:31:14.725 DEBUG WebSocketClient(1)[5] TLS: HandshakeMessage:Certificate was received.
2023-03-29 21:31:14.731 DEBUG WebSocketClient(1)[5] TLS: Rebex.Net.TlsException: Received unsuitable server certificate.
   at ocowd.rrnhi.qjnft(Byte[] p0, Int32 p1, Int32 p2, tpcwu p3)
   at ocowd.rrnhi.cuufh(Byte[] p0, Int32 p1, Int32 p2)
   at ocowd.rlvgh.gvejn(Byte[] p0, Int32 p1, Int32 p2)
   at ocowd.rlvgh.kiwgm()
2023-03-29 21:31:14.732 INFO WebSocketClient(1)[5] TLS: Fatal Alert:UnexpectedMessage was sent.
2023-03-29 21:31:14.732 VERBOSE WebSocketClient(1)[5] TLS: Sent TLS packet:
0000 |15-03-03-00-02-02-0A                           | .......
2023-03-29 21:31:14.733 ERROR WebSocketClient(1)[5] HTTP: Error while sending request: Rebex.Net.TlsException: Received unsuitable server certificate.
---> Rebex.Net.TlsException: Received unsuitable server certificate.
   at ocowd.rrnhi.qjnft(Byte[] p0, Int32 p1, Int32 p2, tpcwu p3)
   at ocowd.rrnhi.cuufh(Byte[] p0, Int32 p1, Int32 p2)
   at ocowd.rlvgh.gvejn(Byte[] p0, Int32 p1, Int32 p2)
   at ocowd.rlvgh.kiwgm()
   --- End of inner exception stack trace ---
   at ocowd.rlvgh.kiwgm()
   at ocowd.rlvgh.bhoig()
   at ocowd.fmgwa.mlixy()
   at ocowd.fmgwa.egdtv()
   at Rebex.Net.TlsSocket.qnhsx()
   at Rebex.Net.TlsSocket.Negotiate()
   at ocowd.hbesd.bbgrz(ISocket p0, TlsCipher& p1)
   at ocowd.hbesd.xmpcv()
   at ocowd.fiwcw.lrocz()
   at ocowd.fiwcw.nwvdi(Boolean p0)
   at ocowd.fiwcw.hhvth()

commented Mar 30, 2023 by Lukas Pokorny (147k points)

> I guess it has nothing to do with the certificate validation, as i already played around with disabling it. Could you again help me out here, what could be the issue here?

Yes, this error occurred while processing the message with server's certificate, where it was found that the certificate was not suitable to be used with the selected TLS cipher, because the certificate's public key algorithm did not match the cipher's key algorithm. That again is against the relevant TLS specifications.

According to the ServerHello message, the server selected the following TLS cipher:

CC A9 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

That means ECDH key exchange with ECDSA certificate, SHA-256 hash algorithm and ChaCha20/Poly1305 symmetric encryption.

> How can i get hold of the server certificate for getting more details on it?

The check that failed occurs before certificate validation (the certificate is unacceptable, so there is no need to validate it), and unfortunately our API doesn't make it possible to get hold of the certificate in this case.
But with knowledge of the TLS message structure, I was able to parse it out of the verbose log using the following code:

string hex = @"16-03-03-05-F8-0B-00-05 F4-00-05-F1-00-02-C2-30
82-02-BE-30-82-02-70-A0 03-02-01-02-02-10-5B-80
09-DE-78-28-E0-08-87-B2 33-37-CF-FF-8A-B0-30-05
(...)
D3-40-63-A7-A7-FC-0A-2C B5-72-FA-30-AD-7B-1F-0E
17-F9-96-73-9B-7D-E1-43 44-65-BE-B7-28-98-8D-DC
F2-E0-40-4B-EB-FE-E3-E3 8B-B7-B4-6B-09";

hex = hex.Replace("\r", "");
using (var output = File.OpenWrite("cert.der"))
{
    for (int i = 15 * 3; i < 721 * 3; i += 3)
    {
        int v = Convert.ToInt32(hex.Substring(i, 2), 16);
        output.WriteByte((byte)v);
    }
}

And it turns out that the error message was right - the certificate is using "1.3.101.112" signature algorithm, which indicates Ed25519.

However, Ed25519 is an EdDSA algorithm, not an ECDSA algorithm, so it's indeed not suitable to be used with TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 cipher. Additionally, the ClientHello message did not indicate support for Ed25519 signature scheme, which means the server violated the TLS protocol twice in this single case.

Interestingly, a bit of searching revealed that there are indeed some TLS implementations that allow Ed25519 certificates to be used with TLS_ECDHE_ECDSA ciphers. But we would argue this is very wrong - it's really an EDDSA cipher, not an ECDSA cipher. We are not aware of any draft specification (let alone RFC) that would allow this. Yet there is actually a draft specification that adds Ed25519 support to TLS 1.2, but that involves addition of TLS_ECDHE_EDDSA ciphers such as TLS_ECDHE_EDDSA_WITH_CHACHA20_POLY1305: https://datatracker.ietf.org/doc/html/draft-josefsson-tls-eddsa-01

But this draft has been expired for more than 7 years. We don't support it, and it seems likely that the server doesn't support it either.

So where do we go from here? These are the possible options:

1) Use TLS 1.3 instead of TLS 1.2. TLS 1.3 already includes support for Ed25519, and our TLS 1.3 implementation already supports it. So if the server supports it as well, this should be the preferred solution.

2) Change the server certificate to one that uses ECDSA instead of EDDSA. This is another simple and correct solution.

3) Allow Ed25519 to be used with ECDSA ciphers in our TLS implementations. It looks like this would be quite simple, but would require us to add an opotion for it. And it's not right, despite some existing implementations allowing this combo.

4) Add support for TLS_ECDHE_EDDSA ciphers to our TLS implementation, and fix the server's TLS implementation to use this. This would be a correct solution, but it involves updating not only our TLS library, but also the servers's, which makes it problematic.

Also, it's worth noting that solutions (2), (3) and (4) have one major drawback - Windows and .NET don't support validation of Ed25519 certificates yet. That means that you would have to use a custom certificate validator instead of the operating system's.

commented Mar 30, 2023 by anonymous

commented Mar 30, 2023 by Lukas Pokorny (147k points)

> We came to the conclusion that 3.) would be the most suitable for us.
> Especially considering that OpenSSL and wolfSSL both are supporting it as well.

We did some testing and I can confirm that OpenSSL does indeed seem to support it. We already had a test server with OpenSSL for testing Ed25519 with TLS 1.3, and when we enabled TLS 1.2 as well, we were able to reproduce the "Received unsuitable server certificate" error, while OpenSSL client worked fine.

Further investigation revealed that OpenSSL actually uses Ed25519 signature scheme IDs defined by TLS 1.3 specification:
https://www.rfc-editor.org/rfc/rfc8446#page-42

I have been unable to find any RFC or draft specification that would allow this to be used in TLS 1.2 (even though TLS 1.3 does actually specify RSASSA-PSS for TLS 1.2, this does not apply to Ed25519). OpenSSL and wolfSSL are both quite common, so it looks like it does make sense to add this feature as an option, even though it seems to be a custom extension.

> What would be now the next steps for 3.)? Does somebody has to file in some CR? Can you help us with moving this forward?

We already added this into the list of possible enhancements for the forthcoming R7 release, but we'll first have to look into it a bit more thorougly to make sure enabling this is indeed as simple as it seems.

> Do you even have some clue, about what time-frame we are talking about? It would be interesting to get a rough idea in order to adapt our timeline and planning.

R7 is nearly finished and a preview build (supported in production) might be available in about two weeks. If enabling Ed25519 in TLS 1.2 turns out to be to be simple, we might have a build ready for testing in several days. The tasks left on R7 mostly concern TLS anyway (mostly new features for TLS 1.3 and some tweaks in TLS 1.2 to make it up-to-date), so this acually fits quite nicely into our plans. I'll let post an udpate on this on Monday or Tuesday!

commented Apr 4, 2023 by Lukas Pokorny (147k points)

commented Apr 14, 2023 by david.fehr (210 points)

commented Apr 14, 2023 by Lukas Pokorny (147k points)

commented Apr 17, 2023 by david.fehr (210 points)

Hi Lukas,

we tried the preview build. Again one step further :-)
But still not where we want to be.

Now it seems to be some issue with the server-certificate, where i'm not sure what to do next.
Could you support again? Here is the log-output:

[...]
2023-04-16 13:16:44.101 DEBUG WebSocketClient(1)[8] TLS: HandshakeMessage:ServerKeyExchange was received.
2023-04-16 13:16:44.101 VERBOSE WebSocketClient(1)[8] TLS: Received TLS packet:
0000 |16-03-03-00-28-0D-00-00 24-01-40-00-1E-06-03-05| ....(...$.@.....
0010 |03-04-03-02-03-08-07-08 06-08-0B-08-05-08-0A-08| ................
0020 |04-08-09-06-01-05-01-04 01-02-01-00-00         | .............
2023-04-16 13:16:44.101 DEBUG WebSocketClient(1)[8] TLS: HandshakeMessage:CertificateRequest was received.
2023-04-16 13:16:44.101 VERBOSE WebSocketClient(1)[8] TLS: Received TLS packet:
0000 |16-03-03-00-04-0E-00-00 00                     | .........
2023-04-16 13:16:44.101 DEBUG WebSocketClient(1)[8] TLS: HandshakeMessage:ServerHelloDone was received.
2023-04-16 13:16:44.104 DEBUG WebSocketClient(1)[8] TLS: Verifying server certificate ('Description=1.3.6.1.4.1.20219.4.2.1.2, CN=80011839420000440335000000065').
2023-04-16 13:16:44.105 DEBUG WebSocketClient(1)[8] TLS: Certificate verification result: Accept
2023-04-16 13:16:44.105 DEBUG WebSocketClient(1)[8] TLS: Verifying server key exchange signature.
2023-04-16 13:16:44.119 DEBUG WebSocketClient(1)[8] TLS: Using ephemeral ECDH public key exchange with Curve 25519.
2023-04-16 13:16:44.126 DEBUG WebSocketClient(1)[8] TLS: Client certificate authentication was requested.
2023-04-16 13:16:44.126 DEBUG WebSocketClient(1)[8] TLS: Suitable client certificate is available ('Description=1.3.6.1.4.1.20219.4.2.4.1, CN=bsh.com, O=BSH').
2023-04-16 13:16:44.130 VERBOSE WebSocketClient(1)[8] TLS: Sent TLS packet:
0000 |16-03-03-03-49-0B-00-03 45-00-03-42-00-03-3F-30| ....I...E..B..?0
0010 |82-03-3B-30-82-02-ED-A0 03-02-01-02-02-10-46-97| ..;0..........F.
0020 |AE-D0-E3-2C-A8-7A-50-77 E0-E2-EB-91-2E-8C-30-05| ...,.zPw......0.
0030 |06-03-2B-65-70-30-69-31 0B-30-09-06-03-55-04-06| ..+ep0i1.0...U..
0040 |13-02-44-45-31-1D-30-1B 06-03-55-04-0A-13-14-42| ..DE1.0...U....B
0050 |53-48-20-48-61-75-73-67 65-72-61-65-74-65-20-47| SH Hausgeraete G
0060 |6D-62-48-31-19-30-17-06 03-55-04-0B-13-10-50-72| mbH1.0...U....Pr
0070 |6F-64-75-63-74-20-53-65 63-75-72-69-74-79-31-20| oduct Security1
0080 |30-1E-06-03-55-04-03-13 17-44-45-56-20-53-65-72| 0...U....DEV Ser
0090 |76-69-63-65-20-41-63-63 65-73-73-20-43-41-20-31| vice Access CA 1
00A0 |30-1E-17-0D-32-33-30-33 32-39-31-30-33-32-35-33| 0...230329103253
00B0 |5A-17-0D-32-33-30-34-32 39-31-30-33-32-35-33-5A| Z..230429103253Z
00C0 |30-44-31-0C-30-0A-06-03 55-04-0A-13-03-42-53-48| 0D1.0...U....BSH
00D0 |31-10-30-0E-06-03-55-04 03-13-07-62-73-68-2E-63| 1.0...U....bsh.c
00E0 |6F-6D-31-22-30-20-06-03 55-04-0D-13-19-31-2E-33| om1"0 ..U....1.3
00F0 |2E-36-2E-31-2E-34-2E-31 2E-32-30-32-31-39-2E-34| .6.1.4.1.20219.4
0100 |2E-32-2E-34-2E-31-30-2A 30-05-06-03-2B-65-70-03| .2.4.10*0...+ep.
0110 |21-00-3A-90-07-96-92-02 46-DE-6C-15-8B-E0-E1-AE| !.:.....F.l.....
0120 |E4-4F-F7-07-56-E0-E7-87 B2-A6-66-94-29-1F-90-98| .O..V.....f.)...
0130 |99-C2-A3-82-01-CE-30-82 01-CA-30-13-06-03-55-1D| ......0...0...U.
0140 |25-04-0C-30-0A-06-08-2B 06-01-05-05-07-03-02-30| %..0...+.......0
0150 |11-06-03-55-1D-0E-04-0A 04-08-43-76-FC-06-4D-68| ...U......Cv..Mh
0160 |82-A9-30-4B-06-03-55-1D 20-04-44-30-42-30-40-06| ..0K..U. .D0B0@.
0170 |0B-2B-06-01-04-01-81-9D 7B-04-01-01-30-31-30-2F| .+......{...010/
0180 |06-08-2B-06-01-05-05-07 02-01-16-23-68-74-74-70| ..+........#http
0190 |73-3A-2F-2F-77-77-77-2E 62-73-68-67-72-6F-75-70| s://www.bshgroup
01A0 |2E-63-6F-6D-2F-64-69-67 69-74-61-6C-2D-69-64-30| .com/digital-id0
01B0 |12-06-03-55-1D-11-04-0B 30-09-82-07-62-73-68-2E| ...U....0...bsh.
01C0 |63-6F-6D-30-1F-06-03-55 1D-23-04-18-30-16-80-14| com0...U.#..0...
01D0 |9D-F3-B4-A3-3A-DE-62-0B 36-CC-62-56-EA-44-17-6A| ....:.b.6.bV.D.j
01E0 |B6-75-6B-4F-30-81-BD-06 08-2B-06-01-05-05-07-01| .ukO0....+......
01F0 |01-04-81-B0-30-81-AD-30 32-06-08-2B-06-01-05-05| ....0..02..+....
0200 |07-30-01-86-26-68-74-74 70-3A-2F-2F-70-6B-69-2D| .0..&http://pki-
0210 |6F-63-73-70-32-32-2D-64 65-76-2E-68-6F-6D-65-2D| ocsp22-dev.home-
0220 |63-6F-6E-6E-65-63-74-2E 63-6F-6D-30-77-06-08-2B| connect.com0w..+
0230 |06-01-05-05-07-30-02-86 6B-68-74-74-70-3A-2F-2F| .....0..khttp://
0240 |70-6B-69-2D-6F-63-73-70 32-32-2D-64-65-76-2E-68| pki-ocsp22-dev.h
0250 |6F-6D-65-2D-63-6F-6E-6E 65-63-74-2E-63-6F-6D-68| ome-connect.comh
0260 |74-74-70-3A-2F-2F-70-6B 69-2D-63-61-32-32-2D-64| ttp://pki-ca22-d
0270 |65-76-2E-68-6F-6D-65-2D 63-6F-6E-6E-65-63-74-2E| ev.home-connect.
0280 |63-6F-6D-2F-68-63-61-69 30-6F-78-61-72-33-71-61| com/hcai0oxar3qa
0290 |71-6C-31-36-70-73-31-64 71-63-63-71-7A-73-74-7A| ql16ps1dqccqzstz
02A0 |78-6E-75-37-30-0E-06-03 55-1D-0F-01-01-FF-04-04| xnu70...U.......
02B0 |03-02-07-80-30-4E-06-03 55-1D-1F-04-47-30-45-30| ....0N..U...G0E0
02C0 |43-A0-41-A0-3F-86-3D-68 74-74-70-3A-2F-2F-70-6B| C.A.?.=http://pk
02D0 |69-2D-63-72-6C-32-32-2D 64-65-76-2E-68-6F-6D-65| i-crl22-dev.home
02E0 |2D-63-6F-6E-6E-65-63-74 2E-63-6F-6D-2F-63-72-6C| -connect.com/crl
02F0 |2F-64-65-76-73-65-72-76 69-63-65-61-63-63-65-73| /devserviceacces
0300 |73-63-61-31-30-05-06-03 2B-65-70-03-41-00-62-F2| sca10...+ep.A.b.
0310 |44-5B-95-25-3A-93-95-5A A2-7A-7E-43-0F-D8-FC-EA| D[.%:..Z.z~C....
0320 |FD-73-FE-C2-B6-57-B1-FD 1C-3B-8B-B9-86-1D-00-45| .s...W...;.....E
0330 |DE-0A-B7-64-79-59-1D-45 08-E4-32-1E-00-0A-33-6E| ...dyY.E..2...3n
0340 |DE-6E-3E-A6-0D-E9-23-2D 9A-74-6A-61-52-03      | .n>...#-.tjaR.
2023-04-16 13:16:44.130 DEBUG WebSocketClient(1)[8] TLS: HandshakeMessage:Certificate was sent.
2023-04-16 13:16:44.131 VERBOSE WebSocketClient(1)[8] TLS: Sent TLS packet:
0000 |16-03-03-00-25-10-00-00 21-20-1B-9A-A2-9D-09-1C| ....%...! ......
0010 |0A-06-D7-27-8B-33-0A-13 BD-92-6A-FE-47-90-B6-75| ...'.3....j.G..u
0020 |1D-DA-B5-E5-F7-A3-94-77 2D-04                  | .......w-.
2023-04-16 13:16:44.131 DEBUG WebSocketClient(1)[8] TLS: HandshakeMessage:ClientKeyExchange was sent.
2023-04-16 13:16:44.140 INFO WebSocketClient(1)[8] TLS: Performing client certificate authentication.
2023-04-16 13:16:44.144 DEBUG WebSocketClient(1)[8] TLS: Error while processing TLS packet: System.NotSupportedException: The SignHash method is not supported for this key algorithm. Use SignMessage method instead.
   at Rebex.Security.Certificates.Certificate.SignHash(Byte[] hash, SignatureHashAlgorithm alg, Boolean silent)
   at csbmi.mmqvw.cahrn(Byte[] p0, Int32 p1, Int32 p2, hsjmr p3)
   at csbmi.mmqvw.vulda(Byte[] p0, Int32 p1, Int32 p2)
   at csbmi.lineq.gewas(Byte[] p0, Int32 p1, Int32 p2)
   at csbmi.lineq.vzjni()
2023-04-16 13:16:44.145 INFO WebSocketClient(1)[8] TLS: Fatal Alert:InternalError was sent.
2023-04-16 13:16:44.145 VERBOSE WebSocketClient(1)[8] TLS: Sent TLS packet:
0000 |15-03-03-00-02-02-50                           | ......P
2023-04-16 13:16:44.147 ERROR WebSocketClient(1)[8] HTTP: Error while sending request: Rebex.Net.TlsException: The SignHash method is not supported for this key algorithm. Use SignMessage method instead.
---> System.NotSupportedException: The SignHash method is not supported for this key algorithm. Use SignMessage method instead.
   at Rebex.Security.Certificates.Certificate.SignHash(Byte[] hash, SignatureHashAlgorithm alg, Boolean silent)
   at csbmi.mmqvw.cahrn(Byte[] p0, Int32 p1, Int32 p2, hsjmr p3)
   at csbmi.mmqvw.vulda(Byte[] p0, Int32 p1, Int32 p2)
   at csbmi.lineq.gewas(Byte[] p0, Int32 p1, Int32 p2)
   at csbmi.lineq.vzjni()
   --- End of inner exception stack trace ---
   at csbmi.lineq.vzjni()
   at csbmi.lineq.afqsn()
   at csbmi.jjdof.kzvts()
   at csbmi.jjdof.thgin()
   at Rebex.Net.TlsSocket.qmjat()
   at Rebex.Net.TlsSocket.Negotiate()
   at csbmi.mjxym.wcnrr(ISocket p0, TlsCipher& p1)
   at csbmi.mjxym.utcsv()
   at csbmi.cdedv.kapga()
   at csbmi.cdedv.rxbxt(Boolean p0)
   at csbmi.cdedv.ifuqy()
2023-04-16 13:16:44.152 ERROR WebSocketClient(1)[8] WebSocket: Error occurred: Rebex.Net.WebSocketException: An error occurred while opening the WebSocket.
---> csbmi.clagr: The SignHash method is not supported for this key algorithm. Use SignMessage method instead.
---> Rebex.Net.TlsException: The SignHash method is not supported for this key algorithm. Use SignMessage method instead.
---> System.NotSupportedException: The SignHash method is not supported for this key algorithm. Use SignMessage method instead.
   at Rebex.Security.Certificates.Certificate.SignHash(Byte[] hash, SignatureHashAlgorithm alg, Boolean silent)
   at csbmi.mmqvw.cahrn(Byte[] p0, Int32 p1, Int32 p2, hsjmr p3)
   at csbmi.mmqvw.vulda(Byte[] p0, Int32 p1, Int32 p2)
   at csbmi.lineq.gewas(Byte[] p0, Int32 p1, Int32 p2)
   at csbmi.lineq.vzjni()
   --- End of inner exception stack trace ---
   at csbmi.lineq.vzjni()
   at csbmi.lineq.afqsn()
   at csbmi.jjdof.kzvts()
   at csbmi.jjdof.thgin()
   at Rebex.Net.TlsSocket.qmjat()
   at Rebex.Net.TlsSocket.Negotiate()
   at csbmi.mjxym.wcnrr(ISocket p0, TlsCipher& p1)
   at csbmi.mjxym.utcsv()
   at csbmi.cdedv.kapga()
   at csbmi.cdedv.rxbxt(Boolean p0)
   at csbmi.cdedv.ifuqy()
   --- End of inner exception stack trace ---
   at csbmi.cdedv.ifuqy()
   at csbmi.ehcec.uihka.ajkpn()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at csbmi.ehcec.wlygr(Uri p0, unitj p1, ISocketFactory p2, WebSocketClientSettings p3, WebSocketClientOptions p4, TlsParameters p5, CancellationToken p6)
   --- End of inner exception stack trace ---
   at csbmi.ehcec.wlygr(Uri p0, unitj p1, ISocketFactory p2, WebSocketClientSettings p3, WebSocketClientOptions p4, TlsParameters p5, CancellationToken p6)
   at Rebex.Net.WebSocketClient.ConnectAsync(Uri uri, CancellationToken cancellationToken)

commented Apr 17, 2023 by Lukas Pokorny (147k points)

commented Apr 18, 2023 by david.fehr (210 points)

Here is the result of another test-run. This time it indicates a Unknown CA by the server. Not sure, if this has something to do with Rebex or rather with the server-authentication.

2023-04-18 08:28:47.825 DEBUG WebSocketClient(1)[7] TLS: HandshakeMessage:ServerKeyExchange was received.
2023-04-18 08:28:47.825 VERBOSE WebSocketClient(1)[7] TLS: Received TLS packet:
0000 |16-03-03-00-28-0D-00-00 24-01-40-00-1E-06-03-05| ....(...$.@.....
0010 |03-04-03-02-03-08-07-08 06-08-0B-08-05-08-0A-08| ................
0020 |04-08-09-06-01-05-01-04 01-02-01-00-00         | .............
2023-04-18 08:28:47.826 DEBUG WebSocketClient(1)[7] TLS: HandshakeMessage:CertificateRequest was received.
2023-04-18 08:28:47.826 VERBOSE WebSocketClient(1)[7] TLS: Received TLS packet:
0000 |16-03-03-00-04-0E-00-00 00                     | .........
2023-04-18 08:28:47.826 DEBUG WebSocketClient(1)[7] TLS: HandshakeMessage:ServerHelloDone was received.
2023-04-18 08:28:47.833 DEBUG WebSocketClient(1)[7] TLS: Verifying server certificate ('Description=1.3.6.1.4.1.20219.4.2.1.2, CN=80011839420000440335000000065').
2023-04-18 08:28:47.834 DEBUG WebSocketClient(1)[7] TLS: Certificate verification result: Accept
2023-04-18 08:28:47.835 DEBUG WebSocketClient(1)[7] TLS: Verifying server key exchange signature.
2023-04-18 08:28:47.846 DEBUG WebSocketClient(1)[7] TLS: Using ephemeral ECDH public key exchange with Curve 25519.
2023-04-18 08:28:47.853 DEBUG WebSocketClient(1)[7] TLS: Client certificate authentication was requested.
2023-04-18 08:28:47.854 DEBUG WebSocketClient(1)[7] TLS: Suitable client certificate is available ('Description=1.3.6.1.4.1.20219.4.2.4.1, CN=bsh.com, O=BSH').
2023-04-18 08:28:47.858 VERBOSE WebSocketClient(1)[7] TLS: Sent TLS packet:
0000 |16-03-03-03-49-0B-00-03 45-00-03-42-00-03-3F-30| ....I...E..B..?0
0010 |82-03-3B-30-82-02-ED-A0 03-02-01-02-02-10-46-97| ..;0..........F.
0020 |AE-D0-E3-2C-A8-7A-50-77 E0-E2-EB-91-2E-8C-30-05| ...,.zPw......0.
0030 |06-03-2B-65-70-30-69-31 0B-30-09-06-03-55-04-06| ..+ep0i1.0...U..
0040 |13-02-44-45-31-1D-30-1B 06-03-55-04-0A-13-14-42| ..DE1.0...U....B
0050 |53-48-20-48-61-75-73-67 65-72-61-65-74-65-20-47| SH Hausgeraete G
0060 |6D-62-48-31-19-30-17-06 03-55-04-0B-13-10-50-72| mbH1.0...U....Pr
0070 |6F-64-75-63-74-20-53-65 63-75-72-69-74-79-31-20| oduct Security1
0080 |30-1E-06-03-55-04-03-13 17-44-45-56-20-53-65-72| 0...U....DEV Ser
0090 |76-69-63-65-20-41-63-63 65-73-73-20-43-41-20-31| vice Access CA 1
00A0 |30-1E-17-0D-32-33-30-33 32-39-31-30-33-32-35-33| 0...230329103253
00B0 |5A-17-0D-32-33-30-34-32 39-31-30-33-32-35-33-5A| Z..230429103253Z
00C0 |30-44-31-0C-30-0A-06-03 55-04-0A-13-03-42-53-48| 0D1.0...U....BSH
00D0 |31-10-30-0E-06-03-55-04 03-13-07-62-73-68-2E-63| 1.0...U....bsh.c
00E0 |6F-6D-31-22-30-20-06-03 55-04-0D-13-19-31-2E-33| om1"0 ..U....1.3
00F0 |2E-36-2E-31-2E-34-2E-31 2E-32-30-32-31-39-2E-34| .6.1.4.1.20219.4
0100 |2E-32-2E-34-2E-31-30-2A 30-05-06-03-2B-65-70-03| .2.4.10*0...+ep.
0110 |21-00-3A-90-07-96-92-02 46-DE-6C-15-8B-E0-E1-AE| !.:.....F.l.....
0120 |E4-4F-F7-07-56-E0-E7-87 B2-A6-66-94-29-1F-90-98| .O..V.....f.)...
0130 |99-C2-A3-82-01-CE-30-82 01-CA-30-13-06-03-55-1D| ......0...0...U.
0140 |25-04-0C-30-0A-06-08-2B 06-01-05-05-07-03-02-30| %..0...+.......0
0150 |11-06-03-55-1D-0E-04-0A 04-08-43-76-FC-06-4D-68| ...U......Cv..Mh
0160 |82-A9-30-4B-06-03-55-1D 20-04-44-30-42-30-40-06| ..0K..U. .D0B0@.
0170 |0B-2B-06-01-04-01-81-9D 7B-04-01-01-30-31-30-2F| .+......{...010/
0180 |06-08-2B-06-01-05-05-07 02-01-16-23-68-74-74-70| ..+........#http
0190 |73-3A-2F-2F-77-77-77-2E 62-73-68-67-72-6F-75-70| s://www.bshgroup
01A0 |2E-63-6F-6D-2F-64-69-67 69-74-61-6C-2D-69-64-30| .com/digital-id0
01B0 |12-06-03-55-1D-11-04-0B 30-09-82-07-62-73-68-2E| ...U....0...bsh.
01C0 |63-6F-6D-30-1F-06-03-55 1D-23-04-18-30-16-80-14| com0...U.#..0...
01D0 |9D-F3-B4-A3-3A-DE-62-0B 36-CC-62-56-EA-44-17-6A| ....:.b.6.bV.D.j
01E0 |B6-75-6B-4F-30-81-BD-06 08-2B-06-01-05-05-07-01| .ukO0....+......
01F0 |01-04-81-B0-30-81-AD-30 32-06-08-2B-06-01-05-05| ....0..02..+....
0200 |07-30-01-86-26-68-74-74 70-3A-2F-2F-70-6B-69-2D| .0..&http://pki-
0210 |6F-63-73-70-32-32-2D-64 65-76-2E-68-6F-6D-65-2D| ocsp22-dev.home-
0220 |63-6F-6E-6E-65-63-74-2E 63-6F-6D-30-77-06-08-2B| connect.com0w..+
0230 |06-01-05-05-07-30-02-86 6B-68-74-74-70-3A-2F-2F| .....0..khttp://
0240 |70-6B-69-2D-6F-63-73-70 32-32-2D-64-65-76-2E-68| pki-ocsp22-dev.h
0250 |6F-6D-65-2D-63-6F-6E-6E 65-63-74-2E-63-6F-6D-68| ome-connect.comh
0260 |74-74-70-3A-2F-2F-70-6B 69-2D-63-61-32-32-2D-64| ttp://pki-ca22-d
0270 |65-76-2E-68-6F-6D-65-2D 63-6F-6E-6E-65-63-74-2E| ev.home-connect.
0280 |63-6F-6D-2F-68-63-61-69 30-6F-78-61-72-33-71-61| com/hcai0oxar3qa
0290 |71-6C-31-36-70-73-31-64 71-63-63-71-7A-73-74-7A| ql16ps1dqccqzstz
02A0 |78-6E-75-37-30-0E-06-03 55-1D-0F-01-01-FF-04-04| xnu70...U.......
02B0 |03-02-07-80-30-4E-06-03 55-1D-1F-04-47-30-45-30| ....0N..U...G0E0
02C0 |43-A0-41-A0-3F-86-3D-68 74-74-70-3A-2F-2F-70-6B| C.A.?.=http://pk
02D0 |69-2D-63-72-6C-32-32-2D 64-65-76-2E-68-6F-6D-65| i-crl22-dev.home
02E0 |2D-63-6F-6E-6E-65-63-74 2E-63-6F-6D-2F-63-72-6C| -connect.com/crl
02F0 |2F-64-65-76-73-65-72-76 69-63-65-61-63-63-65-73| /devserviceacces
0300 |73-63-61-31-30-05-06-03 2B-65-70-03-41-00-62-F2| sca10...+ep.A.b.
0310 |44-5B-95-25-3A-93-95-5A A2-7A-7E-43-0F-D8-FC-EA| D[.%:..Z.z~C....
0320 |FD-73-FE-C2-B6-57-B1-FD 1C-3B-8B-B9-86-1D-00-45| .s...W...;.....E
0330 |DE-0A-B7-64-79-59-1D-45 08-E4-32-1E-00-0A-33-6E| ...dyY.E..2...3n
0340 |DE-6E-3E-A6-0D-E9-23-2D 9A-74-6A-61-52-03      | .n>...#-.tjaR.
2023-04-18 08:28:47.858 DEBUG WebSocketClient(1)[7] TLS: HandshakeMessage:Certificate was sent.
2023-04-18 08:28:47.859 VERBOSE WebSocketClient(1)[7] TLS: Sent TLS packet:
0000 |16-03-03-00-25-10-00-00 21-20-19-D4-41-DE-0E-0C| ....%...! ..A...
0010 |70-BF-9D-31-F9-67-88-9A 0F-6C-1B-87-03-13-13-ED| p..1.g...l......
0020 |46-95-D5-CC-03-9F-26-12 83-05                  | F.....&...
2023-04-18 08:28:47.859 DEBUG WebSocketClient(1)[7] TLS: HandshakeMessage:ClientKeyExchange was sent.
2023-04-18 08:28:47.867 INFO WebSocketClient(1)[7] TLS: Performing client certificate authentication.
2023-04-18 08:28:47.872 VERBOSE WebSocketClient(1)[7] TLS: Sent TLS packet:
0000 |16-03-03-00-48-0F-00-00 44-08-07-00-40-C2-77-B6| ....H...D...@.w.
0010 |53-7F-C6-BD-CC-58-89-9D DE-65-3E-08-00-7B-33-C8| S....X...e>..{3.
0020 |60-3A-E0-9D-BC-BA-84-26 A7-87-B3-FC-6C-A3-9F-FA| `:.....&....l...
0030 |57-FF-AE-4A-BF-67-FA-4E D2-13-5A-94-09-19-29-23| W..J.g.N..Z...)#
0040 |C8-F4-7B-0C-8C-19-30-07 C9-02-CD-90-0B         | ..{...0......
2023-04-18 08:28:47.872 DEBUG WebSocketClient(1)[7] TLS: HandshakeMessage:CertificateVerify was sent.
2023-04-18 08:28:47.872 VERBOSE WebSocketClient(1)[7] TLS: Sent TLS packet:
0000 |14-03-03-00-01-01                              | ......
2023-04-18 08:28:47.872 DEBUG WebSocketClient(1)[7] TLS: CipherSpec:ChangeCipherSpec was sent.
2023-04-18 08:28:47.873 DEBUG WebSocketClient(1)[7] TLS: HandshakeMessage:Finished was sent.
2023-04-18 08:28:47.873 VERBOSE WebSocketClient(1)[7] TLS: Sent TLS packet:
0000 |16-03-03-00-10-14-00-00 0C-9E-53-AB-3A-07-E0-05| ..........S.:...
0010 |F7-DA-A4-95-D3                                 | .....
2023-04-18 08:28:47.879 VERBOSE WebSocketClient(1)[7] TLS: Received TLS packet:
0000 |15-03-03-00-02-02-30                           | ......0
2023-04-18 08:28:47.880 INFO WebSocketClient(1)[7] TLS: Fatal Alert:UnknownCa was received.
2023-04-18 08:28:47.885 DEBUG WebSocketClient(1)[7] TLS: Rebex.Net.TlsException: Fatal error 'UnknownCa' has been reported by the remote connection end.
   at jsssn.smwfm.vvpvi(Byte[] p0, Int32 p1, Int32 p2)
   at jsssn.nudyx.kruqh(Byte[] p0, Int32 p1, Int32 p2)
   at jsssn.nudyx.cpoti()
2023-04-18 08:28:47.892 ERROR WebSocketClient(1)[7] HTTP: Error while sending request: Rebex.Net.TlsException: Fatal error 'UnknownCa' has been reported by the remote connection end.
---> Rebex.Net.TlsException: Fatal error 'UnknownCa' has been reported by the remote connection end.
   at jsssn.smwfm.vvpvi(Byte[] p0, Int32 p1, Int32 p2)
   at jsssn.nudyx.kruqh(Byte[] p0, Int32 p1, Int32 p2)
   at jsssn.nudyx.cpoti()
   --- End of inner exception stack trace ---
   at jsssn.nudyx.cpoti()
   at jsssn.nudyx.ishsy()
   at jsssn.roaxg.spfcg()
   at jsssn.roaxg.hwdco()
   at Rebex.Net.TlsSocket.maycd()
   at Rebex.Net.TlsSocket.Negotiate()
   at jsssn.uawzw.gxloy(ISocket p0, TlsCipher& p1)
   at jsssn.uawzw.etwen()
   at jsssn.kxsxv.hawob()
   at jsssn.kxsxv.aqnpr(Boolean p0)
   at jsssn.kxsxv.jcbcp()
2023-04-18 08:28:47.897 ERROR WebSocketClient(1)[7] WebSocket: Error occurred: Rebex.Net.WebSocketException: An error occurred while opening the WebSocket.
---> jsssn.zsvrp: Fatal error 'UnknownCa' has been reported by the remote connection end.
---> Rebex.Net.TlsException: Fatal error 'UnknownCa' has been reported by the remote connection end.
---> Rebex.Net.TlsException: Fatal error 'UnknownCa' has been reported by the remote connection end.
   at jsssn.smwfm.vvpvi(Byte[] p0, Int32 p1, Int32 p2)
   at jsssn.nudyx.kruqh(Byte[] p0, Int32 p1, Int32 p2)
   at jsssn.nudyx.cpoti()
   --- End of inner exception stack trace ---
   at jsssn.nudyx.cpoti()
   at jsssn.nudyx.ishsy()
   at jsssn.roaxg.spfcg()
   at jsssn.roaxg.hwdco()
   at Rebex.Net.TlsSocket.maycd()
   at Rebex.Net.TlsSocket.Negotiate()
   at jsssn.uawzw.gxloy(ISocket p0, TlsCipher& p1)
   at jsssn.uawzw.etwen()
   at jsssn.kxsxv.hawob()
   at jsssn.kxsxv.aqnpr(Boolean p0)
   at jsssn.kxsxv.jcbcp()
   --- End of inner exception stack trace ---
   at jsssn.kxsxv.jcbcp()
   at jsssn.smkgo.cedww.bphdf()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at jsssn.smkgo.qwxwj(Uri p0, lymyy p1, ISocketFactory p2, WebSocketClientSettings p3, WebSocketClientOptions p4, TlsParameters p5, CancellationToken p6)
   --- End of inner exception stack trace ---
   at jsssn.smkgo.qwxwj(Uri p0, lymyy p1, ISocketFactory p2, WebSocketClientSettings p3, WebSocketClientOptions p4, TlsParameters p5, CancellationToken p6)
   at Rebex.Net.WebSocketClient.ConnectAsync(Uri uri, CancellationToken cancellationToken)

commented Apr 18, 2023 by Lukas Pokorny (147k points)

commented Apr 19, 2023 by david.fehr (210 points)

commented Apr 19, 2023 by Lukas Pokorny (147k points)

To pass the whole chain, you have to pass the whole chain to CertificateRequestHandler.CreateRequestHandler. To get the whole chain, you might try building it using CertificateChain.BuildFrom. That would normally be the preferred option (it would add the CA certificates if they are found in current user's certificate stores), but I'm not quite sure whether it would work for Ed25519 certificates, which are not supported by Windows API's yet.
So if that doesn't work (= it returns a chain with only a single certificate), you can construct the chain manually from the client certificate and the authorities

    // load the certificate
    var cert = Certificate.LoadDerWithKey(certPath, keyPath, password);

    // create the chain
    var chain = new CertificateChain(cert);

    // add intermediate CA certificates to the chain (in proper order)
    var caCert1 = Certificate.LoadDer(caCert1Path);
    chain.Add(caCert1);

    var caCert2 = Certificate.LoadDer(caCert2Path);
    chain.Add(caCert2);

    ...

    // create CertificateRequestHandler based on the chain

    client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(chain);

commented Apr 25, 2023 by david.fehr (210 points)

commented May 2, 2023 by Lukas Pokorny (147k points)

commented May 30, 2023 by david.fehr (210 points)

commented May 31, 2023 by Lukas Pokorny (147k points)

commented Jun 26, 2023 by david.fehr (210 points)

commented Jun 29, 2023 by Lukas Pokorny (147k points)

commented Aug 22, 2023 by david.fehr (210 points)

Hi Lukas,

finally we are now testing again our setup with the latest Rebex-Version + latest development with our IoT-device.

Unfortunately we receive some handshake error. See Rebexlog below.

We also did some trace with WireShark. One thing we noticed, is that maybe some signature algorithm is missing. We do need so something for ED25519, but only those are available:

Extension: signature_algorithms (len=18)
                Type: signature_algorithms (13)
                Length: 18
                Signature Hash Algorithms Length: 16
                Signature Hash Algorithms (8 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Algorithm: ecdsa_sha1 (0x0203)

We are following the approach mentioned here for integration: https://www.rebex.net/kb/simple-elliptic-curve-libraries/

Is there anything additional to consider? Do you have some extra advice, how the support for ED25519 can be enabled?

2023-08-21 17:39:01.205 INFO WebSocketClient(1)[13] WebSocket: Connecting to 'wss://192.168.217.2:28441/maintenance'...
2023-08-21 17:39:01.205 INFO WebSocketClient(1)[13] Info: Assembly: Rebex.WebSocket 7.0.8581 for .NET Core 3.1
2023-08-21 17:39:01.205 INFO WebSocketClient(1)[13] Info: Platform: macOS (Darwin 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:21:56 PDT 2023; root:xnu-8796.141.3~6/RELEASE_X86_64) 64-bit; CLR: .NET Core 3.1.32
2023-08-21 17:39:01.205 DEBUG WebSocketClient(1)[13] Info: Culture: en; windows-1252
2023-08-21 17:39:01.234 INFO WebSocketClient(1)[6] HTTP: Connecting to 'https://192.168.217.2:28441'...
2023-08-21 17:39:01.251 DEBUG WebSocketClient(1)[6] Proxy: Connecting to 192.168.217.2:28441 (no proxy).
2023-08-21 17:39:01.255 DEBUG WebSocketClient(1)[6] Proxy: Connection established.
2023-08-21 17:39:01.323 DEBUG WebSocketClient(1)[6] TLS: Using classic TLS core.
2023-08-21 17:39:01.333 DEBUG WebSocketClient(1)[6] TLS: Enabled cipher suites: 0x0C1F3CC32B000000.
2023-08-21 17:39:01.333 DEBUG WebSocketClient(1)[6] TLS: Applicable cipher suites: 0x0C1F3CC32B000000.
2023-08-21 17:39:01.457 VERBOSE WebSocketClient(1)[6] TLS: Sent TLS packet:
0000 |16-03-03-02-00-01-00-01 FC-03-03-64-E3-85-15-5D| ...........d...]
0010 |EF-AD-1F-86-35-B3-41-F2 B4-E7-D5-5B-7B-03-18-D9| ....5.A....[{...
0020 |13-61-91-B1-4A-79-1D-02 CD-F0-A3-00-00-26-C0-2B| .a..Jy.......&.+
0030 |C0-2F-C0-2C-C0-30-CC-A9 CC-A8-00-9E-00-9F-CC-AA| ./.,.0..........
0040 |C0-23-C0-27-C0-24-C0-28 00-67-00-6B-00-9C-00-9D| .#.'.$.(.g.k....
0050 |00-3C-00-3D-01-00-01-AD 00-00-00-12-00-10-00-00| .<.=............
0060 |0D-31-39-32-2E-31-36-38 2E-32-31-37-2E-32-00-17| .192.168.217.2..
0070 |00-00-FF-01-00-01-00-00 0A-00-08-00-06-00-1D-00| ................
0080 |17-00-18-00-0B-00-02-01 00-00-0D-00-12-00-10-04| ................
0090 |01-04-03-05-01-05-03-06 01-06-03-02-01-02-03-00| ................
00A0 |15-01-62-00-00-00-00-00 00-00-00-00-00-00-00-00| ..b.............
00B0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
00C0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
00D0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
00E0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
00F0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0100 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0110 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0120 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0130 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0140 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0150 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0160 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0170 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0180 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0190 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
01A0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
01B0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
01C0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
01D0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
01E0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
01F0 |00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00| ................
0200 |00-00-00-00-00                                 | .....
2023-08-21 17:39:01.459 DEBUG WebSocketClient(1)[6] TLS: HandshakeMessage:ClientHello was sent.
2023-08-21 17:39:01.466 VERBOSE WebSocketClient(1)[6] TLS: Received TLS packet:
0000 |15-03-03-00-02-02-28                           | ......(
2023-08-21 17:39:01.469 INFO WebSocketClient(1)[6] TLS: Fatal Alert:HandshakeFailure was received.
2023-08-21 17:39:01.475 DEBUG WebSocketClient(1)[6] TLS: Rebex.Net.TlsException: Fatal error 'HandshakeFailure' has been reported by the remote connection end.
   at rxohr.cklaq.ohtwy(Byte[] p0, Int32 p1, Int32 p2)
   at rxohr.drmdh.kkrxg(Byte[] p0, Int32 p1, Int32 p2)
   at rxohr.drmdh.cwoax()

commented Aug 22, 2023 by Lukas Pokorny (147k points)

How should i configure web socket client in order to connect to a secure web socket server ?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Categories

How should i configure web socket client in order to connect to a secure web socket server ?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Related questions

Categories