plastkort 0 Posted August 26, 2019

Hi! I am currently testing out websockets with TSSLWSocket; since I cannot find a good component which is free to handle this, I had to create one myself. It works on some servers, but the server I need to make it work with says I have to request on server, not client. I did see there was an option called SSLMode which can be set to either client or server. When I set it to server, I get a connection, but I don't get any further answer from the server after this. Is there another event handler for the data, or am I missing something else here?

Sidenote: I always get disconnected as well after a few seconds.
Angus Robertson 574 Posted August 27, 2019

SSLMode is used internally by ICS components; it's not something applications normally need to worry about. It determines whether the application makes or receives SSL connections, so a client must be sslModeClient or nothing will work. Disconnection on an idle connection is normal, unless you specify keep-alive, but I don't know if that is part of the websockets specification.

Angus
plastkort 0 Posted August 27, 2019

5 hours ago, Angus Robertson said:
SSLMode is used internally by ICS components; it's not something applications normally need to worry about. It determines whether the application makes or receives SSL connections, so a client must be sslModeClient or nothing will work. Disconnection on an idle connection is normal, unless you specify keep-alive, but I don't know if that is part of the websockets specification. Angus

Aha! I don't really know what's going on here, but I compared with a Chrome extension what happens when I connect. It says:

GET wss://stream.bybit.com/realtime HTTP/1.1
Host: stream.bybit.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Upgrade: websocket
Origin: chrome-extension://pfdhoblngboilpfeibdedpjgfnlcodoo
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,nn;q=0.6,th;q=0.5
Sec-WebSocket-Key: DdNU4DODQxp7NlzjW2U5xQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

This extension works.

So I try to send the following from my program:

SendStrLF(Format('GET %s HTTP/1.1', [TradeCouple]));
SendStrLF('Accept-Encoding: gzip, deflate, br');
SendStrLF('Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,nn;q=0.6,th;q=0.5');
SendStrLF('Cache-Control: no-cache');
SendStrLF('Connection: Upgrade');
SendStrLF('Host: stream.bybit.com');
SendStrLF('Origin: chrome-extension://pfdhoblngboilpfeibdedpjgfnlcodoo');
SendStrLF('Pragma: no-cache');
SendStrLF('Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits');
SendStrLF('Sec-WebSocket-Key: k1Yxf1UeGyDXhyKx2tmr9A==');
SendStrLF('Sec-WebSocket-Version: 13');
SendStrLF('Upgrade: websocket');
SendStrLF('User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36');

This does not work; the server just replies error 301. Really frustrating why it's not working, because I can see no difference here 🙂
Angus Robertson 574 Posted August 27, 2019

Can not really comment without knowing how you are attempting to implement the protocol and understanding the protocol itself, and I don't have time now.

Angus
FPiette 383 Posted August 27, 2019

Maybe SendStrLF is the culprit: the HTTP protocol needs CRLF at the end of each request header line, and an additional CRLF at the end of the header. Then the document must follow, if any.
plastkort 0 Posted August 28, 2019

9 hours ago, FPiette said:
Maybe SendStrLF is the culprit: the HTTP protocol needs CRLF at the end of each request header line, and an additional CRLF at the end of the header. Then the document must follow, if any.

Nope, an extra CRLF did not help. The function SendStrLF is just the SendStr procedure, which auto-adds #13#10 to the end of every line, just to make it more readable. This connection works perfectly on another websocket service I used. However, the answer from the support team was a bit cryptic to me, as I don't really know all the tech stuff on SSL, but basically it's just JSON communication over an SSL socket. Their team answered this, which may be a clue to what's happening?

"We do not allow Cross-origin resource sharing (CORS) on our WebSocket API. Kindly use the server end to subscribe our Websocket API directly"
Angus Robertson 574 Posted August 28, 2019

6 hours ago, plastkort said:
"We do not allow Cross-origin resource sharing (CORS) on our WebSocket API. Kindly use the server end to subscribe our Websocket API directly"

I think that says the client can not access their Websocket API, only the server is allowed to do so. A common security measure. Maybe you need an account with whoever offers that Websocket API?

Angus
plastkort 0 Posted August 28, 2019

5 hours ago, Angus Robertson said:
I think that says the client can not access their Websocket API, only the server is allowed to do so. A common security measure. Maybe you need an account with whoever offers that Websocket API? Angus

I got a little bit further now, but it seems I'm getting socket error 10053 now; not sure where the culprit is here, but I will do some digging.
Angus Robertson 574 Posted August 28, 2019

10053 is aborted; it can mean SSL negotiation failed or the server does not like you.

Angus
plastkort 0 Posted August 28, 2019

4 minutes ago, Angus Robertson said:
10053 is aborted; it can mean SSL negotiation failed or the server does not like you. Angus

Obviously it does not like me. The connection gets established, but it just immediately disconnects me; I don't receive a single byte from the server. The other server I used (bitmex) works like a charm, but this "bybit" does not communicate. I'm not sure what the difference is; websocket testing works normally. I am not sure if there are any properties I need to change which I missed.
Angus Robertson 574 Posted August 28, 2019

My ICS web server has a long list of IP addresses it does not like, essentially anyone that tries to access a php, pl, sql (or various other) page on my sites; it holds the connection for one minute and then aborts it, to try and stop them making dozens of attempts a second. Of course hackers know all the tricks.

Angus
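The block list Angus describes is built from requests for script pages that a site never serves. As an added example (not ICS code and not Angus's server), the following Python derives such a list from web server access-log lines: it parses Common Log Format records, marks requests whose path ends in a script or dump extension as probes, and reports the client addresses that cross a threshold. The log lines, addresses and extension list are constructed for the example.

```python
import re

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Extensions a static site never serves; a request for one is a scanner probe.
# Constructed list; tune it to what your own site actually serves.
PROBE_EXTENSIONS = (".php", ".pl", ".sql", ".asp", ".aspx", ".cgi")

# Constructed sample log: one scanner, one normal visitor, one single probe.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Aug/2019:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196
203.0.113.7 - - [28/Aug/2019:10:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196
203.0.113.7 - - [28/Aug/2019:10:00:02 +0000] "GET /backup.sql?download=1 HTTP/1.1" 404 196
198.51.100.4 - - [28/Aug/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [28/Aug/2019:10:00:06 +0000] "GET /images/logo.png HTTP/1.1" 200 8192
192.0.2.9 - - [28/Aug/2019:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196
"""


def parse_line(line: str):
    """Return the fields of one CLF record as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path: str) -> bool:
    """True if the request path (query string ignored, case-insensitive) targets a probe extension."""
    bare = path.split("?", 1)[0].lower()
    return bare.endswith(PROBE_EXTENSIONS)


def probing_clients(log_text: str, threshold: int = 2):
    """Return [(ip, probe_count), ...] for clients with at least `threshold`
    probe requests, most active first (ties broken by address)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    flagged = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in probing_clients(SAMPLE_LOG):
        print(f"{ip}: {n} probe requests")
```

The threshold is there so that one stray request does not earn a block; what to do with a flagged address (tarpit it as Angus does, or just drop it) is a separate policy decision.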
plastkort 0 Posted August 28, 2019

OK, but this gets disconnected instantly; the OnConnect and OnDisconnect events get triggered, but that's it. It works fine if I try another service to connect.
plastkort 0 Posted August 29, 2019

After some digging, I decided to test Indy, which gave some other error message:

Project Project17.exe raised exception class EIdOSSLUnderlyingCryptoError with message 'Error connecting with SSL. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'.

What do I need to set in the SSLContext to get compatibility?
plastkort 0 Posted August 29, 2019 (edited)

A bit more digging; obviously there are properties I need to set, I think, but which one... Using Linux plus gnutls-cli gave these results:

root@debian:/var/www/html# gnutls-cli stream.bybit.com:443
Processed 128 CA certificate(s).
Resolving 'stream.bybit.com:443'...
Connecting to '143.204.47.65:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.bybit.com', issuer `CN=Amazon,OU=Server CA 1B,O=Amazon,C=US', serial 0x0383cade2595390d1e981419f44bf25f, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-10-13 00:00:00 UTC', expires `2019-11-13 12:00:00 UTC', pin-sha256="7mhRzLK5Z7Q+sqQckWvcD8HwrOOA4L79f7roFhuTMqc="
        Public Key ID:
                sha1:9503e077751ee70cd099b80c3e87e725a6a3ba68
                sha256:ee6851ccb2b967b43eb2a41c916bdc0fc1f0ace380e0befd7fbae8161b9332a7
        Public Key PIN:
                pin-sha256:7mhRzLK5Z7Q+sqQckWvcD8HwrOOA4L79f7roFhuTMqc=
- Certificate[1] info:
 - subject `CN=Amazon,OU=Server CA 1B,O=Amazon,C=US', issuer `CN=Amazon Root CA 1,O=Amazon,C=US', serial 0x067f94578587e8ac77deb253325bbc998b560d, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-22 00:00:00 UTC', expires `2025-10-19 00:00:00 UTC', pin-sha256="JSMzqOOrtyOT1kmau6zKhgT676hGgczD5VMdRMyJZFA="
- Certificate[2] info:
 - subject `CN=Amazon Root CA 1,O=Amazon,C=US', issuer `CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US', serial 0x067f944a2a27cdf3fac2ae2b01f908eeb9c4c6, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-05-25 12:00:00 UTC', expires `2037-12-31 01:00:00 UTC', pin-sha256="++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI="
- Certificate[3] info:
 - subject `CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US', issuer `OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US', serial 0x00a70e4a4c3482b77f, RSA key 2048 bits, signed using RSA-SHA256, activated `2009-09-02 00:00:00 UTC', expires `2034-06-28 17:39:16 UTC', pin-sha256="KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM)
- Session ID: E7:38:E2:7E:73:4B:E7:6C:46:1B:40:82:C5:79:B9:83:39:1C:70:E7:40:69:D2:51:9E:AB:E3:60:6B:83:02:30
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

GET wss://stream.bybit.com/realtime HTTP/1.1
Host: stream.bybit.com
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13

HTTP/1.1 101 Switching Protocols
Connection: upgrade
Date: Thu, 29 Aug 2019 21:39:13 GMT
Upgrade: websocket
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
X-Cache: Miss from cloudfront
Via: 1.1 f00e3524edcdf61801454f2bb21e71ce.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: OSL50-C1
X-Amz-Cf-Id: pF49hcINxgI6bYbor7C0cWbdBq8Q53_CA9kJ36JmwYi41ZIv2PPSyQ==

Edited August 29, 2019 by plastkort
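The gnutls-cli session above shows a complete RFC 6455 opening handshake: the client key dGhlIHNhbXBsZSBub25jZQ== is the sample nonce from the RFC, and the server's Sec-WebSocket-Accept s3pPLMBiTxaQ9kYGzzhZRbK+xOo= is the value the RFC derives from it. As an added example (not code from this thread and not an ICS routine), the Python below builds the upgrade request the way FPiette describes, with CRLF after every header line and a second CRLF closing the header block, and then checks the server's reply the way a careful client should: status 101, Upgrade and Connection headers present, and Sec-WebSocket-Accept equal to base64(SHA-1(key + GUID)). A reply that fails any of those checks (the 301 seen earlier in the thread, for instance) is rejected with the reason, rather than being treated as an open socket. The host, path and sample response are taken from the transcript; the 16-byte random key is generated per RFC 6455.

```python
import base64
import hashlib
import os

# GUID fixed by RFC 6455 section 1.3; the server appends it to the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_key() -> str:
    """Fresh 16-byte nonce, base64-encoded, as Sec-WebSocket-Key requires."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key: str) -> str:
    """Value a conforming server must return in Sec-WebSocket-Accept for `key`."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host: str, path: str, key: str, origin: str = "") -> bytes:
    """Client upgrade request. Every header line ends in CRLF and the header
    block is terminated by an empty line, i.e. a final CRLF CRLF."""
    lines = [
        f"GET {path} HTTP/1.1",   # request-target is the resource path
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if origin:
        lines.append(f"Origin: {origin}")
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n"


def check_handshake_response(raw: bytes, key: str) -> dict:
    """Parse the server reply and verify it is a valid 101 for our key.

    Returns the lower-cased header map on success; raises ValueError naming
    the failed check otherwise, so the caller can log why the upgrade failed.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block (no terminating blank line)")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "HTTP/1.1" or parts[1] != "101":
        raise ValueError(f"not a 101 Switching Protocols: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        raise ValueError("missing or wrong Upgrade header")
    if "upgrade" not in headers.get("connection", "").lower():
        raise ValueError("Connection header does not contain 'upgrade'")
    if headers.get("sec-websocket-accept") != expected_accept(key):
        raise ValueError("Sec-WebSocket-Accept does not match our key")
    return headers


# Sample exchange built from the gnutls-cli transcript (RFC 6455 sample key).
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Connection: upgrade\r\n"
    b"Upgrade: websocket\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_handshake("stream.bybit.com", "/realtime", SAMPLE_KEY).decode("ascii"))
    print(check_handshake_response(SAMPLE_RESPONSE, SAMPLE_KEY))
```

Checking the accept value against the key you sent is what ties the reply to your own request; a proxy or unrelated HTTP response cannot satisfy it by accident.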
Angus Robertson 574 Posted August 30, 2019

OpenSSL connection errors simply mean some aspect of protocol negotiation has failed; they almost never tell you why or how to fix it. I would make sure you set up the SslContext similarly to InitSsl in OverbyteIcsSslHttpRest.pas, which is current best practice. Note SslCliSecurity in particular, which does all the hard work for you in setting protocols, security and ciphers.

Angus
plastkort 0 Posted August 30, 2019

10 hours ago, Angus Robertson said:
OpenSSL connection errors simply mean some aspect of protocol negotiation has failed; they almost never tell you why or how to fix it. I would make sure you set up the SslContext similarly to InitSsl in OverbyteIcsSslHttpRest.pas, which is current best practice. Note SslCliSecurity in particular, which does all the hard work for you in setting protocols, security and ciphers. Angus

Thanks. I will try this.
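Angus's advice is to let a known-good routine choose protocol versions, ciphers and verification settings instead of configuring them piecemeal. As an added example (not ICS code and not the InitSsl or SslCliSecurity routine he refers to), the Python below shows the same idea with the standard ssl module: a client context that refuses anything below TLS 1.2, verifies the certificate chain and hostname, disables TLS compression, and sends the server name (SNI) on every connection. A handshake_failure alert such as the error:14094410 seen earlier in the thread means the server rejected the ClientHello; common causes are that no protocol version or cipher suite was acceptable to both sides, or that the client sent no server name. The gnutls-cli session above negotiated TLS 1.2 with an ECDHE key exchange and AES-128-GCM, so a client that offers at least that and sends SNI has the ingredients that session had. The probe function reports what was negotiated, much like the gnutls-cli "Description" line, and is only run when a host is given on the command line; the context builder itself runs offline.

```python
import socket
import ssl
import sys


def make_client_context() -> ssl.SSLContext:
    """Client context with the settings a modern server expects."""
    ctx = ssl.create_default_context()            # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1 outright
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression is never wanted
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Report the security-relevant settings of a context as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "check_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def tls_probe(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect, complete the TLS handshake and report what was negotiated.

    Raises ssl.SSLError on a failed handshake (for example a handshake_failure
    alert from the server) and ssl.SSLCertVerificationError on an untrusted
    chain or a hostname mismatch, instead of silently carrying on.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname both sends SNI and is the name the certificate is checked against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(attr[0] for attr in cert["subject"]),
                "issuer": dict(attr[0] for attr in cert["issuer"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    print(context_summary(make_client_context()))
    if len(sys.argv) > 1:
        # e.g. python thisfile.py stream.bybit.com
        print(tls_probe(sys.argv[1]))
```

When a handshake fails with a bare alert, comparing this probe's output (or gnutls-cli's) against what your own client offers is usually the quickest way to see which side is missing a version, a suite or the server name.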