TSSLWSocket (repost)

[plastkort 0]

hi!

  

I am currently testing out websockets with TSSLWSocket, since i cannot find a good component which is free to handle this i had to create one myself.. it works on some server but the server i need to make it work with says i have to request on server, not client. I did see there was an option called SSLMode which can be set to either client or server, when I set it to server, i get a connection, but i don't get any further answer from the server after this,..

 is there another eventhandler for the data or am I missing something else here ?

 

sidenote: i always get disconnected as well after a few seconds

 

[Angus Robertson 574]

SSLMode is used internally by ICS components, it's not something applications normally need to worry about.  It determines whether the application makes or receives SSL connections, so a client must be sslModeClient or nothing will work. 

 

Disconnection on idle connection is normal, unless you specify keep-alive, but don't know if that is part of the websockets specification. 

 

Angus

[plastkort 0]

5 hours ago, Angus Robertson said:

SSLMode is used internally by ICS components, it's not something applications normally need to worry about.  It determines whether the application makes or receives SSL connections, so a client must be sslModeClient or nothing will work. 

 

Disconnection on idle connection is normal, unless you specify keep-alive, but don't know if that is part of the websockets specification. 

 

Angus

 

Aha!

 

I don't really know what's going on here, but i compare with a chrome extension whats happening when i connect.. It says : 

GET wss://stream.bybit.com/realtime HTTP/1.1
Host: stream.bybit.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Upgrade: websocket
Origin: chrome-extension://pfdhoblngboilpfeibdedpjgfnlcodoo
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,nn;q=0.6,th;q=0.5
Sec-WebSocket-Key: DdNU4DODQxp7NlzjW2U5xQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

this extension works.. so i try to send the following from my program

SendStrLF(Format('GET %s HTTP/1.1', [TradeCouple]));
SendStrLF('Accept-Encoding: gzip, deflate, br');
SendStrLF('Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,nn;q=0.6,th;q=0.5');
SendStrLF('Cache-Control: no-cache');
SendStrLF('Connection: Upgrade');
SendStrLF('Host: stream.bybit.com');
SendStrLF('Origin: chrome-extension://pfdhoblngboilpfeibdedpjgfnlcodoo');
SendStrLF('Pragma: no-cache');
SendStrLF('Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits');
SendStrLF('Sec-WebSocket-Key: k1Yxf1UeGyDXhyKx2tmr9A==');
SendStrLF('Sec-WebSocket-Version: 13');
SendStrLF('Upgrade: websocket');
SendStrLF('User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36');

this does not work, server just replies error 301... .

really frustrating why its not working cause i can see no difference here 🙂

 

[Angus Robertson 574]

Can not really comment without knowing how are attempting to implement the protocol and undertstanding the protocol itself, and I don't have time now.

 

Angus

[FPiette 382]

Maybe SendStrLF is the culprit:HTTP protocol need CRLF and the end of each request header line. And an additional CRLF at the end of header. The the document must follow, if any.

 

 

[plastkort 0]

9 hours ago, FPiette said:

Maybe SendStrLF is the culprit:HTTP protocol need CRLF and the end of each request header line. And an additional CRLF at the end of header. The the document must follow, if any.

 

 

nope, extra CRLF did not help. the function SendStrLF is just Sendstr procedure which just auto adds #13#10 to end of every line.. just to make it more readable...

 

this connection works on another websocket service I used perfectly. however the answer from the support team was a bit cryptic to me when i don't really know all the tech stuff on SSL, but basically its just json communication over SSL socket...

 

theire team answered this, which maybe a clue to whats happening ? 

 

"We do not allow Cross-origin resource sharing (CORS) on our WebSocket API. Kindly use the server end to subscribe our Websocket API directly"

[Angus Robertson 574]

6 hours ago, plastkort said:

"We do not allow Cross-origin resource sharing (CORS) on our WebSocket API. Kindly use the server end to subscribe our Websocket API directly"

I think that says the client can not access their Websocket API, only the server is allowed to do so.  A common security measure.  Maybe you need an account with whoever offers that Websocket API?

 

Angus

[plastkort 0]

5 hours ago, Angus Robertson said:

I think that says the client can not access their Websocket API, only the server is allowed to do so.  A common security measure.  Maybe you need an account with whoever offers that Websocket API?

 

Angus

I got a littlebit further now, but it seems im getting socketerror 10053 now, not sure where the culprit is here . but I will do some digging

 

[Angus Robertson 574]

10053 is aborted, can mean SSL negotiation failed or server does not like you.

 

Angus

[plastkort 0]

4 minutes ago, Angus Robertson said:

10053 is aborted, can mean SSL negotiation failed or server does not like you.

 

Angus

obviously it does not like me.. Connection gets established, but it just immediately disconnects me.. i don't recevive a single byte from the server... the other server i used (bitmex) works like a charm,. but this "bybit" does not communicate.. im not sure what the difference is... websocket testing works normally.

 

i am not sure if there is any properties i need to change which i missed

 

[Angus Robertson 574]

My ICS web server has a long list of IP addresses it does not like, essentially anyone that tries to access a php, pl, sql (or various other) page on my sites,  it holds the connection for one minute and then aborts it, to try and stop them making dozens of attempts a second.  Of course hackers know all the tricks. 

 

Angus

[plastkort 0]

ok, but this gets disconnected instantly, the onconnect and ondisconnect gets triggered, but thats it

 

it works fine ifi try another service to connect

[plastkort 0]

after some digging, I decided to test indy, which gave some other error message

 

Project Project17.exe raised exception class EIdOSSLUnderlyingCryptoError with message 'Error connecting with SSL.
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'.

 

what do i need to set in the SSLContext to get compatibility?

[plastkort 0]

A bit more digging, obviously there are properties i need to set i think, but which one... 

 

using linux plus gnutls-cli gave these results : 

 

root@debian:/var/www/html# gnutls-cli stream.bybit.com:443
Processed 128 CA certificate(s).
Resolving 'stream.bybit.com:443'...
Connecting to '143.204.47.65:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.bybit.com', issuer `CN=Amazon,OU=Server CA 1B,O=Amazon,C=US', serial 0x0383cade2595390d1e981419f44bf25f, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-10-13 00:00:00 UTC', expires `2019-11-13 12:00:00 UTC', pin-sha256="7mhRzLK5Z7Q+sqQckWvcD8HwrOOA4L79f7roFhuTMqc="
        Public Key ID:
                sha1:9503e077751ee70cd099b80c3e87e725a6a3ba68
                sha256:ee6851ccb2b967b43eb2a41c916bdc0fc1f0ace380e0befd7fbae8161b9332a7
        Public Key PIN:
                pin-sha256:7mhRzLK5Z7Q+sqQckWvcD8HwrOOA4L79f7roFhuTMqc=

- Certificate[1] info:
 - subject `CN=Amazon,OU=Server CA 1B,O=Amazon,C=US', issuer `CN=Amazon Root CA 1,O=Amazon,C=US', serial 0x067f94578587e8ac77deb253325bbc998b560d, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-22 00:00:00 UTC', expires `2025-10-19 00:00:00 UTC', pin-sha256="JSMzqOOrtyOT1kmau6zKhgT676hGgczD5VMdRMyJZFA="
- Certificate[2] info:
 - subject `CN=Amazon Root CA 1,O=Amazon,C=US', issuer `CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US', serial 0x067f944a2a27cdf3fac2ae2b01f908eeb9c4c6, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-05-25 12:00:00 UTC', expires `2037-12-31 01:00:00 UTC', pin-sha256="++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI="
- Certificate[3] info:
 - subject `CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US', issuer `OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US', serial 0x00a70e4a4c3482b77f, RSA key 2048 bits, signed using RSA-SHA256, activated `2009-09-02 00:00:00 UTC', expires `2034-06-28 17:39:16 UTC', pin-sha256="KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM)
- Session ID: E7:38:E2:7E:73:4B:E7:6C:46:1B:40:82:C5:79:B9:83:39:1C:70:E7:40:69:D2:51:9E:AB:E3:60:6B:83:02:30
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

GET wss://stream.bybit.com/realtime HTTP/1.1
Host: stream.bybit.com
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13

HTTP/1.1 101 Switching Protocols
Connection: upgrade
Date: Thu, 29 Aug 2019 21:39:13 GMT
Upgrade: websocket
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
X-Cache: Miss from cloudfront
Via: 1.1 f00e3524edcdf61801454f2bb21e71ce.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: OSL50-C1
X-Amz-Cf-Id: pF49hcINxgI6bYbor7C0cWbdBq8Q53_CA9kJ36JmwYi41ZIv2PPSyQ==

 

Edited August 29, 2019 by plastkort

[Angus Robertson 574]

OpenSSL connection errors simply mean some aspect of protocol negotiation has failed, they almost never tell you why or how to fix it. 

 

I would make sure you set-up the SslContext similarly to InitSsl in OverbyteIcsSslHttpRest;.pas which is current best practice. Note SslCliSecurity in particular, which does all the hard for you in setting protocols, security and ciphers.

 

Angus

 

[plastkort 0]

10 hours ago, Angus Robertson said:

OpenSSL connection errors simply mean some aspect of protocol negotiation has failed, they almost never tell you why or how to fix it. 

 

I would make sure you set-up the SslContext similarly to InitSsl in OverbyteIcsSslHttpRest;.pas which is current best practice. Note SslCliSecurity in particular, which does all the hard for you in setting protocols, security and ciphers.

 

Angus

 

thanks. I will try this