-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to connect over webockets with TLS (wss) from Firefox #1211
Comments
Thanks for the hints, I'll take a look. I'd suggest using libwebsockets 2.4.x, that has proved to be a pretty reliable version. |
Hi! I have uploaded a couple of filtered Wireshark captures to Firefox Send here one for Firefox not working and one for Chrome working. Chrome appears to be using Websockets over TLS, whereas Firefox appears to be using Websockets over http2. In the Firefox capture things seem to go awry at packet 34 when the Mosquitto host (192.168.3.28) sends RST_STREAM followed by GO_AWAY. The host client running firefox (192.168.3.23) replies with its own GO_AWAY (for the control stream?), and after that a TLS 'Close Notify' Alert. Then the Mosquitto host sends the TCP RST packets. I don't know how to get more debugging information without rebuilding Mosquitto and libwebsockets, so I don't have any insights into what is causing the Mosquitto host to reset the http2 stream. My impression is that something from Firefox is malformed/unexpected from the libwebsockets point of view and so libwebsockets responds by resetting the stream. I hope that is useful! |
Writing down the above led me to consider that it was a WSS over http/2 problem. So I recompiled libwebsockets-3.1 with http2 support disabled, and now it works! I can connect to my Mosquitto broker over WSS from Firefox and Chrome. |
@timothy-godfrey Are you able to try the current mosquitto |
Today, I download the last version of libwebsockets-3.2 and I compile it with http2 support. Next, I compile mosquitto (version 1.6.8). Result: Firefox(V71.0) does not want to use mqtt over wss. No trouble with Chrome! |
You can workaround this in firefox by setting This seems to be a bug in mosquitto, as the |
Just tested this with a connection to |
The problem seems to be be that libwebsockets claim to support http/2, so firefox tries that, |
@jonjonarnearne libwebsockets on test.mosquitto.org isn't compiled with http2 support, so if it's advertising it as available, that was a bug in libwebsockets. I use firefox all the time, and don't have a problem connecting to https://test.mosquitto.org/sys/ssl.html , for example - I haven't modified about:config. What is the best way for me to test this? One thing that may be causing an issue with lws, is that in more recent versions the WITH_EXTERNAL_POLL option is turned off by default, so Mosquitto does not receive any callbacks for the network traffic. |
@ralight It seems you are completely right. There must have been something wrong with my test setup when this connection failed on me. I'm sorry for the noise. |
This is an issue on my website where I use MQTT(wss) to show live data. The problem is, users of the website aren't going to dig to find out why, they'll just leave. |
I wiresharked some TLS websocket traffic to a server of ours that has this issue. Ubuntu 20.04, libwebsocket 3.2.1-3, mosquitto 1.6.12, compiled ourselves, using standard Ubuntu libs. Chromium never tries http2. Firefox does (by starting with Could be the I fixed it by putting an Nginx proxy in front of it, proxying using HTTP 1.1. I can afford it on this server, but it's not ideal, because you'll run into maximum number of connections, because of TCP ephemeral port exhaustion. |
@wiebeytec Is there anything special to reproduce it? The easiest you can make it for me so I don't have to guess anything would be great. The Ubuntu package doesn't have external poll support. I know there are problems around the 3.2.x versions, there are version specific fixes in Mosquitto to deal with them, but I know people have still had other problems with them. |
No, just use Ubuntu 20.04, install buildessential and libsockets-dev, compile 1.6.12 and use Firefox and look in the console (CTRL-SHIFT-K). I didn't save the error messages unfortunately. There may be a chance it only happens after a few messages. I don't have any other basis to say this than that our webapp got past the first step and then stalled. If you can't reproduce it, you can contact me privately, and I may be able to set up a dev server and have you connect to it. |
Hello everyone, what is the status of this issue? I'm having a project using mqtt over https. And our Firefox user have to use the about:config workaround in order to use the website 😞 |
Is there a reason Mosquitto should support HTTP2 websockets? It seems like unnecessary overhead. MQTT over websocket is already packing frames in frames. With HTTP2 it's frames in frames in frames. HTTP2 combines multiple requests into one connection to avoid connection overhead (and introduce new stalling problems). There is no reason for a MQTT web client to (repeatedly) open multiple connections to the same server, so packing data in yet an extra layer of frames seems like unnecessary overhead. |
I've been able to figure out the cause of the first part of the problem. Mosquitto uses the incorrect I'm afraid the only solution right now is to compile libwebsockets without http2 support. |
I ran into this problem as well in firefox and safari and, as stated above, the workaround was turning off http2. So if we already have mosquitto installed, do we have to remove libwebsockets and re install it without http2 support? As stated on libwebsockets website https://libwebsockets.org/lws-api-doc-main/html/md_READMEs_README_8build.html Have any other solutions to this been found? @ralight I saw you plan to move away from libwebsockets in favor of wslay. Is your recommendation to move to the mosquitto implementation using wslay? |
…ound eclipse-mosquitto#1211. Signed-off-by: Tom Parker <tparker@usgs.gov>
How can we utilize this newly merged commit to resolve this issue? |
The current Debian 11 package of Mosquitto (2.0.11-1) has this issue. |
I believe the option is to build mosquitto using cmake and turn libwebsockets http2 off but I have not done that yet, also checking that the polling is set to on in |
I have 2 running instances of Mosquitto and both exhibit this issue with FF. However both instances were installed via http://www.steves-internet-guide.com/install-mosquitto-linux/ basically using apt-get not using go/make i'm not really sure how to modify the currently installed versions when installed in that fashion to in turn disable http/2 to get around this issue. I don't want to keep telling people to use network.http.spdy.websockets false and would like to address this. |
To get around this issue you need to install a libwebsockets version compiled with http2 support disabled. If you are using Debian (or can switch to Debian) you just need to install both mosquitto 2.0.12 and libwebsockets 4.2.1 from http://repo.mosquitto.org (see the README). Please note that, due to issue #2322, on Debian 11 the libwebsockets dependency is not installed automatically as it should and you must download manually the correct libwebsockets18 for your platform and then install it using |
@Izerous do you have more than 30k clients? If not, you can install Nginx to proxy. You don't expose Mosquitto's websocket port, but use this example Nginx config to reach it:
If you do have more than 30k clients, you run into the TCP ephemeral port limit. You'll then have to work with multiple (bind) addresses. |
As of version 2.0.14, Debian packages from http://repo.mosquitto.org have this issue fixed. |
@jmico, I was quite excited to read your note about 2.0.14. However, installing the Ubuntu ppa from https://mosquitto.org/download/ (at the bottom), and installing 2.0.14, the problem is still there on Ubuntu 21.10 (Impish). Where did you find the package with the fix? |
As it is explained before to you need a libwebsockets compiled with http2 support disabled. On Debian I've got libwebsockets 4.2.1 installed automatically from http://repo.mosquitto.org and it works fine (the actual packages can be browsed at https://repo.mosquitto.org/debian/pool/main/libw/libwebsockets/). I can see on Ubuntu PPA that libwebsockets 4.2.1 package for 21.10 (Impish) is not available yet (the last one published is for 21.04). |
Apparently the issue still persists even with the latest version (2.0.15). Chrome seems to be no issue, but Firefox is still rejecting the connection. Any news on the issue and the libwebsockets package? It would be interesting to hear about the workarounds you guys used to make it work in the long haul (if that's the case). |
We've found putting Mosquitto behind a reverse proxy seems to solve this problem. It's a stop-gap solution though. |
Firefox has a bug preventing websockets being created with a server that uses http/2. Building libwebsockets without http/2 support fixes this issue for mosquitto. See eclipse-mosquitto/mosquitto#1211 (comment)
Firefox has a bug preventing websockets being created with a server that uses http/2. Building libwebsockets without http/2 support fixes this issue for mosquitto. See eclipse-mosquitto/mosquitto#1211 (comment)
Hello! |
Hi,
I'm running Mosquitto v1.5.8 with enabled websockets, but I'm unable to connect from Firefox when the broker is running over TLS. Strange thing is that It works from Chrome/Chromium. I tried both MQTT.js as well as Paho javascript client libraries with no success.
Connecting always ends with error
Firefox can’t establish a connection to the server at wss://localhost:9001/mqtt.
Environment:
Here is my broker configuration:
(When I comment the cafile, certfile and keyfile entries and thus running on ws:/ everything in Firefox works)
Here you can find GIST for JS Paho client: https://gist.github.com/stepanmracek/9b6d4a6ee9ef9d4d6efe738c069a9577
I always outputs following error to the console:
AMQJS0007E Socket error:undefined.
HINT
Therefore I'm suspecting that this is some regression in libwebsockets that is unfortunately reproducible only in Firefox.
The text was updated successfully, but these errors were encountered: