Why does my wss:// (WebSockets over SSL/TLS) connection immediately disconnect without giving any errors?

Problem description

Posting this for anybody else running across the same problem.

I was working on a browser client that used stanza.io to connect to an XMPP server (Prosody, in my case). I was using a wss:// connection by default. At some point during development, my client failed to connect at all - it would immediately disconnect silently, without providing any kind of useful error information.

There were no error logs, no error codes, no confirmation dialogs or bars, no indications of what might be wrong.

Recommended answer

After hours of debugging, I eventually found the problem; as I was messing around with the configuration of my XMPP server, I had re-generated the SSL certificates for the XMPPd. Since I was using self-signed certificates, this would cause an SSL error. Because I had visited that same URI over HTTPS before, I'd already manually approved the old self-signed certificate - but obviously that approval was no longer valid after regenerating the SSL certificate.

The key to the problem is this: If your SSL certificate causes a warning of any sort, wss:// WebSocket connections will immediately fail, and there is no canonical way to detect this.

As stated above, there appears to be no standardized way to even detect that this problem is occurring, let alone solve it. The best solution to this problem that I have been able to find is as follows:

  1. If the WebSocket disconnects prior to having received a login confirmation (XMPP-specific), try to make a plaintext ws:// (without SSL) connection to the non-SSL port.
  2. If the plaintext connection succeeds, this means that the server is up - thus the problem is with the SSL certificate. (If the plaintext connection also fails, the server is simply unavailable.)
  3. Display an error to the user, indicating that there was an SSL problem, and that they should check the certificate, with instructions on how to manually approve it.
  4. Provide a target="_blank" link to the wss:// URL, but replacing the protocol with https://. This might be Prosody-specific, but by visiting that URL you will see the SSL warning page. Prosody will display a text that starts with "It works!" after approving the certificate - if the server-side is a custom application, you should display a message saying that "the problem has been solved, you can close this tab now".
  5. In the background, in the main application, keep attempting to reconnect over wss:// every few seconds. Once a connection succeeds, this means the user has approved the certificate. Hide/remove the error and continue the normal connection/login process.

It's far from a smooth process, UX-wise, but it's the smoothest approach I've found. It is not possible to iframe the error page (this was one of my first ideas) - Chrome will refuse to load it at all, Firefox will hide the "Add exception" button, and I'd imagine other browsers exhibit similar behaviour.
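
The five-step fallback above, sketched as browser JavaScript. This is an added example, not code from the original answer or from stanza.io; the function names, result labels and timeouts are assumptions, and the plaintext probe only completes the handshake and sends nothing.

```javascript
// Added example; function names, result labels and timeouts are assumptions,
// not stanza.io or Prosody API.

// Step 4: the https:// URL where the user can inspect and approve the certificate.
function approvalUrl(wssUrl) {
  const u = new URL(wssUrl);
  if (u.protocol !== "wss:") throw new Error("expected a wss:// URL");
  u.protocol = "https:";
  return u.href;
}

// Open a socket and report only whether the handshake completed. Nothing is
// sent, so no credentials or stanzas travel over the plaintext probe.
function probe(url, WS, timeoutMs = 5000) {
  return new Promise((resolve) => {
    let ws, timer;
    const done = (result) => {
      clearTimeout(timer);
      ws.onopen = ws.onerror = ws.onclose = null;
      try { ws.close(); } catch (_) { /* already closed */ }
      resolve(result);
    };
    try { ws = new WS(url); } catch (_) { return resolve("blocked"); }
    timer = setTimeout(() => done("failed"), timeoutMs);
    ws.onopen = () => done("open");
    ws.onerror = ws.onclose = () => done("failed");
  });
}

// Steps 1-2: classify a wss:// connection that dropped without an error.
async function diagnose(wssUrl, wsUrl, WS = globalThis.WebSocket) {
  if ((await probe(wssUrl, WS)) === "open") return { status: "ok" };
  // An https:// page may not open ws:// at all (mixed content), so the
  // plaintext probe would say nothing about the server.
  const loc = globalThis.location;
  const plain = loc && loc.protocol === "https:" ? "blocked" : await probe(wsUrl, WS);
  if (plain === "open") return { status: "certificate", approve: approvalUrl(wssUrl) };
  return { status: plain === "blocked" ? "unknown" : "server-down" };
}

// Step 5: retry wss:// until it connects, i.e. the certificate was approved.
async function waitForApproval(wssUrl, WS = globalThis.WebSocket, intervalMs = 3000) {
  let attempts = 1;
  while ((await probe(wssUrl, WS)) !== "open") {
    await new Promise((r) => setTimeout(r, intervalMs));
    attempts++;
  }
  return attempts;
}
```

When `status` is `"certificate"`, show `approve` as the `target="_blank"` link from step 4 and call `waitForApproval` in the background.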
