Re: [hybi] Client certificate authentication for WSS websockets using twisted and autobahn

Takeshi Yoshino <tyoshino@google.com> Tue, 14 May 2013 08:56 UTC

From: Takeshi Yoshino <tyoshino@google.com>
Date: Tue, 14 May 2013 17:55:49 +0900
Message-ID: <CAH9hSJZLqsL0ANUxcVSLeeLbAFpY9JfXQzgrSgwwiDB6YOVZ7w@mail.gmail.com>
To: Marc Mühlbauer <muehlbauer.marc@googlemail.com>
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Client certificate authentication for WSS websockets using twisted and autobahn

On Mon, May 13, 2013 at 6:17 PM, Marc Mühlbauer <muehlbauer.marc@googlemail.com> wrote:

> I'm currently facing an issue while implementing client certificate
> authentication for the use of secure websockets using the twisted and
> autobahn python libraries.
>
> Following the instructions of Tobias Oberstein, the CEO of Tavendo, which
> hosts the autobahn library, I managed to get the authentication working in
> IE 10 (at
> http://stackoverflow.com/questions/16234429/how-can-i-setup-an-autobahn-pub-sub-server-and-a-autobahn-webserver-listening-on
> you can see the conversation and part of my source code).
>
> The problem seems to be, as far as I can tell, that the security context
> of the SSL session is not used for the access to the websocket. In other
> words: if I authenticate with a client certificate to retrieve the page
> running on https://, Firefox and Chrome don't ask me again to
> authenticate for the use of the secure websocket and also don't use the
> recent authentication for that. This means the client is not authenticated
> and hence isn't allowed to use the websocket.
>

Chrome does support wss client authentication using a certificate. We don't
show any prompt but just use the cached info for that host.

Can you get any debug information from your server about the TLS
negotiation? As it's not clear if it's related to the spec or just an issue
with Chrome, please file a bug at crbug.com and let's discuss there.


> In IE 10, it works as intended.
>
> Now I'm curious whether this has something to do with the different browser
> behaviour or whether the root cause of the problem can be found on the server
> side. Note that the webserver and the websocket are running on the same port.
> For test purposes, the whole thing runs only locally on localhost:9000 and I'm
> using self-signed certificates.
>

Using a self-signed one should be fine.
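As an added example that is not part of this thread and not autobahn's or Twisted's code: the same server-side checks written against Python's stdlib ssl module, requiring a client certificate at the TLS handshake, deriving the client identity from the peer certificate when the WebSocket upgrade is decided, and summarising the negotiated session for the kind of debug output asked for above. The function names, the allowed-client set and the sample peer-certificate dict are constructed for this example.

```python
import ssl

# Constructed sample: the dict shape ssl.SSLSocket.getpeercert() returns for
# a verified peer certificate (values are made up for this example).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "alice"),), (("organizationName", "Example"),)),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "serialNumber": "01",
}


def make_server_context(certfile=None, keyfile=None, cafile=None):
    """TLS server context that demands a client certificate (mutual TLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:
        ctx.load_verify_locations(cafile)  # CA that issued the client certs
    return ctx


def peer_common_name(peercert):
    """Return the subject CN from a getpeercert() dict, or None if absent."""
    if not peercert:
        return None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorize_ws_upgrade(peercert, allowed):
    """Tie the WebSocket upgrade decision to the TLS session's client cert."""
    cn = peer_common_name(peercert)
    if cn is None:
        return (False, "no client certificate presented on this TLS session")
    if cn not in allowed:
        return (False, "client certificate CN %r not authorized" % cn)
    return (True, "client %s authenticated via TLS client certificate" % cn)


def describe_tls(sock):
    """Debug summary of the negotiated session for an ssl.SSLSocket."""
    cipher = sock.cipher()
    return {
        "version": sock.version(),
        "cipher": cipher[0] if cipher else None,
        "peer_cn": peer_common_name(sock.getpeercert()),
    }
```

Wrap the accepted socket with the context from make_server_context and call describe_tls on it right after the handshake; an empty peer_cn there means the browser never sent a certificate for the wss connection, which separates a client-side issue from a server-side one.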