[hybi] Client certificate authentication for WSS websockets using twisted and autobahn

Marc Mühlbauer <muehlbauer.marc@googlemail.com> Mon, 13 May 2013 09:17 UTC

Dear subscribers,

I'm currently facing an issue while implementing client certificate
authentication for the use of secure websockets using the twisted and
autobahn python libraries.

Following the instructions of Tobias Oberstein, the CEO of Tavendo, which
hosts the autobahn library, I managed to get the authentication working in
IE 10 (at
http://stackoverflow.com/questions/16234429/how-can-i-setup-an-autobahn-pub-sub-server-and-a-autobahn-webserver-listening-on
you can see the conversation and part of my source code).

The problem seems to be, as far as I can tell, that the security context of
the SSL session is not used for the access to the websocket. In other
words: if I authenticate with a client certificate to retrieve the page
running on https://, Firefox and Chrome don't ask me again to authenticate
for the use of the secure websocket and also don't use the recent
authentication for that. This means the client is not authenticated and
hence isn't allowed to use the websocket.

In IE 10, it works as intended.

Now I'm curious whether this has something to do with the different browser
behaviour or whether the root cause of the problem can be found on the
server side. Note that the webserver and websocket are running on the same
port. For test purposes, the whole thing runs only locally on localhost:9000
and I'm using self-signed certificates.

Any advice would be really nice!

If you guys need further information, please let me know.

Thanks in advance!

Greetings, Marc