FAQ: Secure WebSockets
If you do not have a valid certificate in place, you will have to create a self-signed one. Browsers will simply refuse the connection in case of a bad certificate and will not ask the user to accept it. So the first step is to make your browser accept your self-signed certificate (https://bugzilla.mozilla.org/show_bug.cgi?id=594502).
If the websocket server URL is wss://localhost:8000, visit the URL https://localhost:8000 with your browser. The browser will recognize the handshake and allow you to accept the certificate. This technique is also demonstrated in this video.
If you want to use wss on the Android platform you should take a look at this.
This library allows you to restrict your connection to specific cipher suites and protocols. This is useful because specific endpoints may allow only some ciphers, and some ciphers are buggy.
Please take a look at the SSLServerCustomWebsocketFactoryExample for an example!
SSL on Android is always a bit buggy. If you have the following issue, this may help you!
javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:682)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:644)
at org.java_websocket.client.WebSocketClient.run(WebSocketClient.java:260)
at java.lang.Thread.run(Thread.java:761)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xaa19cb80: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.c:192 0xa706d196:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
... 4 more
This issue is known, and it is recommended to remove the protocol SSLv3 from the enabled protocols of your websocket! (See SSLServerCustomWebsocketFactoryExample)
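
The SSLv3 removal recommended above, sketched as an added example (not code from the project or from SSLServerCustomWebsocketFactoryExample itself). The class NoSslv3Factory and its methods without and apply are hypothetical names; the example assumes the Java-WebSocket jar is on the classpath and that the SSLContext passed to apply has already been initialized with the server's key material.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.java_websocket.server.CustomSSLWebSocketServerFactory;
import org.java_websocket.server.WebSocketServer;

// Hypothetical helper: builds the protocol and cipher lists for the custom factory.
public final class NoSslv3Factory {

    /** Returns the enabled entries minus the blocked ones; fails closed if none remain. */
    static String[] without(String[] enabled, String... blocked) {
        List<String> kept = new ArrayList<>(Arrays.asList(enabled));
        kept.removeAll(Arrays.asList(blocked)); // no-op if the runtime already disables them
        if (kept.isEmpty()) {
            throw new IllegalStateException("nothing left to negotiate after filtering");
        }
        return kept.toArray(new String[0]);
    }

    /** Installs a factory on the server whose SSL engines never enable SSLv3. */
    static void apply(WebSocketServer server, SSLContext ctx, String... blockedCiphers) {
        // Ask a throwaway engine what this runtime enables by default, then narrow it.
        SSLEngine probe = ctx.createSSLEngine();
        String[] protocols = without(probe.getEnabledProtocols(), "SSLv3");
        String[] ciphers = without(probe.getEnabledCipherSuites(), blockedCiphers);
        server.setWebSocketFactory(
                new CustomSSLWebSocketServerFactory(ctx, protocols, ciphers));
    }

    public static void main(String[] args) throws Exception {
        // JDK-only check of the filtering step: print what would remain enabled.
        SSLEngine probe = SSLContext.getDefault().createSSLEngine();
        String[] protocols = without(probe.getEnabledProtocols(), "SSLv3");
        System.out.println("Protocols offered: " + Arrays.toString(protocols));
    }
}
```

Call apply before starting the server, and pass the names of any cipher suites that misbehave with your endpoints as blockedCiphers.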