ws: Secure Client WebSocket Connections Fail Due to `wrong version number` Errors

Is there an existing issue for this?

  • I’ve searched for any related issues and avoided creating a duplicate issue.

Description

I have a Node.js server that only supports HTTPS. It creates its server using https, with the cert and key being generated by mkcert. Chrome is able to trust this certificate just fine. And thanks to NODE_EXTRA_CA_CERTS, Node’s https.Agent is able to trust the certificate as well.

This https server is supplied to the WebSocketServer constructor. However, when I try to create a WebSocket client via new WebSocket("wss://localhost:3000"), the connection fails. Instead, I get this error:

Error: write EPROTO 4444288512:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:

Supplying 8 or 13 to WebSocket.protocolVersion doesn’t seem to change the outcome. And I get an error message saying I can only use 8 or 13 if I try anything else. Not sure what’s going on here.

Happy to provide any additional details as needed.

(Note: I cannot connect to the WebSocketServer from the Browser either.)

(Note: I’ve already seen #1839. I can confirm that I can make HTTPS requests to my own server from Node.js, so that is not the issue. The resolution proposed in #1882 is also insufficient.)

ws version

7.4.5

Node.js Version

16.17.0

System

  System:
    OS: macOS 12.6
    CPU: (8) x64 Intel(R) Core(TM) i7-1068NG7 CPU @ 2.30GHz
    Memory: 87.46 MB / 32.00 GB
    Shell: 5.8.1 - /bin/zsh

Expected result

I would expect the connection to go through just fine (whether via Browser or via the WebSocket client) since both the Browser and Node.js trust my certificate.

Actual result

Neither the browser nor the package’s WebSocket client are able to connect over wss.

Attachments

No response

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

Yeah, both of those things are valid. That makes sense. Well thanks for taking the time to engage this Issue! Sorry it turned out to be a dud. 😕 Hopefully you don’t get these TLS queries too often.

Thanks for all the help!

+1
ITenthusiasm on Dec 15, 2022

Would it not be sufficient to conditionally switch between the http server and the https server depending on whether or not the certificates were added? What is this downside to this, if you don’t mind my asking?

Multiple ways of doing the same thing (I think the server option was added after the port option) and the complexity needed to handle additional options when the feature is already supported.

Yes, I am aware. The option(s) would be applied to remix.config.js. Their WebSocketServer has access to the options exported from that file, so it would just use those. Fairly straightforward.

They still have to change this

https://github.com/remix-run/remix/blob/7b330a8beb79be6d693cfed59b436a93ad55af2e/packages/remix-dev/devServer/liveReload.ts#L18

so again, they can just create their own HTTPS server and pass it to the WebSocketServer constructor via the server option.

+1
lpinca on Dec 15, 2022
Read more comments on GitHub
← ws: Second connection does not always fire the open event.
ws: TypeError: Cannot read property 'unmask' of undefined at Receiver.unmask →