websocket closed right after being opened #3151

Open
Piero01 opened this issue May 27, 2024 · 8 comments

@Piero01

Piero01 commented May 27, 2024

Hello,

In the case where permessage-deflate and SSL are activated, the websocket is closed right after being opened and the following error is written in the log:

GOAWAY: last sid 0, error 0x00000009, string 'Framer error: 24 (HPACK_TRUNCAT'

It seems the problem occurs since version v4.3.0-311-g24c37d1e (compiled with -DLWS_WITHOUT_EXTENSIONS=OFF)
To reproduce, modify minimal-ws-server-pmd example to use ssl:

	info.port = 443;
	info.options = LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE
                     | LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;

and add

	info.ssl_cert_filepath
	info.ssl_private_key_filepath

@lws-team
Member

If lws is the server, what's the client?

hpack is an h2 thing, as is GOAWAY. It seems the client doesn't like what we sent? You can use -DLWS_TLS_LOG_PLAINTEXT_TX=1 (and / or _RX=1) to see unencrypted packet contents even with SSL.

Everything is fine without pm-deflate enabled?

@Piero01
Author

Piero01 commented May 28, 2024

Thanks for the quick response.

The client is Edge or Brave (Chromium).
With Firefox it is OK, but it seems the request is made with HTTP/1.1.
If I disable either SSL or pmd-deflate it is working, and with v4.3.0-310-g8eb89baf it is OK also.

This is the log of what the server sends before receiving the error.

[2024/05/28 11:37:16:8397] N: _lws_lc_tag: ++ [mux|4|default|h2_sid9(wsisrv|0|default)] (1)
[2024/05/28 11:37:16:8401] N: lws_ssl_capable_write: len 13
[2024/05/28 11:37:16:8402] N:
[2024/05/28 11:37:16:8402] N: 0000: 00 00 04 08 00 00 00 00 09 00 04 00 00 .............
[2024/05/28 11:37:16:8402] N:
[2024/05/28 11:37:16:8407] N: lws_ssl_capable_write: len 13
[2024/05/28 11:37:16:8408] N:
[2024/05/28 11:37:16:8408] N: 0000: 00 00 04 08 00 00 00 00 00 00 04 00 00 .............
[2024/05/28 11:37:16:8408] N:
[2024/05/28 11:37:16:8413] N: lws_ssl_capable_write: len 431
[2024/05/28 11:37:16:8414] N:
[2024/05/28 11:37:16:8414] N: 0000: 00 01 A6 01 04 00 00 00 09 00 07 3A 73 74 61 74 ...........:stat
[2024/05/28 11:37:16:8415] N: 0010: 75 73 03 32 30 30 00 17 63 6F 6E 74 65 6E 74 2D us.200..content-
[2024/05/28 11:37:16:8415] N: 0020: 73 65 63 75 72 69 74 79 2D 70 6F 6C 69 63 79 7F security-policy.
[2024/05/28 11:37:16:8415] N: 0030: 3A 64 65 66 61 75 6C 74 2D 73 72 63 20 27 6E 6F :default-src 'no
[2024/05/28 11:37:16:8416] N: 0040: 6E 65 27 3B 20 69 6D 67 2D 73 72 63 20 27 73 65 ne'; img-src 'se
[2024/05/28 11:37:16:8416] N: 0050: 6C 66 27 20 64 61 74 61 3A 20 3B 20 73 63 72 69 lf' data: ; scri
[2024/05/28 11:37:16:8417] N: 0060: 70 74 2D 73 72 63 20 27 73 65 6C 66 27 3B 20 66 pt-src 'self'; f
[2024/05/28 11:37:16:8417] N: 0070: 6F 6E 74 2D 73 72 63 20 27 73 65 6C 66 27 3B 20 ont-src 'self';
[2024/05/28 11:37:16:8417] N: 0080: 73 74 79 6C 65 2D 73 72 63 20 27 73 65 6C 66 27 style-src 'self'
[2024/05/28 11:37:16:8418] N: 0090: 3B 20 63 6F 6E 6E 65 63 74 2D 73 72 63 20 27 73 ; connect-src 's
[2024/05/28 11:37:16:8418] N: 00A0: 65 6C 66 27 20 77 73 3A 20 77 73 73 3A 3B 20 66 elf' ws: wss:; f
[2024/05/28 11:37:16:8419] N: 00B0: 72 61 6D 65 2D 61 6E 63 65 73 74 6F 72 73 20 27 rame-ancestors '
[2024/05/28 11:37:16:8420] N: 00C0: 6E 6F 6E 65 27 3B 20 62 61 73 65 2D 75 72 69 20 none'; base-uri
[2024/05/28 11:37:16:8420] N: 00D0: 27 6E 6F 6E 65 27 3B 66 6F 72 6D 2D 61 63 74 69 'none';form-acti
[2024/05/28 11:37:16:8420] N: 00E0: 6F 6E 20 27 73 65 6C 66 27 3B 00 16 78 2D 63 6F on 'self';..x-co
[2024/05/28 11:37:16:8421] N: 00F0: 6E 74 65 6E 74 2D 74 79 70 65 2D 6F 70 74 69 6F ntent-type-optio
[2024/05/28 11:37:16:8421] N: 0100: 6E 73 07 6E 6F 73 6E 69 66 66 00 10 78 2D 78 73 ns.nosniff..x-xs
[2024/05/28 11:37:16:8421] N: 0110: 73 2D 70 72 6F 74 65 63 74 69 6F 6E 0D 31 3B 20 s-protection.1;
[2024/05/28 11:37:16:8422] N: 0120: 6D 6F 64 65 3D 62 6C 6F 63 6B 00 0F 78 2D 66 72 mode=block..x-fr
[2024/05/28 11:37:16:8422] N: 0130: 61 6D 65 2D 6F 70 74 69 6F 6E 73 04 64 65 6E 79 ame-options.deny
[2024/05/28 11:37:16:8422] N: 0140: 00 0F 72 65 66 65 72 72 65 72 2D 70 6F 6C 69 63 ..referrer-polic
[2024/05/28 11:37:16:8423] N: 0150: 79 0B 6E 6F 2D 72 65 66 65 72 72 65 72 00 16 73 y.no-referrer..s
[2024/05/28 11:37:16:8423] N: 0160: 65 63 2D 77 65 62 73 6F 63 6B 65 74 2D 70 72 6F ec-websocket-pro
[2024/05/28 11:37:16:8423] N: 0170: 74 6F 63 6F 6C 0B 6C 77 73 2D 6D 69 6E 69 6D 61 tocol.lws-minima
[2024/05/28 11:37:16:8424] N: 0180: 6C 0D 0A 53 65 63 2D 57 65 62 53 6F 63 6B 65 74 l..Sec-WebSocket
[2024/05/28 11:37:16:8424] N: 0190: 2D 45 78 74 65 6E 73 69 6F 6E 73 3A 20 70 65 72 -Extensions: per
[2024/05/28 11:37:16:8425] N: 01A0: 6D 65 73 73 61 67 65 2D 64 65 66 6C 61 74 65 message-deflate
[2024/05/28 11:37:16:8425] N:
[2024/05/28 11:37:16:8512] N: lws_ssl_capable_read: len 58
[2024/05/28 11:37:16:8513] N:
[2024/05/28 11:37:16:8513] N: 0000: 00 00 31 07 00 00 00 00 00 00 00 00 00 00 00 00 ..1.............
[2024/05/28 11:37:16:8514] N: 0010: 09 46 72 61 6D 65 72 20 65 72 72 6F 72 3A 20 32 .Framer error: 2
[2024/05/28 11:37:16:8514] N: 0020: 34 20 28 48 50 41 43 4B 5F 54 52 55 4E 43 41 54 4 (HPACK_TRUNCAT
[2024/05/28 11:37:16:8514] N: 0030: 45 44 5F 42 4C 4F 43 4B 29 2E ED_BLOCK).
[2024/05/28 11:37:16:8515] N:
[2024/05/28 11:37:16:8515] N: GOAWAY: last sid 0, error 0x00000009, string 'Framer error: 24 (HPACK_TRUNCAT'

@lws-team
Member

Does it affect it if you remove LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE (to shorten the headers)?

Disabling tls is the same as disabling h2.

Chrome seems to work fine, in h2 and ws-over-h2 with https://libwebsockets.org/testserver which is recent lws

@Piero01
Author

Piero01 commented May 28, 2024

I confirm https://libwebsockets.org/testserver is working but lws version is 4.3.0-298-ga62c3a112 and the problem was introduced by version v4.3.0-311-g24c37d1e

Still the same problem without LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE

[2024/05/28 11:50:33:8125] N:
[2024/05/28 11:50:33:8125] N: 0000: 00 00 04 08 00 00 00 00 09 00 04 00 00 .............
[2024/05/28 11:50:33:8125] N:
[2024/05/28 11:50:33:8131] N: lws_ssl_capable_write: len 13
[2024/05/28 11:50:33:8131] N:
[2024/05/28 11:50:33:8132] N: 0000: 00 00 04 08 00 00 00 00 00 00 04 00 00 .............
[2024/05/28 11:50:33:8132] N:
[2024/05/28 11:50:33:8136] N: lws_ssl_capable_write: len 104
[2024/05/28 11:50:33:8136] N:
[2024/05/28 11:50:33:8137] N: 0000: 00 00 5F 01 04 00 00 00 09 00 07 3A 73 74 61 74 .._........:stat
[2024/05/28 11:50:33:8137] N: 0010: 75 73 03 32 30 30 00 16 73 65 63 2D 77 65 62 73 us.200..sec-webs
[2024/05/28 11:50:33:8137] N: 0020: 6F 63 6B 65 74 2D 70 72 6F 74 6F 63 6F 6C 0B 6C ocket-protocol.l
[2024/05/28 11:50:33:8138] N: 0030: 77 73 2D 6D 69 6E 69 6D 61 6C 0D 0A 53 65 63 2D ws-minimal..Sec-
[2024/05/28 11:50:33:8138] N: 0040: 57 65 62 53 6F 63 6B 65 74 2D 45 78 74 65 6E 73 WebSocket-Extens
[2024/05/28 11:50:33:8138] N: 0050: 69 6F 6E 73 3A 20 70 65 72 6D 65 73 73 61 67 65 ions: permessage
[2024/05/28 11:50:33:8139] N: 0060: 2D 64 65 66 6C 61 74 65 -deflate
[2024/05/28 11:50:33:8139] N:
[2024/05/28 11:50:33:8243] N: lws_ssl_capable_read: len 58
[2024/05/28 11:50:33:8244] N:
[2024/05/28 11:50:33:8244] N: 0000: 00 00 31 07 00 00 00 00 00 00 00 00 00 00 00 00 ..1.............
[2024/05/28 11:50:33:8245] N: 0010: 09 46 72 61 6D 65 72 20 65 72 72 6F 72 3A 20 32 .Framer error: 2
[2024/05/28 11:50:33:8245] N: 0020: 34 20 28 48 50 41 43 4B 5F 54 52 55 4E 43 41 54 4 (HPACK_TRUNCAT
[2024/05/28 11:50:33:8245] N: 0030: 45 44 5F 42 4C 4F 43 4B 29 2E ED_BLOCK).
[2024/05/28 11:50:33:8246] N:

@lws-team
Member

It's literally caused by 24c37d1? What happens if you revert that patch?

@Piero01
Author

Piero01 commented May 28, 2024

It is working if I revert the patch, but the "Sec-WebSocket-Extensions: permessage-deflate" is not sent by the server.

[2024/05/28 14:52:13:5954] N:
[2024/05/28 14:52:13:5955] N: 0000: 00 00 31 01 04 00 00 00 09 00 07 3A 73 74 61 74 ..1........:stat
[2024/05/28 14:52:13:5956] N: 0010: 75 73 03 32 30 30 00 16 73 65 63 2D 77 65 62 73 us.200..sec-webs
[2024/05/28 14:52:13:5957] N: 0020: 6F 63 6B 65 74 2D 70 72 6F 74 6F 63 6F 6C 0B 6C ocket-protocol.l
[2024/05/28 14:52:13:5958] N: 0030: 77 73 2D 6D 69 6E 69 6D 61 6C ws-minimal
[2024/05/28 14:52:13:5959] N:

Shouldn't it be "sec-websocket-extensions" in lower case in h2?

@lws-team
Member

Yes it should be lower case for h2...

diff --git a/lib/roles/ws/server-ws.c b/lib/roles/ws/server-ws.c
index 53559c6e..b2005109 100644
--- a/lib/roles/ws/server-ws.c
+++ b/lib/roles/ws/server-ws.c
@@ -176,7 +176,7 @@ lws_extension_server_handshake(struct lws *wsi, char **p, int budget)
                                *(*p)++ = ',';
                        else
                                LWS_CPYAPP(*p,
-                                         "\x0d\x0aSec-WebSocket-Extensions: ");
+                                         "\x0d\x0asec-websocket-extensions: ");
                        *p += lws_snprintf(*p, lws_ptr_diff_size_t(end, *p), "%s", ext_name);
 
                        /*
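
Review bot: The replacement string passed to LWS_CPYAPP still starts with "\x0d\x0a" and still writes the header as a "name: value" text line, which is h1 framing only; changing the case of the name does not change that. In the dumps earlier in this thread those bytes sit inside the h2 HEADERS payload directly after the length-prefixed sec-websocket-protocol field, so the peer's HPACK decoder will still be handed a malformed block. Suggest keeping this raw append for h1 connections only and, on h2, emitting the extension name and value as a separate header field through the same encoding path that produced :status and sec-websocket-protocol.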

should be enough to try it.

@lws-team
Member

Oh well.... no actually that can only work for h1... it needs redoing.
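
Why the browser reports a truncated HPACK block, as an added example (not lws code and not from the thread participants): a small HPACK literal decoder run over the header block of the 104-byte write in the second dump. The names FRAME, BLOCK, FIXED and the three functions are chosen here; the decoder does no Huffman decoding or index-table lookup, and FIXED is a constructed contrast, not the project's fix.

```python
# FRAME is re-typed from the 104-byte lws_ssl_capable_write dump in the thread.
FRAME = (bytes.fromhex("00005f010400000009") + b"\x00\x07:status\x03" + b"200"
         + b"\x00\x16sec-websocket-protocol\x0blws-minimal"
         + b"\r\nSec-WebSocket-Extensions: permessage-deflate")
BLOCK = FRAME[9:9 + int.from_bytes(FRAME[:3], "big")]   # unpadded HEADERS payload
# Constructed contrast: the extension header as its own HPACK literal field.
FIXED = BLOCK[:49] + b"\x00\x18sec-websocket-extensions\x12permessage-deflate"

def read_int(buf, pos, bits):
    """HPACK prefix integer (RFC 7541 5.1) -> (value, next_pos)."""
    mask = (1 << bits) - 1
    value, shift = buf[pos] & mask, 0
    more, pos = value == mask, pos + 1
    while more:                                   # 7-bit continuation bytes
        value += (buf[pos] & 0x7F) << shift
        more, shift, pos = buf[pos] & 0x80, shift + 7, pos + 1
    return value, pos

def read_str(buf, pos):
    """HPACK string literal (RFC 7541 5.2); Huffman data comes back as hex."""
    huffman = buf[pos] & 0x80
    n, pos = read_int(buf, pos, 7)
    if pos + n > len(buf):
        raise EOFError(f"{n}-byte string at offset {pos}, only {len(buf) - pos} left")
    raw = buf[pos:pos + n]
    return (raw.hex() if huffman else raw.decode("latin-1")), pos + n

def decode_block(block):
    """Return (fields, error); error is None when the block decodes fully."""
    fields, pos = [], 0
    try:
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                          # indexed header field
                idx, pos = read_int(block, pos, 7)
                fields.append((f"index {idx}", None))
            elif (b & 0xE0) == 0x20:              # dynamic table size update
                _, pos = read_int(block, pos, 5)
            else:                                 # literal, 6- or 4-bit name index
                idx, pos = read_int(block, pos, 6 if b & 0x40 else 4)
                name, pos = read_str(block, pos) if idx == 0 else (f"index {idx}", pos)
                value, pos = read_str(block, pos)
                fields.append((name, value))
    except (EOFError, IndexError) as exc:         # block ended inside a field
        return fields, str(exc)
    return fields, None
```

On BLOCK the decoder reads the CRLF bytes 0D 0A as a literal with name index 13 and a 10-byte value ("Sec-WebSoc"), then 6B 65 ("ke") as name index 43 with a 101-byte value while only 32 bytes remain. decode_block(FIXED) returns three fields and no error.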
