[SOLVED] SSL Issue when using websocket from a VPN

Lex · September 14, 2021, 3:22pm

Hello,
I’m hitting a weird issue.

Defold: 1.2.186
iOS 14.6
Nakama server: 3.1.2+cf6d355a
Websocket extension: 3.0.0

I’m using Nakama with Defold.
My Nakama instance is hosted in Europe.

When I open the app without a VPN (I’m in Europe), the app connects to the server and everything works fine.

As soon as I set up the VPN in a “far” country (Canada, UAE), I get the following error:

WARNING:WEBSOCKET: STATE_CREATE -> STATE_CONNECTING
ERROR:DLIB: mbedtls_ssl_handshake failed: Unknown error - -26624 (-0x6800)
ERROR:DLIB: SSL handshake timeout
WARNING:WEBSOCKET: STATUS: 'Failed to open connection: WOULDBLOCK'  len: 37
WARNING:WEBSOCKET: STATE_CONNECTING -> STATE_DISCONNECTED
DEBUG:SCRIPT: Problem connection
DEBUG:SCRIPT: Failed to open connection: WOULDBLOCK

The issues arises when trying to connect with a websocket.

socket.connection = websocket.connect(...)

Does anyone know what the issue is? And how to solve it? Here’s my config.yml on Nakama’s side :

socket:
  server_key: "XXXXXXX"
  port: 7350
  address: ""
  protocol: "tcp"
  max_message_size_bytes: 4096
  max_request_size_bytes: 131072
  read_buffer_size_bytes: 4096
  write_buffer_size_bytes: 4096
  read_timeout_ms: 30000
  write_timeout_ms: 30000
  idle_timeout_ms: 60000
  write_wait_ms: 10000
  pong_wait_ms: 10000
  ping_period_ms: 8000
  ping_backoff_threshold: 20
  outgoing_queue_size: 64
  ssl_certificate: "" #/nakama/data/cert.pem"
  ssl_private_key: "" #/nakama/data/key.pem"

I posted also on Nakama forum because I’m not sure if the issue comes from Nakama and Defold.

britzl · September 14, 2021, 10:40am

The timeout happens here:

github.com

defold/defold/blob/dev/engine/dlib/src/dlib/sslsocket.cpp#L327-L341

    
      
          if (ret != 0)
          {
              SSL_LOGE("mbedtls_ssl_handshake failed", ret);
              if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
              {
                  dmLogError("Unable to verify the server's certificate.");
                  return RESULT_CONNREFUSED;
              }
              else if (ret == MBEDTLS_ERR_SSL_TIMEOUT)
              {
                  dmLogError("SSL handshake timeout");
                  return RESULT_WOULDBLOCK;
              }
              return RESULT_HANDSHAKE_FAILED;
          }

This is part of the process when the connection is created:

github.com

defold/defold/blob/dev/engine/dlib/src/dlib/connection_pool.cpp#L298-L330

    
      
          static Result Connect(HPool pool, const char* host, dmSocket::Address address, uint16_t port, bool ssl, int timeout, Connection* c, dmSocket::Result* sr)
          {
              uint64_t connectstart = dmTime::GetTime();
          
          
    Result r = ConnectSocket(pool, address, port, timeout, c, sr);
              if( r != RESULT_OK )
              {
                  c->m_Socket = dmSocket::INVALID_SOCKET_HANDLE;
                  return r;
              }
          
          
    uint64_t handshakestart = dmTime::GetTime();
              if( timeout > 0 && (handshakestart - connectstart) > (uint64_t)timeout )
              {
                  dmSocket::Delete(c->m_Socket);
                  c->m_Socket = dmSocket::INVALID_SOCKET_HANDLE;
                  return RESULT_SOCKET_ERROR;
              }
          
          
    if (RESULT_OK == r && ssl) {

This file has been truncated. show original

As you can see there’s a timeout being passed around. What kind of timeout have you set when connecting the socket? See example here:

I now see that you mentioned that you are using Nakama. The timeout can be configured for the Nakama client when the client is created:

local defold = require "nakama.engine.defold"
local nakama = require "nakama.nakama"
local config = {
    host = "127.0.0.1",
    port = 7350,
    use_ssl = false,
    username = "defaultkey",
    password = "",
    engine = defold,
    timeout = 10, -- connection timeout in seconds
}
local client = nakama.create_client(config)

Lex · September 14, 2021, 10:51am

@britzl I looked at the code of the extension and realized the websocket has undocumented configuration parameters. I set

[websocket]
debug = 1
socket_timeout = 10000000

in my game.project and it just worked!

By the way, adding a timeout value in nakama parameter didn’t fix the issue:

local config = {
    host = "127.0.0.1",
    port = 7350,
    use_ssl = false,
    username = "defaultkey",
    password = "",
    engine = defold,
    timeout = 10,
}

britzl · September 14, 2021, 11:21am

Ah, yes, there’s two different timeouts. The one you are using deals with the underlying socket timeout and the one I mentioned is for the high level websocket timeout. Sorry for the confusion!

britzl · September 14, 2021, 11:31am

Added this to the documentation:

github.com

defold/extension-websocket/blob/master/docs/index.md#configuration

---
title: Defold websocket extension API documentation
brief: This manual covers how to use websockets with Defold
---

# Defold websocket extension API documentation

This extension supports both secure (`wss://`) and non secure (`ws://`) websocket connections.
All platforms should support this extension.


Here is how you connect to a websocket and listen to events:

```lua
local function websocket_callback(self, conn, data)
    if data.event == websocket.EVENT_DISCONNECTED then
        log("Disconnected: " .. tostring(conn))
        self.connection = nil
        update_gui(self)
    elseif data.event == websocket.EVENT_CONNECTED then

This file has been truncated. show original