Xpra: Ticket #2506: Clicking past cert errors with HTML5 client over https resulting in ws request failures.

Uninstalled the 4.0-0.20191119r24461.fc30 server with dnf remove xpra, then disabled the xpra-beta repo... and then re-installed stable to get 3.0.2-r24387.

Launched with the usual-

 xpra start :13 --no-daemon --bind-tcp=0.0.0.0:1234 --bind-ws=0.0.0.0:1237 --bind-wss=0.0.0.0:1239 --ssl-cert=/etc/xpra/148-ssl.pem --start-child=xterm --start-child=xterm --exit-with-children

(148-ssl.pem being a self-signed/issued cert with no SAN which has no chance of being valid for Chrome 78, being used as HTML5 client.)

There is a new error immediately on launch, which looks likely to be part of the cause, and some other output messages that seem less relevant but interesting.

2019-12-05 14:34:23,647 Error: cannot enable SSH socket upgrades:
2019-12-05 14:34:23,648  No module named 'paramiko'
2019-12-05 14:34:23,648 created wss socket '0.0.0.0:1239'
2019-12-05 14:34:23,649 created tcp socket '0.0.0.0:1234'
2019-12-05 14:34:23,649 created ws socket '0.0.0.0:1237'
2019-12-05 14:34:23,650 cannot access python uinput module:
2019-12-05 14:34:23,650  No module named 'uinput'
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.

Upon trying to connect the HTML5 client though, probably once I click through the cert warnings, I get this repeated over and over and over in the server output... and while the client looks like it has connected, neither the start-children nor any other attempt to start any other process results in anything but the greyish background that's usually displayed on disconnection being displayed.

2019-12-05 14:35:50,265 Error: ws request failure
2019-12-05 14:35:50,265  for client 10.0.4.54:54521:
2019-12-05 14:35:50,266  request: 'ü÷f`á��Á�Äiä�P»Í¼öéjÂÏàeö=´9▒?sQ±ÎÏmyC%�¦Ú¾,�h�IÝ°'ò*kvó x"ÚÚÀ+À/À,À0̨̩ÀÀ��/5'
2019-12-05 14:35:50,266  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)
2019-12-05 14:35:54,031 Error: ws request failure
2019-12-05 14:35:54,031  for client 10.0.4.54:54524:
2019-12-05 14:35:54,031  request: 'ü÷▒pöey|=":[>¯�Îo�,]á`ëÅ�®� qÇXxøó0QÐ!
ö(Gíÿ�zQ�P�ªtÏ�YJØ"êêÀ+À/À,À0̨̩ÀÀ��/5'
2019-12-05 14:35:54,031  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)
2019-12-05 14:35:54,047 Error: ws request failure
2019-12-05 14:35:54,048  for client 10.0.4.54:54527:
2019-12-05 14:35:54,048  request: 'üq¿§Ým¿ÕjmkjU»·, >É"k3�-p¸ �Á�îø¾�Î(¶Æäð®¢4±F©2q¬Qú»"À+À/À,À0̨̩ÀÀ��/5'
2019-12-05 14:35:54,048  [Errno 0] Error
PuTTY2019-12-05 14:35:54,223 Error: ws request failure
2019-12-05 14:35:54,223  for client 10.0.4.54:54532:
2019-12-05 14:35:54,223  request: 'ü±�7íÄ.ZÕ[?tßrU�¼¶á|o�(> 7�
y�T)N ÷¿ö�·�Ãgiª¡�cö�i�c8,R¿ä�Ò�÷"zzÀ+À/À,À0̨̩ÀÀ��/5'
2019-12-05 14:35:54,224  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)

The client tab's console logs suggest the client isn't loading because of those ws errors.

Failed to load resource: the server responded with a status of 404 (File not found)
jquery-ui.js:1 Uncaught ReferenceError: jQuery is not defined
    at jquery-ui.js:1
    at jquery-ui.js:1
Notifications.js:1 Uncaught ReferenceError: $ is not defined
    at Notifications.js:1
Menu-custom.js:1 Uncaught ReferenceError: $ is not defined
    at Menu-custom.js:1
(index):264 Uncaught ReferenceError: $ is not defined
    at (index):264
(index):279 Uncaught ReferenceError: $ is not defined
    at show_about ((index):279)
    at HTMLAnchorElement.onclick ((index):98)

Is this another Fedora packaging issue maybe?



Fri, 06 Dec 2019 10:45:23 GMT - Antoine Martin: owner changed

Error: ws request failure

Are you sure you're not hitting the ws port instead of the wss port with your https connection? You have both and the log message is for 'ws'. I had seen some spurious ssl errors, so r24420 + r24383 + r21809 make them less scary.

Is this another Fedora packaging issue maybe?

You should have jquery and jquery-ui libraries here:

ls -la /usr/share/xpra/www/js/lib/

One may be a symlink to the js-jquery RPM file.


Fri, 06 Dec 2019 18:46:44 GMT - alas: owner changed

Ahh... looks like I recycled the wrong tab and did, indeed, hit the ws port.

Unfortunately, correctly hitting the wss port (1239) seems to give me the same error, as a wss request failure.

2019-12-06 10:23:49,862 Error: wss request failure
2019-12-06 10:23:49,862  for client 10.0.4.54:61499:
2019-12-06 10:23:49,862  request: 'üä\® V}×|/±Oaë�2Wå@�ö�´n  ³oÚüBñøS;ÙFÒbÞ6¥P¤ª        f'¼2zõÙÕ"ººÀ+À/À,À0̨̩ÀÀ��/5'
2019-12-06 10:23:49,862  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)
2019-12-06 10:23:50,006 Error: wss request failure
2019-12-06 10:23:50,006  for client 10.0.4.54:61505:
2019-12-06 10:23:50,006  request: 'üÊçàÕZI¡�w��%#ê1��yïß}Ò¶ï�Dë �l�wÊôÈûÁí��#Û÷�|º=.-PÆƽ°Æó�ð"JJÀ+À/À,À0̨̩ÀÀ��/5'
2019-12-06 10:23:50,006  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)
PuTTY2019-12-06 10:23:50,008 Error: wss request failure
2019-12-06 10:23:50,009  for client 10.0.4.54:61511:
2019-12-06 10:23:50,009 Error: wss request failure
2019-12-06 10:23:50,009  for client 10.0.4.54:61508:
2019-12-06 10:23:50,010  request: 'ü3¤ê�#í6=X=wË­�:Éç�ÒFÛ¦Ã6!xñKº �l�wÊôÈûÁí��#Û÷�|º=.-PÆƽ°Æó�ð"ÚÚÀ+À/À,À0̨̩ÀÀ��/5'
2019-12-06 10:23:50,010  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)
2019-12-06 10:23:50,009  request: 'üa·.Ë}�C8[©�ú8VÆÝ|17¤z§�7'(U�Ô¬ �l�wÊôÈûÁí��#Û÷�|º=.-PÆƽ°Æó�ð"ªªÀ+À/À,À0̨̩ÀÀ��/5'
2019-12-06 10:23:50,009 Error: wss request failure
2019-12-06 10:23:50,011  for client 10.0.4.54:61520:
2019-12-06 10:23:50,011  request: 'ü/9�bjÄ�ý«N'
2019-12-06 10:23:50,011  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)
2019-12-06 10:23:50,010  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)

Trying the ws port with http (http://10.0.3.148:1237)... I am getting that missing jquery.js error.

2019-12-06 10:28:28,940 Error sending '/usr/share/xpra/www/js/lib/jquery.js':
2019-12-06 10:28:28,941  [Errno 2] No such file or directory
2019-12-06 10:28:29,284 Error sending '/usr/share/xpra/www/js/lib/jquery.js':
2019-12-06 10:28:29,284  [Errno 2] No such file or directory

Checking where that file ought to be, looks like you indicate it should... ls -la /usr/share/xpra/www/js/lib/ ...

-rw-r--r--. 1 root root    947 Nov 22 18:32 jquery.ba-throttle-debounce.js
-rw-r--r--. 1 root root    418 Nov 22 18:32 jquery.ba-throttle-debounce.js.gz
lrwxrwxrwx. 1 root root     44 Nov 22 18:32 jquery.js -> /usr/share/javascript/jquery/3.2.1/jquery.js
-rw-r--r--. 1 root root  38054 Nov 22 18:32 jquery.js.gz
-rw-r--r--. 1 root root 311911 Nov 22 18:32 jquery-ui.js
-rw-r--r--. 1 root root  75113 Nov 22 18:32 jquery-ui.js.gz

But... checking that symlink I think I found a problem.

[root@xpra-lib-fed30-2 maint]# ls /usr/share/javascript/jquery/3.2.1/
ls: cannot access '/usr/share/javascript/jquery/3.2.1/': No such file or directory

Just to see what I do have in that directory...

[root@xpra-lib-fed30-2 maint]# ls -la /usr/share/javascript/jquery/
total 0
drwxr-xr-x. 3 root root 53 Jun  6  2019 .
drwxr-xr-x. 3 root root 20 Jun  6  2019 ..
lrwxrwxrwx. 1 root root  5 Feb  1  2019 3 -> 3.3.1
lrwxrwxrwx. 1 root root  5 Feb  1  2019 3.3 -> 3.3.1
drwxr-xr-x. 2 root root 66 Jun  6  2019 3.3.1
lrwxrwxrwx. 1 root root  5 Feb  1  2019 latest -> 3.3.1
[root@xpra-lib-fed30-2 maint]# ls -la /usr/share/javascript/jquery/3.3.1/
total 488
drwxr-xr-x. 2 root root     66 Jun  6  2019 .
drwxr-xr-x. 3 root root     53 Jun  6  2019 ..
-rw-r--r--. 1 root root 271751 Feb  1  2019 jquery.js
-rw-r--r--. 1 root root  86861 Feb  1  2019 jquery.min.js
-rw-r--r--. 1 root root 132912 Feb  1  2019 jquery.min.map

So... figuring the server wasn't gonna get any worse, I symlinked to /usr/share/javascript/jquery/3.3.1/jquery.js... lrwxrwxrwx. 1 root root 44 Dec 6 10:38 jquery.js -> /usr/share/javascript/jquery/3.3.1/jquery.js

... and while I still get the no module paramiko error, I am able to connect over ws with http.

When I try to connect over wss with https I succeed now too, but I still get a lot of cert errors in the logs.

2019-12-06 10:39:38,329 Error: wss request failure
2019-12-06 10:39:38,329  for client 10.0.4.54:62253:
2019-12-06 10:39:38,330  request: 'ü    ìÿj'
2019-12-06 10:39:38,330  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)
2019-12-06 10:39:38,449 Error: wss request failure
2019-12-06 10:39:38,449 Error: wss request failure
2019-12-06 10:39:38,449  for client 10.0.4.54:62259:
2019-12-06 10:39:38,449  for client 10.0.4.54:62262:
2019-12-06 10:39:38,450  request: 'ü|7ÊA�ÏHý|)×ô�ð9NH^�®��iF£uî aâÎ*èì§�UßG
O-q)#Ð��é�ßã�   Þ�"ZZÀ+À/À,À0̨̩ÀÀ��/5'
2019-12-06 10:39:38,450  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)
2019-12-06 10:39:38,450  request: 'ü i!¿�¦@ØDÈñN)&¬l   ��ó5N¿F�.
                                                                  aâÎ*èì§�UßG
O-q)#Ð��é�ßã�   Þ�"��À+À/À,À0̨̩ÀÀ��/5'
2019-12-06 10:39:38,450  [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2508)

I suppose there's an easy-ish fix in there somewhere - I'll assign this back to you to pick one.
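
The manual check in the comment above (follow the `jquery.js` symlink, find its target missing, look in the sibling version directory) can be scripted. This is an added example, not part of the original ticket or of Xpra's packaging; the function names are hypothetical and the directory layout is constructed in a temp dir to mirror the listing above.

```shell
# Added example: report dangling symlinks under a web root and, for each one,
# list same-named files in sibling directories of the missing target.

# dangling_links DIR: print "LINK -> TARGET" for every symlink whose target is missing.
dangling_links() {
    find "$1" -type l | sort | while IFS= read -r link; do
        # [ -e ] follows the link, so it is false when the target does not exist
        if [ ! -e "$link" ]; then
            printf '%s -> %s\n' "$link" "$(readlink "$link")"
        fi
    done
}

# candidates TARGET: the target's own directory is gone, so look one level up
# (e.g. .../jquery/) for other version directories holding the same file name.
candidates() {
    name=$(basename "$1")
    parent=$(dirname "$(dirname "$1")")
    for f in "$parent"/*/"$name"; do
        d=$(dirname "$f")
        # skip an unexpanded glob and symlinked aliases such as "latest"
        if [ -f "$f" ] && [ ! -L "$d" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed layout: a web root whose jquery.js points at a 3.2.1 directory
# that does not exist, next to an installed 3.3.1 and a "latest" alias.
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/www/js/lib" "$root/javascript/jquery/3.3.1"
    : > "$root/javascript/jquery/3.3.1/jquery.js"
    ln -s 3.3.1 "$root/javascript/jquery/latest"
    ln -s "$root/javascript/jquery/3.2.1/jquery.js" "$root/www/js/lib/jquery.js"
    : > "$root/www/js/lib/jquery-ui.js"
    printf '%s\n' "$root"
}

if [ "${1:-}" = "demo" ]; then
    root=$(demo_setup)
    dangling_links "$root/www" | while IFS= read -r line; do
        echo "$line"
        candidates "${line#* -> }" | sed 's/^/  candidate: /'
    done
    rm -rf "$root"
fi
```

Run with `demo` as the first argument to see the constructed case; on a real host, `dangling_links /usr/share/xpra/www` is the equivalent check.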


Fri, 06 Dec 2019 19:16:00 GMT - Antoine Martin: owner changed

That's odd, my freshly rebuilt symlink looks correct on Fedora 31:

$ ls -la /usr/share/xpra/www/js/lib/jquery.js
lrwxrwxrwx. 1 root root 40 Dec  7 02:02 /usr/share/xpra/www/js/lib/jquery.js -> /usr/share/javascript/jquery/3/jquery.js

r24632 + r24633 will use 'latest', avoiding using the version number altogether:

$ ls -la /usr/share/xpra/www/js/lib/jquery.js
lrwxrwxrwx. 1 root root 45 Dec  7 02:07 /usr/share/xpra/www/js/lib/jquery.js -> /usr/share/javascript/jquery/latest/jquery.js

So then I picked some RPMs from https://xpra.org/beta/Fedora and tried to find one that had a broken symlink:

wget https://xpra.org/beta/..../xpra-html5-*rpm
rpm2cpio ./xpra-html5* | cpio -idmv
ls -l usr/share/xpra/www/js/lib/

So far, no "luck".

What is your exact RPM version?

$ rpm -qa xpra-html5
xpra-html5-3.0.2-0.r24387.fc31.noarch

Sat, 07 Dec 2019 02:21:23 GMT - Antoine Martin:

(long comment deleted - see #2605)

You're getting xpra from the fedora repos, now that they have a 3.0.2 in there. r24633 will try harder to install our one instead of fedora's. (will be included in 3.0.3)


Wed, 12 Feb 2020 05:22:30 GMT - Antoine Martin: status changed

Could be related to #2587


Sat, 15 Feb 2020 12:37:55 GMT - Antoine Martin: status changed

Should be fine now, both on stable and beta channels.


Thu, 19 Mar 2020 16:32:22 GMT - Antoine Martin: status changed; resolution set


Sat, 23 Jan 2021 05:53:08 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2506