Bug 33587 - noVNC: Server disconnected (code: 1006) in Firefox
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Virtual machines (UVMM)
Version: UCS 3.2
Hardware: Other Linux
Importance: P2 normal
Target Milestone: UCS 3.2-0-errata
Assigned To: Philipp Hahn
QA Contact: Erik Damrose
Reported: 2013-11-27 11:19 CET by Florian Best
Modified: 2014-01-29 11:17 CET
Description Florian Best univentionstaff 2013-11-27 11:19:59 CET
For me noVNC does not work in Firefox, I get the error message:
Server disconnected (code: 1006)

Reloading of the VNC-page doesn't help. In chromium everything is fine.
Comment 1 Alexander Kläser univentionstaff 2013-11-27 11:30:03 CET
At least in our internal KVM environment, VNC works neither with FF nor with Chromium.
Comment 2 Alexander Kläser univentionstaff 2013-11-27 11:35:41 CET
(In reply to Alexander Kläser from comment #1)
> At least in our internal KVM environment, VNC works neither with FF nor
> with Chromium.

Hm, I lied, now it works in both browsers.
Comment 3 Philipp Hahn univentionstaff 2013-11-28 08:42:15 CET
From Firefox's error console:
> [08:27:27.232] Firefox kann keine Verbindung zu dem Server unter ws://localhost:17523/ aufbauen. @ http://laiva/univention-novnc/include/websock.js:285

Looks like a problem in noVNC to detect WS support: <https://github.com/Medical-Insight/noVNC/commit/ec34af8f6133f5b5603f47b0c3f91bde60e6d9b5>
A quick test shows that this work-around fixes the issue with Firefox 22.0.
Comment 4 Philipp Hahn univentionstaff 2013-11-28 15:38:29 CET
Blocker in the UCS technical training.

Work-around: Use http:// instead of https://
Comment 5 Moritz Muehlenhoff univentionstaff 2013-11-28 15:56:04 CET
It worked for all users still using Firefox 17 ESR and breaks when using ESR24 (as released as an errata update)
Comment 6 Moritz Muehlenhoff univentionstaff 2013-11-29 09:54:38 CET
(In reply to Moritz Muehlenhoff from comment #5)
> It worked for all users still using Firefox 17 ESR and breaks when using
> ESR24 (as released as an errata update)

Another regression in Firefox 24 compared to 17; it's no longer possible to enter a "\" (as needed for a Windows 7 domain administrator login). Apparently a problem with parsing "Alt GR"?
Comment 7 Philipp Hahn univentionstaff 2013-11-29 10:11:28 CET
(In reply to Moritz Muehlenhoff from comment #6)
> (In reply to Moritz Muehlenhoff from comment #5)
> > It worked for all users still using Firefox 17 ESR and breaks when using
> > ESR24 (as released as an errata update)
> 
> Another regression in Firefox 24 compared to 17; it's no longer possible to
> enter a "\" (as needed for a Windows 7 domain administrator login).
> Apparently a problem with parsing "Alt GR"?

See Bug #30540 comment 5
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2014-01-14 17:11:29 CET
(In reply to Philipp Hahn from comment #4)
> Blocker in the UCS technical training.

Happened again in technical training.
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2014-01-15 08:13:52 CET
(In reply to Sönke Schwardt-Krummrich from comment #8)
> (In reply to Philipp Hahn from comment #4)
> > Blocker in the UCS technical training.
> 
> Happened again in technical training.

To be more precise: the "http vs https" problem happened again.
Comment 10 Philipp Hahn univentionstaff 2014-01-21 13:18:01 CET
r47293 | Bug #33587: Test for secured WebSocket port
univention-novnc_0.4+0+20131014+git142aa45-2.3.201401211307
r47297 | Bug #33587: Test for secured WebSocket port (YAML)
Comment 11 Erik Damrose univentionstaff 2014-01-21 14:15:42 CET
REOPEN:

When accessing the UMC with https://[IP-ADDRESS]/umc instead of the hostname and adding a certificate exception, the novnc connection is still not possible (Server disconnected, Error 1006). In the firefox browser console the certificate is blamed:

GET https://10.200.29.120:6080/ [0ms]
14:12:38.790 10.200.29.120:6080 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.
The certificate is only valid for ucsmaster.ucs.local

(Error code: sec_error_untrusted_issuer)

14:12:38.791 Firefox can't establish a connection to the server at wss://10.200.29.120:6080/?token=a078281f-9fe4-7327-adc5-b4b56c4addf4.
Comment 12 Philipp Hahn univentionstaff 2014-01-21 20:23:29 CET
(In reply to Erik Damrose from comment #11)
> REOPEN:
> 
> When accessing the UMC with https://[IP-ADDRESS]/umc instead of the hostname
> and adding a certificate exception, the novnc connection is still not
> possible (Server disconnected, Error 1006). In the firefox browser console
> the certificate is blamed:
> 
> GET https://10.200.29.120:6080/ [0ms]
> 14:12:38.790 10.200.29.120:6080 uses an invalid security certificate.
> 
> The certificate is not trusted because the issuer certificate is not trusted.
> The certificate is only valid for ucsmaster.ucs.local
> 
> (Error code: sec_error_untrusted_issuer)
> 
> 14:12:38.791 Firefox can't establish a connection to the server at
> wss://10.200.29.120:6080/?token=a078281f-9fe4-7327-adc5-b4b56c4addf4.

Firefox stores the SSL exceptions on a (host+port) basis, that is, a second exception must be added for https://10.200.29.120:6080/. As this port is only accessed through wss://, Firefox does not show the well-known dialog to add a security exception.
Explicitly going to https:// currently does not work either, as the websockify daemon listening on port 6080 only handles the WebSocket protocol, but not HTTP.
But it has the --web= option to enable serving a directory through HTTP. This can be used to serve /usr/share/novnc/ through websockify and let UVMMd point there. When Firefox first goes there, it will ask for an exception for https://:6080/, then get the vnc_auto.html, which can then also open a connection using wss://:6080/.

r47330 | Bug #33587: noVNC: work-around Firefox security exception
univention-novnc_0.4+0+20131014+git142aa45-3.4.201401212016
r47331 | Bug #33587: noVNC: work-around Firefox security exception (YAML)

Tested successfully with (Firefox, Chromium) × (http://, https://) × (IP-Address, Name).


See <https://github.com/kanaka/websockify/wiki/Feature_Matrix> for alternatives to the Python-websockify.


For reference: I get this exception from websockify, when Firefox connects without the prior security exception:
  2: 192.168.0.191: SSL/TLS (wss://) WebSocket connection
  2: handler exception: [Errno 1] _ssl.c:1331: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
  2: Traceback (most recent call last):
  File "/usr/share/novnc/utils/websocket.py", line 783, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/share/novnc/utils/websocket.py", line 714, in do_handshake
    wsh = WSRequestHandler(retsock, address, not self.web)
  File "/usr/share/novnc/utils/websocket.py", line 955, in __init__
    SimpleHTTPRequestHandler.__init__(self, req, addr, object())
  File "/usr/lib/python2.6/SocketServer.py", line 617, in __init__
    self.handle()
  File "/usr/lib/python2.6/BaseHTTPServer.py", line 329, in handle
    self.handle_one_request()
  File "/usr/lib/python2.6/BaseHTTPServer.py", line 312, in handle_one_request
    self.raw_requestline = self.rfile.readline()
  File "/usr/lib/python2.6/socket.py", line 444, in readline
    data = self._sock.recv(self._rbufsize)
  File "/usr/lib/python2.6/ssl.py", line 215, in recv
    return self.read(buflen)
  File "/usr/lib/python2.6/ssl.py", line 136, in read
    return self._sslobj.read(len)
SSLError: [Errno 1] _ssl.c:1331: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
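
Added example (not code from this bug report, noVNC or websockify): a small JavaScript model of the rule described in comment 12, that certificate exceptions are kept per host and port and that a wss:// connection cannot prompt for one. The function and field names are hypothetical, the name check is simplified, and the input is constructed from the values quoted in comment 11.

```javascript
// Added example, not noVNC/UCS code. Models the rule from comment 12:
// Firefox stores certificate exceptions per host:port, and a wss://
// connection cannot raise the "add exception" dialog.
function effectivePort(u) {
  if (u.port) return u.port;
  return u.protocol === "https:" || u.protocol === "wss:" ? "443" : "80";
}

// Simplified name check: exact match or one left-most wildcard label.
function nameMatches(host, certNames) {
  const h = host.toLowerCase();
  return certNames.some((n) => {
    const name = n.toLowerCase();
    if (name === h) return true;
    if (!name.startsWith("*.")) return false;
    const dot = h.indexOf(".");
    return dot > 0 && h.slice(dot) === name.slice(1);
  });
}

function checkWebSocketTarget({ pageUrl, wsUrl, certNames, issuerTrusted, storedExceptions }) {
  const page = new URL(pageUrl);
  const ws = new URL(wsUrl);
  const reasons = [];
  if (page.protocol === "https:" && ws.protocol === "ws:") {
    reasons.push("insecure-ws-from-https-page"); // browsers refuse this mix
  }
  if (ws.protocol !== "wss:") {
    return { ok: reasons.length === 0, reasons, exceptionKey: null };
  }
  const key = `${ws.hostname}:${effectivePort(ws)}`;
  if (!issuerTrusted) reasons.push("untrusted-issuer");
  if (!nameMatches(ws.hostname, certNames)) reasons.push("name-mismatch");
  // An exception stored for the page's port (443) does not cover port 6080.
  const ok = reasons.length === 0 || storedExceptions.includes(key);
  if (!ok) reasons.push(`no-exception-for-${key}`);
  return { ok, reasons, exceptionKey: key };
}

// Constructed input mirroring comment 11; the token is a placeholder.
const comment11 = {
  pageUrl: "https://10.200.29.120/umc",
  wsUrl: "wss://10.200.29.120:6080/?token=EXAMPLE",
  certNames: ["ucsmaster.ucs.local"],
  issuerTrusted: false,
  storedExceptions: ["10.200.29.120:443"],
};
console.log(checkWebSocketTarget(comment11));
```

The returned `exceptionKey` is the host:port for which a separate exception has to exist before the wss:// connection can succeed.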
Comment 13 Philipp Hahn univentionstaff 2014-01-22 09:55:47 CET
Also works with IE9 in Win7 using https://IP-Address/ and http://IP-Address/.

FYI:
Long-term it would help to get WebSocket support into Apache on port 80, so the second SSL Exception would no longer be needed, but:
1. mod_proxy from Apache-2.2 does not support WebSocket, only >= 2.4.
2. alternatively mod_python to embed websockify into Apache
See <http://serverfault.com/questions/290121/configuring-apache2-to-proxy-websocket> for more information.

Both options I consider rather heavy-weight changes, which I don't consider appropriate for an erratum update. Accepting one more exception once is IMHO acceptable.
Comment 14 Erik Damrose univentionstaff 2014-01-23 09:16:51 CET
Tests with http, https, each with ip-address and hostname
WinXP:
  Firefox 10, 26: OK
  Chrome 32: OK
  Internet Explorer 8 (latest available for XP): fail -> But we recommend at least iexplorer version 9 in our release notes -> OK, nothing we can do for XP w/ iexplorer

Win7:       
  Firefox 10, 26: OK
  Chrome 32: OK
  Internet Explorer 10: OK
  Internet Explorer 11: Fail -> Bug #33968
  Internet Explorer 9: shows certificate error, upon proceeding novnc complains that "WebSocket or Adobe Flash is required". Upon installing Adobe Flash, I receive a connect timeout via http and https. Documentation shows that websocket support is only available for iexplorer version >=10

Ubuntu 12.04:
  Firefox 26: OK
  Chromium 21:  OK

->Verified
Comment 15 Moritz Muehlenhoff univentionstaff 2014-01-29 11:17:11 CET
http://errata.univention.de/ucs/3.2/31.html