Univention Bugzilla – Full Text Bug Listing
Summary: | noVNC: Server disconnected (code: 1006) in Firefox | ||
---|---|---|---|
Product: | UCS | Reporter: | Florian Best <best> |
Component: | UMC - Virtual machines (UVMM) | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Erik Damrose <damrose> |
Severity: | normal | ||
Priority: | P2 | CC: | gohmann, hahn, jmm, klaeser, schwardt |
Version: | UCS 3.2 | ||
Target Milestone: | UCS 3.2-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Description
Florian Best
2013-11-27 11:19:59 CET
At least in our internal KVM environment, VNC does neither work with FF nor with Chromium.

(In reply to Alexander Kläser from comment #1)
> At least in our internal KVM environment, VNC does neither work with FF nor
> with Chromium.

Hm, I lied, now it works in both browsers.

From Firefox's error console:
> [08:27:27.232] Firefox kann keine Verbindung zu dem Server unter ws://localhost:17523/ aufbauen. @ http://laiva/univention-novnc/include/websock.js:285

Looks like a problem in noVNC to detect WS support: <https://github.com/Medical-Insight/noVNC/commit/ec34af8f6133f5b5603f47b0c3f91bde60e6d9b5>
A quick test shows that this work-around fixes the issue with Firefox 22.0.

Blocker in the UCS technical training.
Work-around: Use http:// instead of https://

It worked for all users still using Firefox 17 ESR and breaks when using ESR24 (as released as an errata update)

(In reply to Moritz Muehlenhoff from comment #5)
> It worked for all users still using Firefox 17 ESR and breaks when using
> ESR24 (as released as an errata update)

Another regression in Firefox 24 compared to 17; it's no longer possible to enter a "\" (as needed for a Windows 7 domain administrator login). Apparently a problem with parsing "Alt GR"?

(In reply to Moritz Muehlenhoff from comment #6)
> (In reply to Moritz Muehlenhoff from comment #5)
> > It worked for all users still using Firefox 17 ESR and breaks when using
> > ESR24 (as released as an errata update)
>
> Another regression in Firefox 24 compared to 17; it's no longer possible to
> enter a "\" (as needed for a Windows 7 domain administrator login).
> Apparently a problem with parsing "Alt GR"?

See Bug #30540 comment 5

(In reply to Philipp Hahn from comment #4)
> Blocker in the UCS technical training.

Happened again in technical training.

(In reply to Sönke Schwardt-Krummrich from comment #8)
> (In reply to Philipp Hahn from comment #4)
> > Blocker in the UCS technical training.
>
> Happened again in technical training.

To be more precise: the "http vs https" problem happened again.

r47293 | Bug #33587: Test for secured WebSocket port
univention-novnc_0.4+0+20131014+git142aa45-2.3.201401211307
r47297 | Bug #33587: Test for secured WebSocket port (YAML)

REOPEN:

When accessing the UMC with https://[IP-ADDRESS]/umc instead of the hostname and adding a certificate exception, the novnc connection is still not possible (Server disconnected, Error 1006). In the firefox browser console the certificate is blamed:

GET https://10.200.29.120:6080/ [0ms]
14:12:38.790 10.200.29.120:6080 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.
The certificate is only valid for ucsmaster.ucs.local

(Error code: sec_error_untrusted_issuer)

14:12:38.791 Firefox can't establish a connection to the server at wss://10.200.29.120:6080/?token=a078281f-9fe4-7327-adc5-b4b56c4addf4.

(In reply to Erik Damrose from comment #11)
> REOPEN:
>
> When accessing the UMC with https://[IP-ADDRESS]/umc instead of the hostname
> and adding a certificate exception, the novnc connection is still not
> possible (Server disconnected, Error 1006). In the firefox browser console
> the certificate is blamed:
>
> GET https://10.200.29.120:6080/ [0ms]
> 14:12:38.790 10.200.29.120:6080 uses an invalid security certificate.
>
> The certificate is not trusted because the issuer certificate is not trusted.
> The certificate is only valid for ucsmaster.ucs.local
>
> (Error code: sec_error_untrusted_issuer)
>
> 14:12:38.791 Firefox can't establish a connection to the server at
> wss://10.200.29.120:6080/?token=a078281f-9fe4-7327-adc5-b4b56c4addf4.

Firefox stores the SSL exceptions on a (host+port) basis, that is a second exception must be added for https://10.200.29.120:6080/. As this port is only accessed through wss://, Firefox does not show the well-known dialog to add a security exception.

Explicitly going to https:// currently does not work either, as the websockify daemon listening on port 6080 does only handle the WebSocket protocol, but not HTTP. But it has the --web= option to enable serving a directory through HTTP. This can be used to serve /usr/share/novnc/ through websockify and let UVMMd point there. When Firefox first goes there, it will ask for an exception for https://:6080/, then get the vnc_auto.html, which can then also open a connection using wss://:6080/.

r47330 | Bug #33587: noVNC: work-around Firefox security excetion
univention-novnc_0.4+0+20131014+git142aa45-3.4.201401212016
r47331 | Bug #33587: noVNC: work-around Firefox security exception (YAML)

Tested successfully with (Firefox, Chromium) × (http://, https://) × (IP-Address, Name).

See <https://github.com/kanaka/websockify/wiki/Feature_Matrix> for alternatives to the Python-websockify.

For reference: I get this exception from websockify, when Firefox connects without the prior security exception:

2: 192.168.0.191: SSL/TLS (wss://) WebSocket connection
2: handler exception: [Errno 1] _ssl.c:1331: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2: Traceback (most recent call last):
  File "/usr/share/novnc/utils/websocket.py", line 783, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/share/novnc/utils/websocket.py", line 714, in do_handshake
    wsh = WSRequestHandler(retsock, address, not self.web)
  File "/usr/share/novnc/utils/websocket.py", line 955, in __init__
    SimpleHTTPRequestHandler.__init__(self, req, addr, object())
  File "/usr/lib/python2.6/SocketServer.py", line 617, in __init__
    self.handle()
  File "/usr/lib/python2.6/BaseHTTPServer.py", line 329, in handle
    self.handle_one_request()
  File "/usr/lib/python2.6/BaseHTTPServer.py", line 312, in handle_one_request
    self.raw_requestline = self.rfile.readline()
  File "/usr/lib/python2.6/socket.py", line 444, in readline
    data = self._sock.recv(self._rbufsize)
  File "/usr/lib/python2.6/ssl.py", line 215, in recv
    return self.read(buflen)
  File "/usr/lib/python2.6/ssl.py", line 136, in read
    return self._sslobj.read(len)
SSLError: [Errno 1] _ssl.c:1331: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Also works with IE9 in Win7 using https://IP-Address/ and http://IP-Address/.

FYI: Long-term it would help to get WebSocket support into Apache on port 80, so the second SSL Exception would no longer be needed, but:
1. mod_proxy from Apache-2.2 does not support WebSocket, only >= 2.4.
2. alternatively mod_python to embed websockify into Apache
See <http://serverfault.com/questions/290121/configuring-apache2-to-proxy-websocket> for more information.
Both options I consider rather heavy-weight changes, which I don't consider appropriate for an erratum update. Accepting one more exception once is IMHO acceptable.

Tests with http, https, each with ip-address and hostname

WinXP:
Firefox 10, 26: OK
Chrome 32: OK
Internet Explorer 8 (latest available for XP): fail
-> But we recommend at least iexplorer version 9 in our release notes
-> OK, nothing we can do for XP w/ iexplorer

Win7:
Firefox 10, 26: OK
Chrome 32: OK
Internet Explorer 10: OK
Internet Explorer 11: Fail -> Bug #33968
Internet Explorer 9: shows certificate error, upon proceeding novnc complains that "WebSocket or Adobe Flash is required". Upon installing Adobe Flash, I receive a connect timeout via http and https. Documentation shows that websocket support is only available for iexplorer version >=10

Ubuntu 12.04:
Firefox 26: OK
Chromium 21: OK

->Verified