v7.6.4

.gitignore

@@ -1,3 +1,7 @@
 build
 *.pyc
 venv
+ixsnake/ixsnake/.certs/
+site/
+ws/.certs/
+ws/.srl

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:edge as build
+FROM alpine:3.11 as build
 
 RUN apk add --no-cache gcc g++ musl-dev linux-headers cmake openssl-dev 
 RUN apk add --no-cache make
@@ -16,7 +16,7 @@ WORKDIR /opt
 USER app
 RUN [ "make", "ws_install" ]
 
-FROM alpine:edge as runtime
+FROM alpine:3.11 as runtime
 
 RUN apk add --no-cache libstdc++
 RUN apk add --no-cache strace

docs/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
-All notable changes to this project will be documented in this file.
+All changes to this project will be documented in this file.
+
+## [7.6.4] - 2019-12-22
+
+(client) error handling, quote url in error case when failing to parse on
+(ws) ws_cobra_publish: register callbacks before connecting
+(doc) mention mbedtls in supported ssl server backend
+
+
+## [7.6.3] - 2019-12-20
+
+(tls) add a simple description of the TLS configuration routine for debugging
+
+## [7.6.2] - 2019-12-20
+
+(mbedtls) correct support for using own certificate and private key
+
+## [7.6.1] - 2019-12-20
+
+(ws commands) in websocket proxy, disable automatic reconnections + in Dockerfile, use alpine 3.11
 
 ## [7.6.0] - 2019-12-19
 

docs/ws.md

@@ -247,7 +247,7 @@ Options:
 
 [cobra](https://github.com/machinezone/cobra) is a real time messenging server. ws has several sub-command to interact with cobra. There is also a minimal cobra compatible server named snake available.
 
-Below are examples on running a snake server and clients with TLS enabled (the server only works with the OpenSSL backend for now).
+Below are examples on running a snake server and clients with TLS enabled (the server only works with the OpenSSL and the Mbed TLS backend for now).
 
 First, generate certificates.
 
@@ -366,4 +366,4 @@ $ ws cobra_publish --endpoint wss://127.0.0.1:8765 --appkey FC2F10139A2BAc53BB72
 [2019-12-19 20:46:42.659] [info] Published message id 3 acked
 ```
 
-To use OpenSSL on macOS, compile with `make ws_openssl`. First you will have to install OpenSSL libraries, which can be done with Homebrew.
+To use OpenSSL on macOS, compile with `make ws_openssl`. First you will have to install OpenSSL libraries, which can be done with Homebrew. Use `make ws_mbedtls` accordingly to use MbedTLS.

ixcobra/ixcobra/IXCobraMetricsThreadedPublisher.cpp

@@ -98,6 +98,8 @@ namespace ix
     {
         _channel = channel;
 
+        ix::IXCoreLogger::Log(socketTLSOptions.getDescription().c_str());
+
         ix::WebSocketPerMessageDeflateOptions webSocketPerMessageDeflateOptions(enablePerMessageDeflate);
         _cobra_connection.configure(appkey, endpoint,
                                     rolename, rolesecret,

ixwebsocket/IXSocketMbedTLS.cpp

@@ -71,11 +71,16 @@ namespace ix
 
         if (_tlsOptions.hasCertAndKey())
         {
-            if (mbedtls_x509_crt_parse_file(&_cacert, _tlsOptions.certFile.c_str()) < 0)
+            if (mbedtls_x509_crt_parse_file(&_cert, _tlsOptions.certFile.c_str()) < 0)
             {
                 errMsg = "Cannot parse cert file '" + _tlsOptions.certFile + "'";
                 return false;
             }
+            if (mbedtls_pk_parse_keyfile(&_pkey, _tlsOptions.keyFile.c_str(), "") < 0)
+            {
+                errMsg = "Cannot parse key file '" + _tlsOptions.keyFile + "'";
+                return false;
+            }
         }
 
         if (_tlsOptions.isPeerVerifyDisabled())
@@ -84,7 +89,7 @@ namespace ix
         }
         else
         {
-            mbedtls_ssl_conf_ca_chain(&_conf, &_cacert, NULL);
+            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 
             // FIXME: should we call mbedtls_ssl_conf_verify ?
 
@@ -97,7 +102,13 @@ namespace ix
                 errMsg = "Cannot parse CA file '" + _tlsOptions.caFile + "'";
                 return false;
             }
-            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+
+            mbedtls_ssl_conf_ca_chain(&_conf, &_cacert, NULL);
+
+            if (_tlsOptions.hasCertAndKey())
+            {
+                mbedtls_ssl_conf_own_cert(&_conf, &_cert, &_pkey);
+            }
         }
 
         if (mbedtls_ssl_setup(&_ssl, &_conf) != 0)

ixwebsocket/IXSocketMbedTLS.h

@@ -45,6 +45,7 @@ namespace ix
         mbedtls_ctr_drbg_context _ctr_drbg;
         mbedtls_x509_crt _cacert;
         mbedtls_x509_crt _cert;
+        mbedtls_pk_context _pkey;
 
         std::mutex _mutex;
         SocketTLSOptions _tlsOptions;

ixwebsocket/IXSocketTLSOptions.cpp

@@ -8,6 +8,7 @@
 
 #include <assert.h>
 #include <fstream>
+#include <sstream>
 
 namespace ix
 {
@@ -71,4 +72,15 @@ namespace ix
     {
         return _errMsg;
     }
+
+    std::string SocketTLSOptions::getDescription() const
+    {
+        std::stringstream ss;
+        ss << "TLS Options:" << std::endl;
+        ss << "  certFile = " << certFile << std::endl;
+        ss << "  keyFile  = " << keyFile << std::endl;
+        ss << "  caFile   = " << caFile << std::endl;
+        ss << "  ciphers  = " << ciphers << std::endl;
+        return ss.str();
+    }
 } // namespace ix

ixwebsocket/IXSocketTLSOptions.h

@@ -43,6 +43,8 @@ namespace ix
 
         const std::string& getErrorMsg() const;
 
+        std::string getDescription() const;
+
     private:
         mutable std::string _errMsg;
         mutable bool _validated = false;

ixwebsocket/IXWebSocketTransport.cpp

@@ -144,7 +144,9 @@ namespace ix
 
         if (!UrlParser::parse(url, protocol, host, path, query, port))
         {
-            return WebSocketInitResult(false, 0, std::string("Could not parse URL ") + url);
+            std::stringstream ss;
+            ss << "Could not parse url: '" << url << "'";
+            return WebSocketInitResult(false, 0, ss.str());
         }
 
         std::string errorMsg;

ixwebsocket/IXWebSocketVersion.h

@@ -6,4 +6,4 @@
 
 #pragma once
 
-#define IX_WEBSOCKET_VERSION "7.5.8"
+#define IX_WEBSOCKET_VERSION "7.6.4"

ws/ws_cobra_publish.cpp

@@ -43,7 +43,6 @@ namespace ix
                        rolesecret,
                        ix::WebSocketPerMessageDeflateOptions(true),
                        tlsOptions);
-        conn.connect();
 
         // Display incoming messages
         std::atomic<bool> authenticated(false);
@@ -94,6 +93,8 @@ namespace ix
             }
         });
 
+        conn.connect();
+
         while (!authenticated)
             ;
         while (!messageAcked)

ws/ws_proxy_server.cpp

@@ -61,7 +61,7 @@ namespace ix
 
             // Server connection
             state->webSocket().setOnMessageCallback([webSocket, state, verbose](
-                                                        const WebSocketMessagePtr& msg) {
+                                                     const WebSocketMessagePtr& msg) {
                 if (msg->type == ix::WebSocketMessageType::Open)
                 {
                     std::cerr << "New connection" << std::endl;
@@ -120,6 +120,7 @@ namespace ix
                     std::string url(remoteUrl);
                     url += msg->openInfo.uri;
                     state->webSocket().setUrl(url);
+                    state->webSocket().disableAutomaticReconnection();
                     state->webSocket().start();
 
                     // we should sleep here for a bit until we've established the