Can't connect via TLS #55

Closed
hillelt opened this issue Jan 14, 2019 · 21 comments

Comments

@hillelt

hillelt commented Jan 14, 2019

I installed spark from npm (v0.2.2) and I can connect locally. However, when starting the server with spark-wallet -i 0.0.0.0 and browsing to https://<internal_ip>:9737 my web browser times out trying to establish connection. The client machine is a different box on my home network and I tried connecting with Firefox, Chrome and Brave, all timing out in the same fashion.

Note that I can telnet to the internal ip and the server machine is responsive. It seems like something in the TLS handshake might be broken.

On the server:

>> spark-wallet -i 0.0.0.0
...
HTTPS server running on https://0.0.0.0:9737

On the client (browsers timing out, telnet is working):

>> telnet <internal_ip> 9737
Trying x.x.x.x...
Connected to ubuntu-server.
Escape character is '^]'.
@hillelt
Author

hillelt commented Jan 18, 2019

Also, if I start spark with spark-wallet -i 0.0.0.0 --no-tls then I can connect from remote machines -- the problem is definitely with TLS.

@shesek
Owner

shesek commented Jan 20, 2019

Can you try making a request from a remote machine using curl --verbose https://<internal_ip>:9737 and report the output here?

@hillelt
Author

hillelt commented Jan 20, 2019

Yes. When I run it it gets stuck for a couple of minutes in the following state:

>> curl --verbose https://<internal_ip>:9737
* Rebuilt URL to: https://<internal_ip>:9737/
*   Trying <internal_ip>...
* TCP_NODELAY set
* Connected to <internal_ip> (internal_ip) port 9737 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /home/<my_user>/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

and then prints the error below and exits:

* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <private_ip>:9737 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <private_ip>:9737

@shesek
Owner

shesek commented Jan 20, 2019

Are you able to access it from the same host running the server using curl -v https://localhost/?

@hillelt
Author

hillelt commented Jan 20, 2019

No, I can't. It fails with essentially the same output as before (changing the issue title to reflect).

@hillelt hillelt changed the title Can't connect remotely via TLS Can't connect via TLS Jan 20, 2019
@ghost

ghost commented Jan 28, 2019

I have the same problem and can't use Spark wallet except with --no-tls.

@shesek
Owner

shesek commented Jan 28, 2019

@hillelt @sumBTC which OS and nodejs version are you using?

Btw, another alternative that you could consider is using --onion. This will start a hidden service that you could connect to from everywhere, without worrying about NATs and router configuration. You also get strong encryption with a key that is pinned to the .onion hostname (so you don't need CAs). This doesn't require pre-installing Tor on your system, should (hopefully) Just Work ™. :)

@ghost

ghost commented Jan 29, 2019

Ubuntu 16.04, spark-wallet 0.2.2 and nodejs 11.8.0

@hillelt
Author

hillelt commented Jan 29, 2019

Ubuntu 18.04 spark-wallet 0.2.2 nodejs v11.6.0

Got an error trying to start with --onion (opened #60)

@astupidmoose

Can confirm, also cannot open without the --no-tls flag. Simply goes to "connection refused".

@k3tan172

Can also confirm, cannot open without the --no-tls flag.

@hillelt
Author

hillelt commented Feb 23, 2019

By the way, I just found out that my router (Bezeq Be) comes with a "secure surfing" protection that randomly blocks me from establishing secure connections with certain websites (e.g. Tor). Not sure yet, but I have a feeling the problems might be related.

@pseudozach

Having the same issue on Debian. Port allowed on firewall, but HTTPS fails. --no-tls works.
No luck with my certificates or lets-encrypt either.

@scottshapiro

Same issue on Ubuntu 16. Can't access remotely.

@hillelt
Author

hillelt commented Mar 17, 2019

@shesek see also https://github.com/mimblewimble/grin/issues/2523 (maybe an opportunity for cross pollination: solutions like i2pd might be relevant for spark or maybe some of the work on spark-wallet could be relevant to grin).

@alko89

alko89 commented Mar 21, 2019

I am unable to open even with --no-tls flag. Keeps redirecting to https.

@pseudozach

As a workaround I managed to get HTTPS working with ngrok.
Run spark regularly on localhost and start ngrok to tunnel the port to a remote HTTPS domain.
Tested and works with both spark and KwH.

@ghost

ghost commented Dec 24, 2019

@shesek After trying to tweak tls/ssl for Ubuntu for days and not being able to connect via openssl s_client -connect IP:9737 (local or external IP), I decided to look at tls.js. I managed to get spark-wallet working over tls (so without --no-tls) in a browser. The App still can't connect but maybe my solution gives you enough information to get the App working as well.

In tls.js I had to change

socket.resume();

into

process.nextTick(() => socket.resume());

and that made spark-wallet finally work in a browser (including the camera permission) without --no-tls.

See the comment (As of NodeJS 10.x ...) in your own hint.

I don't understand why the App still refuses to connect. I have added the TLS certificate (cert.pem) as a user trusted certificate. I don't see anything in the server logs when the App tries to connect, while I do see text lines appear when spark-wallet (successfully) connects in a browser.

Now, I would be more than happy to use spark-wallet in a browser, but there the camera has permission, and when I try to scan a QR-code (for example via coinpanic.com) a red line starts scanning but the QR-code isn't read, whatever I try. While with the App (with --no-tls) the QR-code is read immediately.

shesek added a commit that referenced this issue Dec 25, 2019
This is necessary as of nodejs 10 and was preventing TLS from working properly (#55).

Thanks to @sumBTC for figuring this out! #55 (comment)

Also see the "As of NodeJS 10 ..." comment in https://stackoverflow.com/a/42019773/865693
@shesek
Owner

shesek commented Dec 25, 2019

@sumBTC Thank you! I was finally able to reproduce the issue by upgrading to nodejs 10 and was able to resolve it by resuming the socket asynchronously as you suggested. I implemented this in 3fc7e1a.

I don't understand why the App still refuses to connect. I have added the TLS certificate (cert.pem) as a user trusted certificate.

I'm not entirely sure, but I think that some Android versions/configurations may not respect user-trusted certificates for connections made by apps (and block the requests). It worked for me when I tried it a while back (I normally use onion), but I've heard of others having issues.

the QR-code isn't read

Which browser and version are you using?

I'm wondering if this is also somehow related to the user-trusted self-signed tls certificate. Websites without tls or with invalid certs are not allowed to access the camera, perhaps this restriction is still in place for websites with user-trusted certs?

I'll try to look a bit more into how user-trusted certs affect these two issues. Would it be possible for you to point some (sub)domain at your IP address and try the letsencrypt integration, to help pinpoint if the self-signed cert is the cause?

@ghost

ghost commented Dec 25, 2019

@shesek

I was finally able to reproduce the issue

Glad to hear that because if you can't reproduce an issue it's kind of impossible to solve it.

Websites without tls or with invalid certs are not allowed to access the camera

But I am allowed to access the camera now that tls is working.

Which browser and version are you using?

I tried it with Google Chrome (79.0.3967.93) and Firefox (6.8.30) (on my android (9) phone). Both give me permission to use the camera and start scanning the QR code for Pay but are never able to read it and report back what's in the QR-code while other scanners report back immediately (including the spark-wallet App)

Am I right that Pay will not accept any QR-code but only specific QR-codes that are valid invoices? If so, I think the problem lies there. The QR-code is not seen as valid for some reason.

@shesek
Owner

shesek commented Dec 25, 2019

Alright, seems like the original issue here was (finally!) resolved. I created #134 and #135 to keep track of the other two issues raised by @sumBTC.

@shesek shesek closed this as completed Dec 25, 2019
7 participants