Websocket security

Posted on
  • Hi! help with the Websocket security client example.

  • ...there is a bit more needed to understand which part of it you need help with... such as: what did you and could do successfully, what avenues you went down to - literally - go down, and where and with what are you stuck right now /:

  • I try so:

    SPI3.setup({ mosi:B5, miso:C11, sck:C10 });
    var eth = require("WIZnet").connect(SPI3, D0);
    eth.setIP({ip : "",subnet : "",gateway:"",dn­s:""});
    var WebSocket = require("ws");
    const ws = new WebSocket('echo.websocket.org', {
        port: 80
    ws.on('open', function() {
        ws.send("hello world");
    ws.on('message', function(message) {
        console.log('received: ', message);

    how to use WSS correctly?

    ws = new WebSocket('wss://echo.websocket.org', {
        port: 443


  • What board are you on?

  • Thr 2018.11.08

    @Wilberforce, I'm going to side with you on this, start with the board type.

    But, isn't it as simple as in Line 1 setup?

    SPI3.setup({ mosi:B5, miso:C11, sck:C10 });

    When I played with Espruino Original, Pico and Wifi, for hardware SPI, wasn't the SPI requirement that all pins had to stay with the same SPI designation?

    and, when one checks the board pinouts, @Gordon did a fantastic job on establishing a firm naming convention, and keeping it consistent. e.g. A pins with SPIn for instance

    Unless the non-Espruino boards have a different labeling requirement, seems to be a good place to start.

    @MaksR please post the board type and verify with the online docs about SPI pin designation.

    If that doesn't solve the issue would you please post some output as in the paths tried, as @allObjects pointed out. It is extremely difficult for those willing to expend their valuable time to assist without some basic foundation to work with.

    'help with the Websocket security client example'

    Were you working from an online snippet perhaps and would you please post that link?

    'how to use WSS correctly?'

    Are you asking if this is the correct syntax to set up a WebSocket, perhaps?

  • Board: STM32F4DISCOVERY + W5500 NET
    Library "crypto " added to firmware (mbedtls).
    SPI interface works!
    Using WS and 80 port I get a response from echo.websocket.org "hello world"
    Also I tried to connect to https server. It works!

    ws = new WebSocket('wss://echo.websocket.org', {
        port: 443

    does not work!

    may be incorrect syntax or something?

  • Ok, I think the issue is that by default the WebSocket example just uses the net library to initialise a connection, not tls: https://github.com/espruino/EspruinoDocs­/blob/master/modules/ws.js#L94

    So ideally changing the library to do this:

    WebSocket.prototype.initializeConnection­ = function () {
        host: this.host,
        port: this.port
      }, this.onConnect.bind(this));

    would probably work. Unfortunately the way it's done (not actually exporting WebSocket itself) means that you can't actually modify just that function when loading in the library - you'd have to copy the module, change it, and load it in yourself.

  • Thank you!
    what to do with mbedtls_ssl_handshake returned -0x7 ?

  • Handshake from Wireshark:
    Espruino - Client Hello:

       TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 49
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 45
            Version: TLS 1.2 (0x0303)
            Random: 30de5c92dbfd4ddcb00fa82fed023683b8b89978­8e0e189e...
                GMT Unix Time: Dec 25, 1995 11:10:58.000000000 RTZ 2 (зима)
                Random Bytes: dbfd4ddcb00fa82fed023683b8b899788e0e189e­3b5f5a72...
            Session ID Length: 0
            Cipher Suites Length: 6
            Cipher Suites (3 suites)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)

    Tomcat 9.13 - Handshake Failure:

       TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

    Maybe the problem is due to version: TLS 1.0 (0x0301)?
    or Random (GMT Unix Time)?
    or Cipher Suites ?

  • Maybe you could try providing pre-made certs when you connect? http://www.espruino.com/Reference#l_tls_­connect

  • Referring to #7

    I tried this on the Linux build and there was no -x07 error

  • in module wss.js:

    function WebSocket(host, options) {
      this.socket = null;
      options = options || {};
      this.host = host;
      this.port = options.port || 80;
      this.protocolVersion = options.protocolVersion || 13;
      this.origin = options.origin || 'Espruino';
      this.keepAlive = options.keepAlive * 1000 || 60000;
      this.masking = options.masking!==undefined ? options.masking : true;
      this.path = options.path || "/";
      this.protocol = options.protocol;
      this.lastData = "";
      this.secWebSocketKey = buildKey();
      this.cert = options.cert;
      this.key = options.key;
      this.ca = options.ca;
      this.connected = false || options.connected;
      this.headers = options.headers || {};
    WebSocket.prototype.initializeConnection­ = function () {
        host: this.host,
        port: this.port,
        ca: this.ca,
        cert: this.cert,
        key: this.key
      }, this.onConnect.bind(this));

    Espruino code:

    SPI3.setup({ mosi:B5, miso:C11, sck:C10 });
    var eth = require("WIZnet").connect(SPI3, D0);
    eth.setIP({ip : "",subnet : "",gateway:"",dn­s:""});
    var WebSocket = require('wss');
    const ws = new WebSocket('', {
          path: '/time/ws',
          port: 8443,
          protocolVersion: '13',
          protocol : "chat", // optional websocket protocol
          origin: '',
         // keepAlive: 60,  // Ping Interval in seconds.
         // headers:{ some:'header', 'another-header':42 } // optional websocket headers
         ca: atob("MIIFaTCCA1GgAwIBAgIJANSBTFhEm7iTMA­0GCSqGSIb3DQEBCwUAMEsxCzAJBgNVBAYTAlJVMQ­8wDQYDVQQIDAZSdXNzaWExEzARBgNVBAoMCkxvZ2­ljaG91c2UxFjAUBgNVBAMMDUxvZ2ljaG91c2UgQ0­EwHhcNMTYxMDA0MTkxNDEzWhcNMjYxMDAyMTkxND­EzWjBLMQswCQYDVQQGEwJSVTEPMA0GA1UECAwGUn­Vzc2lhMRMwEQYDVQQKDApMb2dpY2hvdXNlMRYwFA­YDVQQDDA1Mb2dpY2hvdXNlIENBMIICIjANBgkqhk­iG9w0BAQEFAAOCAg8AMIICCgKCAgEAmIc8oR9feU­tXztaQQBnwMkXoIjGb6+6DIADk/J/VflTOYk6tin­j0Si7+3jAYrHjUZHGDTvTa52In10xcat5h9oW8hy­3PekmbO2/C88zh/gbcgX5O7StvU3PWk4TdVTJk+Y­3stxajBgEvrh+CXmb+iztmFltG7ySbyqifa4LTkV­q2udmsBcQAScaUd7EZ3/ZZejd9ShzzHpnA58s9YW­1j+DdQ+GAwxfYB6LhvtRpkrybDoPVWgJDbl7Q4Wu­Ocx56+MhjQMbzRM2K9vWOzZns/Un0YZe6rokDjur­XuOpOsp9IzVkK9lE2jeqDQRkf4RxiFy5vEuZRjpx­7haZAajeNevoG28RwKe64VDsYHQCgQcs7VRXokvP­nrCgAlRpeZmIpVWHxb8xR3+VU0cw+DIg75nQBf74­KfPmCyhhVAvsN3ljC9rb9Rzf8/X4mMBP15JJk5v9­EgXUqmSiYfSTSfGYl6J9jiJW3wNtf48v2DRVw83K­I1NjVi3RkYkACayqEupk1cIDNKvHP0Vdh0L+JeHN­GXHPK/LwtOomVF8j9u5tr9hjoIf12luA8vbSxSpT­BRRpuV3IGAzl268c92Uh0wzNUmsfBz3aZY/+PvFR­XFiIljiHFKL/Wq0eJKjtBJZZxckJpBWgYUUR18Yv­R+JMRMpwIMNfLjkgGmxyPbsbSkfD+vsr8CAwEAAa­NQME4wHQYDVR0OBBYEFKT60m+kotmyktFFsy9Wei­kad/pMMB8GA1UdIwQYMBaAFKT60m+kotmyktFFsy­9Weikad/pMMAwGA1UdEwQFMAMBAf8wDQYJKoZIhv­cNAQELBQADggIBAImZKZ/nuT/UtZf/9PLKmVDcH3­hi5qt0bYZ6BNJ66smpA5XyJOInMzapHmuqPYObj7­Yk52qfDOLWrVEHddf29rwkiVQcgriYt9HHZNBF8A­dkK5fglDN1jUPpPRUG64iewXM31WizMN7bSlAqeM­anYui2rw9bvqSDpkt9HTVHY+bbdH1t0DJIo7sm1u­TJefugfZC9EoIW3Qtt8ErBdpPimerN7CAQiNXuaB­h9JOafEZFUkWIdp4O9oEGkn6oHTeyhaTaZ+Na3sT­UIvCTgPRcJO8GwZHCbE27mXeN/aycTrMxFJfFvp7­F5zv8vKsbhQqkxpye2YrKeeIxOt8vA8MS/hRiHhB­CE4dRo34QV61U5R/TyaDJkHuhLPfKH6+80ZNE7fM­dSJQCfcd1ySPcCrrwmeaXf9gZ6YgtgFJjSKArYsB­v4/ChVf3U7q6bI5anUdluol69jc0lbNUzV3o/FQV­gAxcY/BM171SFEqKlriLmeAyJSBH/ovfHhGp1mIQ­iHs9KOtibS079tXALP4hORUHFmsk1rDdqSJ0GdkR­gbbEkecJLOTa5nmeriSZ6CaOcA9vPdpQxb36fZvZ­L9KfqzsraoNIOM3TDXTOJ3kCOvlF3g3t2gamJxNg­w6wSZW2R/1sRvJvXm99r3V0uUq9dMTLZ6DB2fdhz­J14a2xYwlVtvwpbibG")
    ws.on('message', function(message) {
        console.log('received: ', message);
    ws.on('close', function() {
      console.log("Connection closed");
 - real ip with Tomcat 9.0.13 and websocket (wss:// + server.crt sign ca

    Espruino error: mbedtls_ssl_handshake returned -0x7780.
    Wireshark shows that the stage of certificate exchange is not coming !? (I'm not sure).
    Tomcat responds with Handshake Failure.

    Сan tomcat not like Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256 ?

    But Espruino is connected to the node.js server! (certificates are the same) , node.js client and browser connects to Tomcat.

    1 Attachment

    • wireshark.png
  • Post a reply
    • Bold
    • Italics
    • Link
    • Image
    • List
    • Quote
    • code
    • Preview

Websocket security

Posted by Avatar for MaksR @MaksR