
Unable to connect to Websocket server over TLS

I have been testing the functionality of Websockets using a Javascript front-end and Java back-end. I have managed to get communication between client and server working on standard HTTP/WS protocols, but would like to enable HTTPS for serving up the front-end (website) and then use WSS for connecting to the server Java Endpoint.

So far I have set up the website with HTTPS/TLS using a self-signed certificate, and I am able to navigate to the website using the HTTPS protocol: "https://domain-name.chat".

Now I assumed it was just a matter of changing the protocol in the URI to WSS when establishing a new Websocket connection, so I changed the URI to "wss://domain.name.chat/serverEndpoint".

Now when I load the webpage the connection is not made, because it fires the Websocket.onclose() event handler.

I know there is nothing wrong with the code because it was previously working using HTTP/WS.

Am I right in understanding that Websockets doesn't have the issues of cross-domain script blocking?

Am I missing a step in the process of setting up HTTPS/WSS?

EDIT: Added Virtual host information for the website domain

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName domain-name.chat
    ServerAlias www.domain-name.chatt

    DocumentRoot /usr/local/apache-tomcat-7.0.47/webapps/WebSocketChat/
    RewriteEngine on
    RewriteRule ^/(.*)$ /WebSocketChat/$1 [l,PT]
    JkMount /* worker2

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

</VirtualHost>
</IfModule>

This is the connector setup in server.xml for Tomcat7:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="250" scheme="https" secure="true"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

Since you are using a self-signed certificate, there is a chance that the browser is refusing to connect even when everything is set up correctly.

For instance, my Safari browser will not connect to my self-signed certificate server (Iodine) while Chrome will.

I think Safari keeps checking the certificate Registry while Chrome doesn't (if you pass the warning screen)... It's browser specific.

The Websocket protocol states that browsers should terminate the connection if the certificate isn't valid.

As for:

Am I right in understanding that Websockets doesn't have the issues of cross-domain script blocking?

It's not so simple and there is a minor security header that prevents cross-site scripting.

Although the security on this point is very easy to circumvent, browsers send the header Origin which states the original URL. When you try to connect to a Websocket on a different URL, the server is likely to refuse that connection unless it is set up to accept connections from any origin.

Edit: Another thought, brought on by the comments, is that your server might not be set up properly. Did you connect to the clear-text websocket server directly or using Apache? For Apache to proxy Websockets, some adjustments need to be made (search for mod_websocket).
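
The Origin check described in the answer above, written for a JSR 356 (javax.websocket) endpoint of the kind Tomcat 7 hosts. This is an added example, not code from the original post; the class name OriginAllowList and the single allow-list entry (taken from the site URL in the question) are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import javax.websocket.server.ServerEndpointConfig;

// Hypothetical configurator: the container calls checkOrigin() during the
// opening handshake and refuses the connection when it returns false.
// Attach with: @ServerEndpoint(value = "/serverEndpoint",
//                              configurator = OriginAllowList.class)
public class OriginAllowList extends ServerEndpointConfig.Configurator {

    // Assumption: only the HTTPS site from the question may open the socket.
    private static final Set<String> ALLOWED =
            Collections.singleton("https://domain-name.chat");

    @Override
    public boolean checkOrigin(String originHeaderValue) {
        // Origin is set by the browser, so this stops other sites' pages from
        // using a visitor's session; non-browser clients can send any value,
        // so it does not replace authentication.
        String origin = normalize(originHeaderValue);
        return origin != null && ALLOWED.contains(origin);
    }

    // Reduce an Origin header to scheme://host[:port], lower-cased, with the
    // scheme's default port dropped. Returns null for anything malformed.
    static String normalize(String header) {
        if (header == null) return null;
        String value = header.trim();
        if (value.isEmpty() || "null".equals(value)) return null; // opaque origin
        try {
            URI u = new URI(value);
            if (u.getScheme() == null || u.getHost() == null) return null;
            // A well-formed Origin has no user-info, path, query or fragment.
            boolean hasPath = u.getPath() != null && !u.getPath().isEmpty();
            if (hasPath || u.getUserInfo() != null
                    || u.getQuery() != null || u.getFragment() != null) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            String host = u.getHost().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            boolean isDefault = port == -1
                    || ("https".equals(scheme) && port == 443)
                    || ("http".equals(scheme) && port == 80);
            return scheme + "://" + host + (isDefault ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
```

Because the comparison includes the scheme, a page served over plain HTTP is rejected even when the host name matches.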
