Trying to add TLS to static ticket auth example / pls help

Hi there, sorry for the repeated posts but I am having trouble making this work. I am trying to get some sanity on this config by using the examples but nothing is working for me.

I thought I would take the static ticket auth example and try to add the wss example config to the config.json of that example to try to get ticket auth within a TLS connection. So to accomplish this, I copied all the keys from the wss example to the static ticket auth example and then added the transports->endpoint->TLS section to it, and I changed ws:// in the static ticket auth client to wss://.

When the client tries to connect with this config I get: SSL error: certificate verify failed (in tls_process_server_certificate). Note that these are the same keys from the wss example and that one works.

Here is my config.json. Can anyone tell me what I am doing wrong?

{
    "version": 2,
    "workers": [
        {
            "type": "router",
            "options": {
                "pythonpath": [
                    ".."
                ]
            },
            "realms": [
                {
                    "name": "realm1",
                    "roles": [
                        {
                            "name": "backend",
                            "permissions": [
                                {
                                    "uri": "",
                                    "match": "prefix",
                                    "allow": {
                                        "call": true,
                                        "register": true,
                                        "publish": true,
                                        "subscribe": true
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                },
                                {
                                    "uri": "com.example.topic2",
                                    "match": "exact",
                                    "allow": {
                                        "call": false,
                                        "register": false,
                                        "publish": false,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                }
                            ]
                        },
                        {
                            "name": "frontend",
                            "permissions": [
                                {
                                    "uri": "com.example.add2",
                                    "match": "exact",
                                    "allow": {
                                        "call": true,
                                        "register": false,
                                        "publish": false,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                },
                                {
                                    "uri": "com.example.",
                                    "match": "prefix",
                                    "allow": {
                                        "call": false,
                                        "register": false,
                                        "publish": true,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                },
                                {
                                    "uri": "com.example.topic2",
                                    "match": "exact",
                                    "allow": {
                                        "call": false,
                                        "register": false,
                                        "publish": false,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                },
                                {
                                    "uri": "com.foobar.topic1",
                                    "match": "exact",
                                    "allow": {
                                        "call": false,
                                        "register": false,
                                        "publish": true,
                                        "subscribe": false
                                    },
                                    "disclose": {
                                        "caller": false,
                                        "publisher": false
                                    },
                                    "cache": true
                                }
                            ]
                        }
                    ]
                }
            ],
            "transports": [
                {
                    "type": "web",
                    "endpoint": {
                        "type": "tcp",
                        "port": 8080,
                        "tls": {
                            "key": "server_key.pem",
                            "certificate": "server_cert.pem",
                            "dhparam": "dhparam.pem",
                            "ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
                        }
                    },
                    "paths": {
                        "/": {
                            "type": "static",
                            "directory": "../web"
                        },
                        "shared": {
                            "type": "static",
                            "directory": "../../../../_shared-web-resources"
                        },
                        "ws": {
                            "type": "websocket",
                            "serializers": [
                                "json"
                            ],
                            "auth": {
                                "ticket": {
                                    "type": "static",
                                    "principals": {
                                        "client1": {
                                            "ticket": "${MYTICKET}",
                                            "role": "frontend"
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            ],
            "components": [
                {
                    "type": "class",
                    "classname": "backend.BackendSession",
                    "realm": "realm1",
                    "role": "backend"
                }
            ]
        }
    ]
}

I think the “safe” approach here would be if you could verify that the issue is specific to autobahn-java or if it is happening with other WAMP libraries as well.

Can you please test with autobahn-python example and see if you are able to connect?

Hi, thanks for the suggestion, will do. I just came back to say that the web based client in the static ticket auth example DOES seem to work. It uses joe / secret!!!. Once I added that as a valid ticket, it worked with wss://. However I need this to work with Python clients. And I’m sorry, this is all autobahn-python. I have not tried with autobahn-java yet. You can move this to the proper category if it is misplaced. I guess it is.

I have found this bug report and it suggests that autobahn-java does not currently support self-signed certificates: https://github.com/crossbario/autobahn-java/issues/257

Currently I am just going out of the crossbario/crossbar-examples. Would this bug apply to that as well?

I can’t get a commercial SSL cert to work either. More details here: Problems with static ticket auth within TLS
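For the "certificate verify failed" error a Python client reports in this thread, the check below shows which verification step fails and whether trusting a specific PEM file resolves it while verification stays enabled. It is an added example, not code from the thread or from the Crossbar/Autobahn projects, and uses only Python's standard `ssl` module. The host `localhost` is an assumption; the port and `server_cert.pem` are the values from the posted config.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes that most often sit behind "certificate verify failed".
VERIFY_HINTS = {
    10: "certificate has expired: reissue it or check the client clock",
    18: "self-signed leaf certificate: trust it explicitly via cafile",
    19: "self-signed root in the chain: put that root CA in cafile",
    20: "issuer not found locally: cafile lacks the CA or an intermediate",
    21: "cannot verify leaf signature: the server sends an incomplete chain",
    62: "hostname mismatch: the host in the URL is not in the certificate",
}


def explain(verify_code):
    """Map an OpenSSL verify code to a short remediation hint."""
    return VERIFY_HINTS.get(verify_code, f"OpenSSL verify code {verify_code}")


def client_context(cafile=None):
    """Verifying client context: system roots, or only the PEM file given."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Verification stays on; trust is narrowed to cafile instead of disabled.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe(host, port, cafile=None, timeout=5.0):
    """Attempt one verified TLS handshake and return (ok, detail)."""
    try:
        ctx = client_context(cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"verified: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return False, explain(exc.verify_code)
    except OSError as exc:  # refused connection, timeout, missing file, non-TLS peer
        return False, f"not a certificate problem: {exc}"


if __name__ == "__main__":
    # Assumed values: host "localhost"; port and file name as in the posted config.
    for ca in (None, "server_cert.pem"):
        print(f"cafile={ca}:", probe("localhost", 8080, cafile=ca))
```

If the first probe fails with a self-signed or missing-issuer hint and the second succeeds, the client only needs that certificate (or its CA) added to its trust settings; a hostname-mismatch hint means the name in the `wss://` URL has to match the certificate.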