mORMot Open Source

What browser are you using? I recently noticed a similar situation in browsers other than Firefox.

Ab, I apologize for the language barrier, and I thank you in advance for your attention.

I was able to identify the issue that caused confusion here. The conclusion is that when SChannel is used, the certificate generated by the call to InitNetTlsContextSelfSignedServer(FTls, Algo, {UsePreComputed=}TRUE) only works with mormot2, or curl, and is not valid and/or compatible with current browsers. However, when a .pfx certificate is used, and not the precomputed one, it works normally.

Ab, check this out:

I ran an additional step with openssl, as documented in TSChannelNetTls.AfterBind:

openssl pkcs12 -inkey private.key -in certificate.crt -export -out certificate.pfx

Using ...

InitNetTlsContext(FTls, True, 'C:\Devel\eCentric-11\certificate\certificate.pfx', 'C:\Devel\eCentric-11\certificate\private.key');

Or ...

FWsServer.WaitStarted(10, 'C:\Devel\eCentric-11\certificate\certificate.pfx', 'C:\Devel\eCentric-11\certificate\private.key');

And, ignoring the server-side exception...

It worked again!!!

The browser displays the usual warning:

Your connection is not private Attackers might be trying to steal your information from 192.168.0.128 (for example, passwords, messages, or credit cards). Learn more about this warning net::ERR_CERT_AUTHORITY_INVALID Turn on enhanced protection to get Chrome's highest level of security This server could not prove that it is 192.168.0.128; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to 192.168.0.128 (unsafe).

And the websocket client (wss) also works.

The certificate has been deleted from Windows!!!

Working with or without openssl

Ab, in my understanding it doesn't work when we use InitNetTlsContextSelfSignedServer(FTls, Algo).

What do you think ?

Ok, I'll test as suggested.

I tried using openssl but I'm getting the following error:

[dcc64 Error] mormot.crypt.openssl.pas(879): E2250 There is no overloaded version of 'AlgoName' that can be called with these arguments
[dcc64 Error] mormot.crypt .openssl.pas(966): E2250 There is no overloaded version of 'AlgoName' that can be called with these arguments
[dcc64 Fatal Error] mor.wss.acceptor.pas(918): F2063 Could not compile used unit 'mormot. crypt.openssl.pas' Failed

Ab, I also tested it this way, and the exception continues to occur on the server side, in any version of TLS

PS C:\Windows\system32> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11
PS C:\Windows\system32> Invoke-WebRequest -Uri https://192.168.0.128:7799

PS C:\Windows\system32> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS C:\Windows\system32> Invoke-WebRequest -Uri https://192.168.0.128:7799

PS C:\Windows\system32> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13
PS C:\Windows\system32> Invoke-WebRequest -Uri https://192.168.0.128:7799

Ab, with curl, there is no exception at server side:

C:\Tools\curl\bin>curl -v -k "https://192.168.0.128:7799"
*   Trying 192.168.0.128:7799...
* Connected to 192.168.0.128 (192.168.0.128) port 7799
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=127.0.0.1
*  start date: Jul  6 20:15:22 2022 GMT
*  expire date: Jul  3 20:15:22 2032 GMT
*  issuer: CN=127.0.0.1
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 192.168.0.128:7799
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: ecentric.I11
< Content-Length: 0
<
* Connection #0 to host 192.168.0.128 left intact

Hi Ab,

I'm using InitNetTlsContextSelfSignedServer. It was working perfectly since my first tests. Now, it only works in mormot2 connections (wss client, for example) to mormot2 (wss server, for example), and the following exception occurs when connected via browser (https, or wss):

:00007FFFD9D0FABC ; C:\Windows\System32\KERNELBASE.dll
System._RaiseAtExcept(???,???)
System._RaiseExcept(???)
mormot.net.sock.TSChannelNetTls.ESChannelRaiseLastError('''¼'#0#0#0#0#0'&'#3#9'€'#0#0#0#0#0#0#0#0#3#0#0#0'xy’'#7#0#0#0#0#$1C#1#1#0'&'#3#9'€ày’'#7#0#0#0#0'¨&¼'#0#0#0#0#0'€¼Á'#4#0#0#0#0'Õ''¼'#0#0#0#0#0'&'#3#9'€'#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0'P'#$B'¼'#0#0#0#0#0'ðD»'#4#0#0#0#0#8'ÿ’'#7#0#0#0#0'Àz’'#7#0#0#0#0#0#0#0#0#0#0#0#0'<'#4#0#0#0#0#0#0'ðD»'#4'8J'#0#0'PNî'#6#0#0#0#0#0#0#0#0'&'#3#9'€`z’'#7#0#0#0#0' !¼'#0#0#0#0#0'€¼Á'#4#0#0#0#0'Â!¼'#0#0#0#0#0#0#0#0#0#0#0#0#0'P"ñ'#6#0#0,2148074278)
mormot.net.sock.TSChannelNetTls.CheckSEC_E_OK('''¼'#0#0#0#0#0'&'#3#9'€'#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0'P'#$B'¼'#0#0#0#0#0'ðD»'#4#0#0#0#0#8'ÿ’'#7#0#0#0#0'Àz’'#7#0#0#0#0#0#0#0#0#0#0#0#0'<'#4#0#0#0#0#0#0'ðD»'#4'8J'#0#0'PNî'#6#0#0#0#0#0#0#0#0'&'#3#9'€`z’'#7#0#0#0#0' !¼'#0#0#0#0#0'€¼Á'#4#0#0#0#0'Â!¼'#0#0#0#0#0#0#0#0#0#0#0#0#0'P"ñ'#6#0#0#0#0'Àz’'#7#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0'°¼Á'#4#0#0#0#0#0#0#0#0#0#0#0#0#$90'¿'#$12#1#0#0#0#0'Àz’'#7#0#0#0#0#0#0#0#0#0#0,-2146893018)
mormot.net.sock.TSChannelNetTls.HandshakeLoop
mormot.net.sock.TSChannelNetTls.AfterAccept($43C,(True, True, True, True, False, False, False, '', nil, '', ),???,nil {''})
mormot.net.async.TAsyncServer.OnFirstReadDoTls($4B93F30)
mormot.net.async.TPollAsyncConnection.OnFirstRead($4BDBFB0)
mormot.net.async.TPollAsyncSockets.ProcessRead($4C66CD0,1152921504686096176)
mormot.net.async.TAsyncConnectionsThread.Execute
System.Classes.ThreadProc($4C66CD0)
System.ThreadWrapper($4BB44E0)
:00007FFFDADE257D ; C:\Windows\System32\KERNEL32.DLL
:00007FFFDC82AF28 ; ntdll.dll

...
InitNetTlsContextSelfSignedServer(FTls, caaRS256);
FTls.IgnoreCertificateErrors := True;
...
FWsServer :=
  TWebSocketAsyncServer.Create(
    Target, Nil, Nil, 'Acceptor', FOuAccepts, 30000, [
    hsoNoStats, hsoEnableTls,
    hsoNoXPoweredHeader,
    hsoHeadersInterning,
    hsoCreateSuspended,
    hsoThreadSmooting ]);
...
FWsServer.Start;
FWsServer.WaitStarted(10, @FTls);
...

I understood. Perfect ! The implementation, as it stands, already meets the needs. In the production environment, we will have thousands of concurrent connections, and, in addition to Linux, with several clients using the Windows server. This is why the synchronous version does not suit us.

Once again, thank you very much for your attention

Good morning Arnaud !

When I define USE_OPENSSL in the project it works normally.

Good morning Arnaud !

What do you think could be happening ?

Thank you for your attention

Good morning !

What excellent news, Ab. Our team thanks you immensely for all your attention and effort.

Testing like this now
...
         atpReadPoll:
           // main thread will just fill pending events from socket polls
           // (no process because a faulty service would delay all reading)
...
             if new <> 0 then
               fOwner.ThreadPollingWakeup(new)
             else
             begin
                new := fOwner.fClients.fRead.PollForPendingEvents(ms);
                If new = 0 Then Begin
                   TThread.Sleep(1); // Without this things don't work, anyway
                   Continue;
                End;
             end;
...

Good morning !

With this change, a single connection causes high CPU consumption!

It appears to be working normally again with the following:

...
             fWaitForReadPending := true; // should be set before wakeup
             if new <> 0 then
               fOwner.ThreadPollingWakeup(new)
             Else Begin
               fEvent.WaitFor(1); // ec **
               Continue;             
             End;
...

Good morning !

If so, it's much more efficient! Correct me if I'm wrong: -1 = INFINITE, which is the same as mormot.core.os.windows.inc.WaitFor(INFINITE), in the given snippet. Tested with thousands of operations.
Working perfectly, with minimal CPU consumption!!!

Thank you very much for your attention.

Adding hsoThreadSmooting option, with a thread pool of 16, receiving 4 frames of 50 bytes, per second, without any processing, consumption drops to 6%.

Yes. I even just tested with the new stable version released today