use native SecureSocket instead of hurlant crypto

[chatziko]

It's faster, more secure, and greatly reduces swf size.

Apart from removing the hurlant files, the only real change is in WebSocket.as and it's actually quite small.

[VelniasGriebtu]

I tried to use this project to communicate with Tomcat 8.5.6.
Insecure Socket (ws://) - worked for me only after disabling extentions (deflate) -Dorg.apache.tomcat.websocket.DISABLE_BUILTIN_EXTENSIONS=true. Otherwise I encounter message fragmentation issues.

SecureSocket (wss://) - unable to use as I don't have Flash Policy Server that knows handle TLS handshake.
How it is supposed to be used? Thanks.

[VelniasGriebtu]

I didn't find Flash Policy Server for SSL/TLS out of the box and have implemented one using JSSE SSLServerSocket and it works now.

[chatziko]

A working TLS Flash Policy Server using nodejs is available in the sample server of chatziko/FlashSocket.IO

[VelniasGriebtu]

It works fine when I disable 'permessage-deflate' extension. Flash client fails to decode inflated message otherwise. Any clue?
JSONParseError: Unexpected end of input
at com.adobe.serialization.json::JSONTokenizer/parseError()
at com.adobe.serialization.json::JSONDecoder/checkValidToken()
at com.adobe.serialization.json::JSONDecoder/parseValue()
at com.adobe.serialization.json::JSONDecoder/parseObject()
at com.adobe.serialization.json::JSONDecoder/parseValue()
at com.adobe.serialization.json::JSONDecoder/parseArray()
at com.adobe.serialization.json::JSONDecoder/parseValue()
at com.adobe.serialization.json::JSONDecoder/parseObject()
at com.adobe.serialization.json::JSONDecoder/parseValue()
at com.adobe.serialization.json::JSONDecoder()
at com.adobe.serialization.json::JSON$/decode()
at com.icap.mytreasury.services.websoket::JSONDataTransformer/decode()
at com.icap.mytreasury.services.websoket::MessagingAgent/handleWebSocketMessage()
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at com.worlize.websocket::WebSocket/processFrame()
at com.worlize.websocket::WebSocket/handleSocketData()

[VelniasGriebtu]

Additional information from Flash debugger log.
JSONDataTransformer Error #1034: Type Coercion failed: cannot convert Object@4d3c9a49 to flash.utils.Dictionary.

[chatziko]

Try https://github.com/chatziko/AS3WebSocket, it has (limited) support for permessage-deflate (not included in this PR)

[VelniasGriebtu]

https://github.com/chatziko/AS3WebSocket is exactly the project I use and it doesn't work for me as described above. The JSON I get after inflation fails on parsing.

[chatziko]

Try to set websocket.debug = true to see if you get something useful.

[VelniasGriebtu]

I set websocket.debug = true. Where I should search for useful information?

[chatziko]

Wherever trace() output goes in your setup.

[VelniasGriebtu]

There is no additional trace prints from WebSocket. The symptom is that only part of the deflated fragmented message arrives to the client. Client knows assemble fragmented message to the whole and everything works fine when deflate is disabled. I think you can easily reproduce it by sending long messages that are deflated on the server side.

[Anniywell]

Don't work on Chrome58.

Connecting to xxx.com on port 8443
错误: 请求位于 tlssocket://xxx.com:8443 的资源（请求者从 https://s1.002.xxx.com/FlexWeb-debug/FlexWeb.swf 发出请求）失败，原因是无法访问服务器。

*** 安全沙箱冲突 ***
到 xxx.com:8443 的连接已停止 - 不允许从 https://s1.002.xxx.com/FlexWeb-debug/FlexWeb.swf 进行连接
Security Error: [SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048: 安全沙箱冲突:https://s1.002.xxx.com/FlexWeb-debug/FlexWeb.swf 不能从 xxx.com:8443 加载数据。"]
securityError
closed

[code5381]

Anniywell, It works on Chrome59.

1. install policy server. (https://www.npmjs.com/package/policyfile)

2. listen by 843 port

pf.listen(843, function () {
logger.info('Flash Policy Server has been started.');
});

[Jiro90TC]

@VelniasGriebtu

I didn't find Flash Policy Server for SSL/TLS out of the box and have implemented one using JSSE SSLServerSocket and it works now.

Can you share the JSSE SSLServerSocket server? I am facing the same security error and I need to use only java server.
Thanks.

[oleg-prince]

Is it still relevant? If so - how do you want me to share?

[exstrim401]

is there some way to connect to websocket server under cloudflare?

[theturtle32]

https://support.cloudflare.com/hc/en-us/articles/200169466-Using-Cloudflare-with-WebSockets

…

On Mon, Apr 12, 2021 at 10:41 AM exstrim401 ***@***.***> wrote: is there some way to connect to websocket server under cloudflare? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#28 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAM7QGLFF7ACFMS3MT46F3TIMWDPANCNFSM4BZFINPA> .