I am setting following property on my readStream when setting up open socked towards my server:
var readStream : Unmanaged<CFReadStream>?
inputStream = readStream!.takeRetainedValue()
inputStream!.setProperty(
StreamSocketSecurityLevel.tlSv1.rawValue,
forKey: Stream.PropertyKey.socketSecurityLevelKey
)
If my server supports TLS 1.0-1.2 does StreamSocketSecurityLevel.tlSv1.rawValue mean that I will get the highest supported TLS version from my server, in this case 1.2 then ? Or should I simply use negotiatedSSL ?
Related
I have a remote AuraDB, but I'm unable to visualize with neovis.js
var config = {
container_id: "viz",
server_url: "bolt://<server_url>:7687",
server_user: <user>,
server_password: <pwd>,
initial_cypher: "match n=(:Person)-[:Knows]->(:Person) return n"
}
The above code segment is from the neovis GitHub documentation.
(https://github.com/neo4j-contrib/neovis.js/)
If I use the "bolt" protocol, the error is :
Neo4jError: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket readyState is: 3
If I use the "neo4j" protocol, then :
Neo4jError: Could not perform discovery. No routing servers available.
If I use the "neo4j+s" / "neo4j+ssc" protocols, then :
Encryption/trust can only be configured either through URL or config, not both
I have observed neovis plugin for my webapp works well with a local neo4j db and the bolt protocol.
Please help me out with some understanding in the case of visualizing a remote neo4j aura db.
Aura has strict encryption policies. And the driver config used for neovis.js seems half-baked. It doesn't seem to be enough for Aura and doesn't seem to allow turning encryption off completely either.
So the best option here is to enforce encryption in the config and use an unencrypted connection Scheme.
Working config for Aura by using an unencrypted connection URI and enforcing encryption in the config
var config = {
encrypted:"ENCRYPTION_ON",
trust: "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES",
container_id: "viz",
server_url: "neo4j://<dbid>.databases.neo4j.io",
...
Updated Solution for Neovis 2.0.2, from this GitHub issue
var config = {
containerId: "viz",
neo4j: {
serverUrl: "neo4j://<dbid>.databases.neo4j.io",
serverUser: "neo4j",
serverPassword: "secret",
driverConfig: {
encrypted: "ENCRYPTION_ON",
trust: "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES"
}
},
Getting error of "Error code: -9989(0x-2705), Connection refused" by using BlueSocket framework and connecting between Mac and IOS.
Here is the logic:
I am treating Mac as a server:
// making TCP IPV4 socket
try self.listenSocket = Socket.create(family: .inet, type: .stream, proto: .tcp)
// start lisening port of 8888
try socket.listen(on: self.port)
// accept client connection when there is
let newSocket = try socket.acceptClientConnection()
// keep opening and reading data ....
iPhone as a client:
self.socket = try Socket.create(family: .inet)
try self.socket?.connect(to: ip, port: 8888)
try self.socket?.setReadTimeout(value: readWriteTimeOut)
try self.socket?.setWriteTimeout(value: readWriteTimeOut)
self.socket?.readBufferSize = Socket.SOCKET_MAXIMUM_SSL_READ_BUFFER_SIZE
client first time connect with the server works fine.
after the server receives data, client-side automatically closes the socket.
client tries to connect the server again to send back data by using same code above.
Then error displays!
I think by default when the server-side uses socket.listen, it has SO_REUSEADDR set to true
Need suggestions on how to resolve this issue. Thanks!
Just need to make sure while loop for socket.acceptClientConnection() is opening all the time....
I'm trying to connect to wss socket, and the host name looks like this: "myhostname.com/ws/v2".
Here is how I start the connection:
let host = "myhostname.com/ws/v2"
CFStreamCreatePairWithSocketToHost(kCFAllocatorDefault, host as CFString, 443, &readStream, &writeStream)
inputStream = readStream!.takeRetainedValue()
outputStream = writeStream!.takeRetainedValue()
outputStream.setProperty(StreamSocketSecurityLevel.negotiatedSSL, forKey: Stream.PropertyKey.socketSecurityLevelKey)
inputStream.setProperty(StreamSocketSecurityLevel.negotiatedSSL, forKey: Stream.PropertyKey.socketSecurityLevelKey)
inputStream.schedule(in: .current, forMode: .commonModes)
outputStream.schedule(in: .current, forMode: .commonModes)
inputStream.delegate = self
outputStream.delegate = self
inputStream.open()
outputStream.open()
This fails with an error:
The operation couldn’t be completed. (kCFErrorDomainCFNetwork error 1.)
However, if I remove the path from the host name, so it looks like this: myhostname.com then in my delegate I get an event openCompleted. However, it doesn't respond to my messages after that, I assume it's because I'm connected to a wrong socket, since I removed the path.
What is the proper way of connecting to a socket when the host name has an additional path?
myhostname.com/ws/v2 is not a hostname. It is an (incomplete) URL (the complete URL is wss://myhostname.com/ws/v2). The hostname is just myhostname.com, and the Websocket path on that host is just /ws/v2.
The WebSockets handshake uses HTTP/S, so it is not enough to just connect to the host with an NSStream. You have to connect a TCP socket to the host and port, then negotiate an SSL/TLS handshake if using WSS, then use HTTP to request the path asking for an Upgrade to WebSocket, and only if a successful HTTP 101 reply is returned then perform the WebSocket handshake.
That is a lot of work to do manually. You really should be using an actual WebSocket client library instead. There are plenty available.
I would like to implement STARTTLS in an iOS application but I'm having trouble figuring out from the documentation how to do it.
So far I have:
I create the socket with CFStreamCreatePairWithSocketToHost and open the streams:
CFStreamCreatePairWithSocketToHost(
NULL, (__bridge CFStringRef)host, port,
&read_stream, &write_stream
);
reader = objc_retainedObject(read_stream);
[ reader setDelegate:self ];
[ reader scheduleInRunLoop:[NSRunLoop mainRunLoop] forMode:NSDefaultRunLoopMode ];
[ reader open ];
writer = objc_retainedObject(write_stream);
[ writer setDelegate:self ];
[ writer scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode ];
[ writer open ];
I get the right callbacks when data are available on the streams so the connection is working.
I successfully interact with the server in plain text and negociate STARTTLS.
Eventually, the server sends the go-ahead for STARTTLS:
. OK Begin TLS negotiation now.
Now it is time to upgrade the socket form plaintext to TLS. What do I do next?
I thought I should do this as per Apple's documentation:
[ reader setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey ];
[ writer setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey ];
But that doesn't seem to do anything. I'm not surprised that it doesn't work since the documentation says quite clearly:
You must set the property before you open the stream.
Yet of course the stream must be already opened in this case since it is used to conduct the plaintext STARTTLS negociation!
I cannot find any documentation on how to upgrade a socket from plaintext to SSL or perhaps how to layer a new set of SSL-encrypted streams on top of a set of input&output plaintext streams.
I could not find any way to implement STARTTLS using the high-level CFStream API. There is CFStreamCreatePairWithSocket which allows you to connect your own socket and then apply TLS to it afterwards, but there is no way to get the library to verify the remote host name against the certificate host name.
The only way to do it appears to be using this much lower level library: Secure Transport Reference.
I have read that HttpURLConnection supports persistent connections, so that a connection can be reused for multiple requests. I tried it and the only way to send a second POST was by calling openConnection for a second time. Otherwise I got a IllegalStateException("Already connected");
I used the following:
try{
URL url = new URL("http://someconection.com");
}
catch(Exception e){}
HttpURLConnection con = (HttpURLConnection) url.openConnection();
//set output, input etc
//send POST
//Receive response
//Read whole response
//close input stream
con.disconnect();//have also tested commenting this out
con = (HttpURLConnection) url.openConnection();
//Send new POST
The second request is send over the same TCP connection (verified it with wireshark) but I can not understand why (although this is what I want) since I have called disconnect.
I checked the source code for the HttpURLConnection and the implementation does keep a keepalive cache of connections to the same destinations. My problem is that I can not see how the connection is placed back in the cache after I have send the first request. The disconnect closes the connection and without the disconnect, still I can not see how the connection is placed back in the cache. I saw that the cache has a run method to go through over all idle connections (I am not sure how it is called), but I can not find how the connection is placed back in the cache. The only place that seems to happen is in the finished method of httpClient but this is not called for a POST with a response.
Can anyone help me on this?
EDIT
My interest is, what is the proper handling of an HttpUrlConnection object for tcp connection reuse. Should input/output stream be closed followed by a url.openConnection(); each time to send the new request (avoiding disconnect())? If yes, I can not see how the connection is being reused when I call url.openConnection() for the second time, since the connection has been removed from the cache for the first request and can not find how it is returned back.
Is it possible that the connection is not returned back to the keepalive cache (bug?), but the OS has not released the tcp connection yet and on new connection, the OS returns the buffered connection (not yet released) or something similar?
EDIT2
The only related i found was from JDK_KeepAlive
...when the application calls close()
on the InputStream returned by
URLConnection.getInputStream(), the
JDK's HTTP protocol handler will try
to clean up the connection and if
successful, put the connection into a
connection cache for reuse by future
HTTP requests.
But I am not sure which handler is this. sun.net.www.protocol.http.Handler does not do any caching as I saw
Thanks!
Should input/output stream be closed
followed by a url.openConnection();
each time to send the new request
(avoiding disconnect())?
Yes.
If yes, I can not see how the connection is being
reused when I call
url.openConnection() for the second
time, since the connection has been
removed from the cache for the first
request and can not find how it is
returned back.
You are confusing the HttpURLConnection with the underlying Socket and its underlying TCP connection. They aren't the same. The HttpURLConnection instances are GC'd, the underlying Socket is pooled, unless you call disconnect().
From the javadoc for HttpURLConnection (my emphasis):
Each HttpURLConnection instance is
used to make a single request but the
underlying network connection to the
HTTP server may be transparently
shared by other instances. Calling the
close() methods on the InputStream or
OutputStream of an HttpURLConnection
after a request may free network
resources associated with this
instance but has no effect on any
shared persistent connection. Calling
the disconnect() method may close the
underlying socket if a persistent
connection is otherwise idle at that
time.
I found that the connection is indeed cached when the InputStream is closed. Once the inputStream has been closed the underlying connection is buffered. The HttpURLConnection object is unusable for further requests though, since the object is considered still "connected", i.e. its boolean connected is set to true and is not cleared once the connection is placed back in the buffer. So each time a new HttpUrlConnection should be instantiated for a new POST, but the underlying TCP connection will be reused, if it has not timed out.
So EJP answer's was the correct description. May be the behavior I saw, (reuse of the TCP connection) despite explicitly calling disconnect() was due to caching done by the OS? I do not know. I hope someone who knows can explain.
Thanks.
How do you "force use of HTTP1.0" using the HttpUrlConnection of JDK?
According to the section „Persistent Connections” of the Java 1.5 guide support for HTTP1.1 connections can be turned off or on using the java property http.keepAlive (default is true). Furthermore, the java property http.maxConnections indicates the maximum number of (concurrent) connections per destination to be kept alive at any given time.
Therefore, a "force use of HTTP1.0" could be applied for the whole application at once by setting the java property http.keepAlive to false.
Hmmh. I may be missing something here (since this is an old question), but as far as I know, there are 2 well-known ways to force closing of the underlying TCP connection:
Force use of HTTP 1.0 (1.1 introduced persistent connections) -- this as indicated by the http request line
Send 'Connection' header with value 'close'; this will force closing as well.
Abandoning streams will cause idle TCP connections. The response stream should be read completely. Another thing I overlooked initially, and have seen overlooked in most answers on this topic is forgetting to deal with the error stream in case of exceptions. Code similar to this fixed one of my apps that wasn't releasing resources properly:
HttpURLConnection connection = (HttpURLConnection)new URL(uri).openConnection();
InputStream stream = null;
BufferedReader reader = null;
try {
stream = connection.getInputStream();
reader = new BufferedReader(new InputStreamReader(stream, Charset.forName("UTF-8")));
// do work on part of the input stream
} catch (IOException e) {
// read the error stream
InputStream es = connection.getErrorStream();
if (es != null) {
BufferedReader esReader = null;
esReader = new BufferedReader(new InputStreamReader(es, Charset.forName("UTF-8")));
while (esReader.ready() && esReader.readLine() != null) {
}
if (esReader != null)
esReader.close();
}
// do something with the IOException
} finally {
// finish reading the input stream if it was not read completely in the try block, then close
if (reader != null) {
while (reader.readLine() != null) {
}
reader.close();
}
// Not sure if this is necessary, closing the buffered reader may close the input stream?
if (stream != null) {
stream.close();
}
// disconnect
if (connection != null) {
connection.disconnect();
}
}
The buffered reader isn't strictly necessary, I chose it because my use case required reading one line at a time.
See also: http://docs.oracle.com/javase/1.5.0/docs/guide/net/http-keepalive.html