SSL not working in client using couchbase-lite-core


#1

I am using couchbase-lite-core (CBL 2.0.0) to connect to a Couchbase server. When I try to use SSL by using “blips” or “wss” as the scheme in C4Address for c4repl_new(), I get an error when trying to replicate:

*** 1537276274.196254880 0 140735888205568 mg_connect_websocket_client2:14177: Websocket client connect error: SSL is not initialized

This seems to be because mg_init_library() is not called with the flag to enable SSL support. CBL passes 0, but enabling SSL would require 2. See https://github.com/couchbase/couchbase-lite-core/blob/6d0ad8fdbdbf694b70be3fbf0bf62451194e60db/Replicator/CivetWebSocket.cc#L123.
Q: Is this a bug in CBL or am I missing something?

By changing the value to 2, CBL will then try to initialize SSL. However that fails, because the symbol CRYPTO_num_locks is not found in libcrypto.so. This seems to be because Ubuntu 18.04 is using OpenSSL 1.1, which no longer has that symbol.
Q: Am I missing something here to make that work? Or do I need to manually pass the compiler define OPENSSL_API_1_1 to the build system, which looks like it should fix the problem?


#2

Couchbase Lite Core does not support opening network connections directly. Rather, it defers that to Couchbase Lite because of the complexity involved in establishing an encrypted connection and determining trust. This is delegated to the OS and/or runtime that the final product runs on.

To accomplish your goal you will have to go through the steps you mentioned, and there is no guarantee it will work. Couchbase Lite Core is not supported as a standalone product, but feel free to ask for technical advice.


#3

Thanks for the quick answer.

I don’t understand when you say “Couchbase Lite Core does not support opening network connections directly”: connecting to the Couchbase server and doing a replication worked fine here with just couchbase-lite-core. Support for SSL is included via the civetweb submodule; it’s just not working correctly for me. So I’m confused about the whole paragraph, could you please clarify?


#4

Also note that I can’t use couchbase-lite directly, as it doesn’t seem to have a cross-platform C or C++ API. I’m using couchbase-lite-core to have the same C++ code on iOS, Android, Windows, Mac and Linux.


#5

What I mean is that we don’t claim support for that, though as you realize it technically works. We were going to put all that into Lite Core, but SSL proved too big a task for a C++ library on all the platforms we need. Civetweb has SSL support, but we neither use nor test it. Instead we defer actual transport to Couchbase Lite. I must repeat that Lite Core is not a directly supported product, so whatever you do find in it is subject to change without notice.


#6

Ok, I see, thanks for the clarification.

As far as I understand, then, there is transport and encryption functionality in couchbase-lite-core, but it’s actually not used by Couchbase Mobile; instead Couchbase Mobile has its own platform-specific transport and encryption code. As a consequence, transport and encryption in couchbase-lite-core are unused and untested. Correct me if I’m wrong here.


#7

Correct. We use the networking layer in LiteCore for testing its replicator, and for the cblite command-line tool.

LiteCore is not a Couchbase product on its own, and we don’t officially support using it directly.


#8

Thanks a lot borrrden and jens for explaining this, I now understand the situation.


#9

Of course you’re welcome to try to enable TLS :) At some point I suspect we’ll need it, like if/when we build a C/C++ public API around LiteCore for use on Linux.

The issues, as I recall them:

  • Civetweb only supports OpenSSL, but OpenSSL is rather large and would have made CBL too big. We were hoping to go with mbed TLS.
  • The inevitable compatibility problems of MS Windows.
  • The X.509 support in any TLS library has to have a list of valid root certs. This list should not be baked into our code (or we and app developers are on the hook for updating it whenever it changes, which is a security nightmare), and every OS has a different API for accessing it, so there would have to be per-OS glue code for that.

#10

So I’ve realized now that TLS support in couchbase-lite-core is too broken/incomplete to fix myself, especially since I want to support iOS, Linux, Mac and Windows. And with Civetweb only supporting OpenSSL, that’s not doable.

Since we’re also using Qt, I’ll instead use the socket factory API in couchbase-lite-core (https://couchbase.github.io/couchbase-lite-core/C/html/group___socket.html) to make it use Qt’s QSslSocket, which I know works on all platforms and also AFAIK handles the certificate list correctly. That seems to be the easiest way forward.


#11

That sounds like the best approach. The C4Socket API can be a bit confusing, but at least you have three implementations (Obj-C, Java, C#) to look at for reference :)
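The socket-factory route chosen in #10 and confirmed in #11, shown as an added example that is not LiteCore's, Qt's or either poster's code: a self-contained C++ model of the two halves of the provider contract. The struct and function names (CoreSocket, Provider, Address, the status code and the 64 KiB read window) are assumptions for this example, modelled loosely on the shape of c4Socket.h rather than copied from it, and FakeTlsTransport is a constructed stand-in for QSslSocket so the code runs offline. The two points it makes are the ones that matter for security and for stability: an unverified TLS peer never reaches the "opened" callback, and inbound data is only delivered while the core keeps acknowledging it through completedReceive.

```cpp
// Added example, not LiteCore's code: a minimal model of the provider side of
// LiteCore's socket-factory contract. All names below are assumptions for this
// example (loosely after c4Socket.h), not real LiteCore declarations.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

namespace model {

constexpr int kErrCertUntrusted = 1;            // assumed status code for this example
constexpr size_t kMaxUnackedBytes = 64 * 1024;  // assumed read window before the provider stops reading

struct Address { std::string scheme; std::string hostname; uint16_t port; };

// "Core" side: what the replicator would see. Records every callback the
// provider makes and how many received bytes it has not yet consumed.
struct CoreSocket {
    std::vector<std::string> events;
    size_t unacked = 0;
    void opened() { events.push_back("opened"); }
    void received(const uint8_t*, size_t n) {
        unacked += n;
        events.push_back("received:" + std::to_string(n));
    }
    void closed(int status, const std::string& why) {
        events.push_back("closed:" + std::to_string(status) + ":" + why);
    }
};

// Stand-in for a platform TLS socket such as QSslSocket. The verification
// result and the inbound bytes are constructed test data, not network traffic.
struct FakeTlsTransport {
    bool peerVerified = true;       // would come from the TLS stack's chain + hostname check
    std::vector<uint8_t> inbound;   // bytes "arriving" from the server
    std::vector<uint8_t> outbound;  // bytes the provider has written
};

class Provider {
public:
    Provider(CoreSocket& core, FakeTlsTransport& t) : core_(core), t_(t) {}

    // factory.open: the URL scheme decides whether TLS is required. An
    // untrusted peer must never reach 'opened'; report a closed socket instead.
    bool open(const Address& addr) {
        tls_ = (addr.scheme == "wss" || addr.scheme == "blips");
        if (tls_ && !t_.peerVerified) {
            core_.closed(kErrCertUntrusted, "TLS peer certificate not trusted for " + addr.hostname);
            return false;
        }
        core_.opened();
        pumpReads();
        return true;
    }
    // factory.write: hand outgoing frames to the transport.
    void write(const std::vector<uint8_t>& data) {
        t_.outbound.insert(t_.outbound.end(), data.begin(), data.end());
    }
    // factory.completedReceive: the core consumed n bytes, so reading may resume.
    void completedReceive(size_t n) {
        core_.unacked -= std::min(n, core_.unacked);
        pumpReads();
    }
    bool usingTls() const { return tls_; }

private:
    // Deliver inbound bytes only while the core is keeping up; otherwise stop
    // reading so an unbounded receive buffer cannot build up in the provider.
    void pumpReads() {
        while (readPos_ < t_.inbound.size() && core_.unacked < kMaxUnackedBytes) {
            size_t n = std::min(t_.inbound.size() - readPos_, kMaxUnackedBytes - core_.unacked);
            core_.received(t_.inbound.data() + readPos_, n);
            readPos_ += n;
        }
    }
    CoreSocket& core_;
    FakeTlsTransport& t_;
    bool tls_ = false;
    size_t readPos_ = 0;
};

} // namespace model

int main() {
    model::CoreSocket core;
    model::FakeTlsTransport t;
    t.inbound.assign(100000, 'A');  // constructed: 100000 bytes "from the server"
    model::Provider p(core, t);
    p.open({"blips", "sg.example", 4984});          // delivers the first 64 KiB, then stalls
    p.completedReceive(model::kMaxUnackedBytes);    // core caught up: the remaining bytes flow
    for (const auto& e : core.events) std::printf("%s\n", e.c_str());
    return 0;
}
```

In a real Qt provider, FakeTlsTransport becomes a QSslSocket: `peerVerified` corresponds to the handshake completing without `sslErrors`, using the system CA store that QSslSocket's default configuration already loads, which is the root-certificate problem from #9 handled by the platform rather than by LiteCore. The pitfall to avoid is calling `ignoreSslErrors()` to make a failing connection "work"; that reintroduces exactly the untested, unverified transport the thread is steering away from.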