SSL not working in client using couchbase-lite-core

thomas.mcguire · September 19, 2018, 8:37am

I am using couchbase-lite-core (CBL2.0.0) to connect to a couchbase server. When I try to use SSL by using “blips” or “wss” as the schema in C4Address for c4repl_new(), I get an error when trying to replicate:

*** 1537276274.196254880 0 140735888205568 mg_connect_websocket_client2:14177: Websocket client connect error: SSL is not initialized

This seems to be because mg_init_library() is not called with the flag to enable SSL support. CBL passes 0, but enabling SSL would require 2. See https://github.com/couchbase/couchbase-lite-core/blob/6d0ad8fdbdbf694b70be3fbf0bf62451194e60db/Replicator/CivetWebSocket.cc#L123.
Q: Is this a bug in CBL or am I missing something?

By changing the value to 2, CBL will then try to initialize SSL. However that fails, because the symbol CRYPTO_num_locks is not found in libcrypto.so. This seems to be because Ubuntu 18.04 is using OpenSSL 1.1, which no longer has that symbol.
Q: Am I missing something here to make that work? Or do I need to manually pass the compiler define OPENSSL_API_1_1 to the build system, which looks like it should fix the problem?

borrrden · September 19, 2018, 8:52am

Couchbase lite core does not support opening network connections directly. Rather it refers it to Couchbase lite because of the complexity involved in establishing an encrypted connection and determining trust. This is delegated to the OS and/or runtime that the final product runs on.

To accomplish your goal you will have to go through the steps you mentioned and there is not any guarantee it will work. Couchbase lite core is not supported as a standalone product but feel free to ask for technical advice.

thomas.mcguire · September 19, 2018, 9:11am

Thanks for the quick answer.

I don’t understand when you say “Couchbase lite core does not support opening network connections directly” - connecting to the couchbase server and doing a replication worked fine here, with just couchbase-lite-core. Support for SSL is included by using the civetweb submodule, it’s just not working correctly for me. So I’m confused about the whole paragraph, could you please clarify?

thomas.mcguire · September 19, 2018, 9:14am

Also note that I can’t use couchbase-lite directly, as it doesn’t seem to have a cross-platform C or C++ API. I’m using couchbase-lite-core to have the same C++ code on iOS, Android, Windows, Mac and Linux.

borrrden · September 19, 2018, 12:48pm

What I mean is that we don’t claim support for that, though as you realize it technically works. We were going to put all that into lite core but SSL proved too big a task for a c++ library on all the platforms we need. Civetweb has ssl support but we neither use nor test it. Instead we defer actual transport to Couchbase Lite. I must repeat that lite core is not a directly supported product so whatever you do find in it is subject to change without notice.

thomas.mcguire · September 19, 2018, 1:13pm

Ok, I see, thanks for the clarification.

As far as I understand then, there is transport and encryption functionality in couchbase-lite-core, but it’s actually not used by Couchbase Mobile - instead Couchbase Mobile has their own platform-specific transport and encryption code. As a consequence, transport and encryption in couchbase-lite-core is unused and untested. Correct me if I’m wrong here.

jens · September 19, 2018, 6:17pm

Correct. We use the networking layer in LiteCore for testing its replicator, and for the cblite command-line tool.

LiteCore is not a Couchbase product on its own, and we don’t officially support using it directly.

thomas.mcguire · September 20, 2018, 7:00am

Thanks a lot borrrden and jens for explaining this, I now understand the situation.

jens · September 20, 2018, 5:56pm

Of course you’re welcome to try to enable TLS At some point I suspect we’ll need it, like if/when we build a C/C++ public API around LiteCore for use on Linux.

The issues, as I recall them:

Civetweb only supports OpenSSL, but OpenSSL is rather large and would have made CBL too big. We were hoping to go with mbed-TLS.
The inevitable compatibility problems of MS Windows
The X.509 support in any TLS library has to have a list of valid root certs. This list should not be baked into our code (or we and app developers are on the hook for updating it whenever it changes, which is a security nightmare), and every OS has a different API for accessing it, so there would have to be per-OS glue code for that.

thomas.mcguire · September 21, 2018, 7:32am

So I’ve realized now that TLS support in couchbase-lite-core is too broken/incomplete to fix myself, especially since I want to support iOS, Linux, Mac and Windows. And with Civetweb only supporting OpenSSL that’s not doable.

Since we’re also using Qt, I’ll instead use the socket factory API in couchbase-lite-core (https://couchbase.github.io/couchbase-lite-core/C/html/group___socket.html) to make it use Qt’s QSslSocket, which I know works on all platforms and also AFAIK handles the certificate list correctly. That seems to be the easiest way forward.

jens · September 21, 2018, 5:40pm

That sounds like the best approach. The C4Socket API can be a bit confusing, but at least you have three implementations (Obj-C, Java, C#) to look at for reference