Persistent "invalid opcode 7" and "RSV1 must be clear" errors

[martin-langhoff]

A low traffic site I code and maintain is seeing persistent "invalid opcode 7" and "RSV1 must be clear".

Following #919 and #1140, my initial diagnosis was that some client is buggy and not handling the fact that we do not support, or have disabled, the per-message-deflate extension.

Here is the interesting thing. I have added an adequate error handler, and I have fiddled with the perMessageDeflate option. Even with perMessageDeflate: true, the problem persists.

Also of note:

• Using CloudFlare
• Node v6.11.1
• ws@3.3.0

How could I debug/diagnose this further? Is there a reasonable way of getting at the UA string, to see whether we can blame it on buggy UA?

[lpinca]

You can get the UA from the request argument of the 'connection' event listener.

[lpinca]

@martin-langhoff FYI the "RSV1 must be clear" error can be emitted also when permessage-deflate is enabled, for example when a frame is a continuation frame or a control frame and it has the RSV1 bit set.

[martin-langhoff]

Thanks for the info. I've enabled logging, and expect will have further info soon. At first read, it's not UA-specific. I hope to be able to repro in a controlled experiment tonight.

[martin-langhoff]

@lpinca with perMessageDeflate disabled, the server response still contains Sec-WebSocket-Extensions:permessage-deflate. Normal? Expected?

[lpinca]

Not expected, this function should return an empty object.

[martin-langhoff]

ws/lib/WebSocketServer.js

Line 241 in d96c58c

if (props.length) {

seems to expose/offer all loaded extensions...

[lpinca]

If

ws/lib/WebSocketServer.js

Lines 293 to 309 in d96c58c

	function acceptExtensions (options, offer) {
	const pmd = options.perMessageDeflate;
	const extensions = {};
	if (pmd && offer[PerMessageDeflate.extensionName]) {
	const perMessageDeflate = new PerMessageDeflate(
	pmd !== true ? pmd : {},
	true,
	options.maxPayload
	);
	perMessageDeflate.accept(offer[PerMessageDeflate.extensionName]);
	extensions[PerMessageDeflate.extensionName] = perMessageDeflate;
	}
	return extensions;
	}

returns an empty object as expected props.length is 0.

[lpinca]

Here is a test:

const WebSocket = require('.');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, () => {
  const socket = new net.Socket();

  socket.connect(3000, () => {
    socket.write([
      'GET / HTTP/1.1',
      'Host: localhost',
      'Upgrade: websocket',
      'Connection: Upgrade',
      'Sec-WebSocket-Extensions: permessage-deflate;server_no_context_takeover',
      'Sec-WebSocket-Key: rfeGe1izPRq2JyonWunAQw==',
      'Sec-WebSocket-Version: 13',
      '\r\n'
    ].join('\r\n'));
  });

  socket.on('data', (data) => console.log(data.toString()));
});

[geogeorgiev]

Just a thought: I get an "RSV1 must be clear" error upon failed verification when I make use of the verifyClient option.

[lpinca]

@geogeorgiev are you sure? The WebSocket instance is not created if verifyClient() fails, so it shouldn't be possible.

[geogeorgiev]

@Ipinca if I simply return true in the callback of verifyClient I stop receiving the error. The process of verification may be somehow involved though. In my case it's just an http request using the request-promise-native lib. As long as my auth credentials were incorrect and hence getting 401 from the auth server and failed verification, the error was thrown.

[lpinca]

@geogeorgiev If you can please create and share a reproducible test case.

[lpinca]

@lpinca with perMessageDeflate disabled, the server response still contains Sec-WebSocket-Extensions:permessage-deflate. Normal? Expected?

Is it possible that the proxy you are using incorrectly adds the header an tricks the client into using the extension when it shouldn't?

[lpinca]

Closing due to inactivity.