[OpenSIPS-Users] TLS issue with WSS

Volkan Oransoy voransoy at gmail.com
Wed Feb 27 08:21:39 EST 2019


Hi all,

I am trying to apply this tutorial to my test environment, but I couldn't
solve a problem with the TLS handshake.
https://www.opensips.org/Documentation/Tutorials-WebSocket-2-2

My configuration is simply like this.

listen=ws:10.10.10.10:8080
listen=wss:10.10.10.10:443
...
loadmodule "proto_tls.so"
loadmodule "proto_wss.so"
loadmodule "proto_ws.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm", "certificate","/etc/letsencrypt/live/testserver.example.net/fullchain.pem")
modparam("tls_mgm", "private_key","/etc/letsencrypt/live/testserver.example.net/privkey.pem")



When I try to connect to the server via a WebSocket client like SIP.js or
jssip, I get this error.

Feb 27 15:22:39 [26842] DBG:core:probe_max_sock_buff: getsockopt: snd is
initially 425984
Feb 27 15:22:39 [26842] INFO:core:probe_max_sock_buff: using snd buffer of
416 kb
Feb 27 15:22:39 [26842] INFO:core:init_sock_keepalive: TCP keepalive
enabled on socket 49
Feb 27 15:22:39 [26842] DBG:core:print_ip: tcpconn_new: new tcp connection
to: 192.168.100.100
Feb 27 15:22:39 [26842] DBG:core:tcpconn_new: on port 34560, proto 6
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: entered: Creating a
whole new ssl connection
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: looking up socket
based TLS server domain [10.10.10.10:443]
Feb 27 15:22:39 [26842] DBG:tls_mgm:tls_find_server_domain: virtual TLS
server domain not found, Using default TLS server domain settings
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: found socket based TLS
server domain [0.0.0.0:0]
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: Setting in ACCEPT mode
(server)
Feb 27 15:22:39 [26842] DBG:core:tcpconn_add: hashes: 607, 660
Feb 27 15:22:39 [26842] DBG:core:handle_new_connect: new connection:
0x7fd6a55d8240 49 flags: 001c
Feb 27 15:22:39 [26842] DBG:core:send2child: to tcp child 0 (26839),
0x7fd6a55d8240 rw 1
Feb 27 15:22:39 [26839] DBG:core:handle_io: We have received conn
0x7fd6a55d8240 with rw 1 on fd 5
Feb 27 15:22:39 [26839] DBG:core:io_watch_add: [TCP_worker] io_watch_add op
(5 on 46) (0x563321968480, 5, 19, 0x7fd6a55d8240,1), fd_no=4/1024
Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: Using the global
( per process ) buff
Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: ws_read end
Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
Feb 27 15:22:39 [26839] ERROR:proto_wss:tls_accept: New TLS connection from
192.168.100.100:34560 failed to accept
Feb 27 15:22:39 [26839] ERROR:proto_wss:wss_read_req: cannot fix read
connection
Feb 27 15:22:39 [26839] DBG:core:io_watch_del: [TCP_worker] io_watch_del op
on index 0 5 (0x563321968480, 5, 0, 0x10,0x3) fd_no=5 called
Feb 27 15:22:39 [26839] DBG:core:tcpconn_release:  releasing con
0x7fd6a55d8240, state -2, fd=-1, id=1151231636
Feb 27 15:22:39 [26839] DBG:core:tcpconn_release:  extra_data 0x7fd6a55d8438
Feb 27 15:22:39 [26842] DBG:core:handle_tcp_worker: response= 7fd6a55d8240,
-2 from tcp worker 26839 (0)
Feb 27 15:22:39 [26842] DBG:core:tcpconn_destroy: destroying connection
0x7fd6a55d8240, flags 001c
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_clean: entered
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_update_fd: New fd is 49



I have tried to test my installation with the openssl client, and I think
there is an issue with the setup because there is an error message.

➜ openssl s_client -connect testserver.example.net:443
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = testserver.example.net
verify return:1
4499986028:error:14020410:SSL routines:CONNECT_CR_SESSION_TICKET:sslv3
alert handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL
alert number 40
4499986028:error:140200E5:SSL routines:CONNECT_CR_SESSION_TICKET:ssl
handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
Certificate chain
 0 s:/CN=testserver.example.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=testserver.example.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3008 bytes and written 105 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key:
EA79ADD7422068E3C79258F309B1D0772B5F11F3DB995DBB869BB68AA154D2827D781A57517CF8841E58F3EB9F18D656
    Start Time: 1551272932
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


Does anyone have an idea about the solution?

Thanks in advance.

-- 
Volkan Oransoy
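The debug log above shows two things worth catching on a busy server: the listener lookup for [10.10.10.10:443] falling back to the default TLS domain [0.0.0.0:0], and the tls_accept failure for a specific peer. The following triage script is an added example (not part of the original post or of OpenSIPS); it assumes the log line format shown in the post and runs over a constructed sample.

```python
import re

# Constructed sample in the same format as the OpenSIPS debug output above:
# one connection that falls back to the default TLS domain and fails, and one
# (made up) later connection whose listener-specific domain is found.
SAMPLE_LOG = """\
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: looking up socket based TLS server domain [10.10.10.10:443]
Feb 27 15:22:39 [26842] DBG:tls_mgm:tls_find_server_domain: virtual TLS server domain not found, Using default TLS server domain settings
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: found socket based TLS server domain [0.0.0.0:0]
Feb 27 15:22:39 [26839] ERROR:proto_wss:tls_accept: New TLS connection from 192.168.100.100:34560 failed to accept
Feb 27 15:22:39 [26839] ERROR:proto_wss:wss_read_req: cannot fix read connection
Feb 27 15:23:01 [26842] DBG:proto_wss:tls_conn_init: looking up socket based TLS server domain [10.10.10.10:443]
Feb 27 15:23:01 [26842] DBG:proto_wss:tls_conn_init: found socket based TLS server domain [10.10.10.10:443]
"""

# "<timestamp> [<pid>] <LEVEL>:<module>:<function>: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \[(?P<pid>\d+)\] '
    r'(?P<lvl>\w+):(?P<mod>\w+):(?P<fn>\w+): (?P<msg>.*)$')
LOOKUP_RE = re.compile(r'looking up socket based TLS server domain \[(?P<dom>[^\]]+)\]')
FOUND_RE = re.compile(r'found socket based TLS server domain \[(?P<dom>[^\]]+)\]')
FAIL_RE = re.compile(r'New TLS connection from (?P<peer>[\d.]+:\d+) failed to accept')


def triage(log_text):
    """Return (fallbacks, failures).

    fallbacks: (requested_domain, domain_actually_used) pairs where the
               listener-specific TLS domain was not found and the default
               domain was used instead.
    failures:  (timestamp, peer) pairs for every failed TLS accept.
    """
    fallbacks, failures = [], []
    pending = {}  # pid -> domain requested by the most recent lookup line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OpenSIPS log line, skip
        pid, msg = m['pid'], m['msg']
        lookup, found, fail = LOOKUP_RE.search(msg), FOUND_RE.search(msg), FAIL_RE.search(msg)
        if lookup:
            pending[pid] = lookup['dom']
        elif found:
            wanted = pending.pop(pid, None)
            if wanted is not None and wanted != found['dom']:
                fallbacks.append((wanted, found['dom']))
        elif fail:
            failures.append((m['ts'], fail['peer']))
    return fallbacks, failures
```

Running `triage` over a real log tells you whether every failed accept coincides with a fallback to the default domain, which separates a listener/domain configuration problem from a per-client handshake problem.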

