[OpenSIPS-Users] TLS issue with WSS

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Mar 5 10:59:45 EST 2019 

Hi Volkan,

The SSL_accept() fails (part of the SSL lib), meaning that the SSL 
handshake failed (maybe the incoming conn was not actually TLS??). I 
have to admit the log does not give more details on the error, but are 
you sure the incoming connection is a TLS valid one ?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 02/27/2019 03:21 PM, Volkan Oransoy wrote:
> Hi all,
>
> I am trying to apply this tutorial to my test environment but I 
> couldn't solve a problem with TLS handshake.
> https://www.opensips.org/Documentation/Tutorials-WebSocket-2-2
>
> My configuration is simply like that.
>
>     listen=ws:10.10.10.10:8080 <http://10.10.10.10:8080>
>     listen=wss:10.10.10.10:443 <http://10.10.10.10:443>
>     ...
>     loadmodule "proto_tls.so"
>     loadmodule "proto_wss.so"
>     loadmodule "proto_ws.so"
>     loadmodule "tls_mgm.so"
>     modparam("tls_mgm",
>     "certificate","/etc/letsencrypt/live/testserver.example.net/fullchain.pem
>     <http://testserver.example.net/fullchain.pem>")
>     modparam("tls_mgm",
>     "private_key","/etc/letsencrypt/live/testserver.example.net/privkey.pem
>     <http://testserver.example.net/privkey.pem>")
>
>
>
> When I try to connect the server via a websocket client like SIP.js or 
> jssip, I got this error.
>
>     Feb 27 15:22:39 [26842] DBG:core:probe_max_sock_buff: getsockopt:
>     snd is initially 425984
>     Feb 27 15:22:39 [26842] INFO:core:probe_max_sock_buff: using snd
>     buffer of 416 kb
>     Feb 27 15:22:39 [26842] INFO:core:init_sock_keepalive: TCP
>     keepalive enabled on socket 49
>     Feb 27 15:22:39 [26842] DBG:core:print_ip: tcpconn_new: new tcp
>     connection to: 192.168.100.100
>     Feb 27 15:22:39 [26842] DBG:core:tcpconn_new: on port 34560, proto 6
>     Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: entered:
>     Creating a whole new ssl connection
>     Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: looking up
>     socket based TLS server domain [10.10.10.10:443
>     <http://10.10.10.10:443>]
>     Feb 27 15:22:39 [26842] DBG:tls_mgm:tls_find_server_domain:
>     virtual TLS server domain not found, Using default TLS server
>     domain settings
>     Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: found socket
>     based TLS server domain [0.0.0.0:0 <http://0.0.0.0:0>]
>     Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: Setting in
>     ACCEPT mode (server)
>     Feb 27 15:22:39 [26842] DBG:core:tcpconn_add: hashes: 607, 660
>     Feb 27 15:22:39 [26842] DBG:core:handle_new_connect: new
>     connection: 0x7fd6a55d8240 49 flags: 001c
>     Feb 27 15:22:39 [26842] DBG:core:send2child: to tcp child 0
>     (26839), 0x7fd6a55d8240 rw 1
>     Feb 27 15:22:39 [26839] DBG:core:handle_io: We have received conn
>     0x7fd6a55d8240 with rw 1 on fd 5
>     Feb 27 15:22:39 [26839] DBG:core:io_watch_add: [TCP_worker]
>     io_watch_add op (5 on 46) (0x563321968480, 5, 19,
>     0x7fd6a55d8240,1), fd_no=4/1024
>     Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
>     Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: Using
>     the global ( per process ) buff
>     Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
>     Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: ws_read end
>     Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
>     Feb 27 15:22:39 [26839] ERROR:proto_wss:tls_accept: New TLS
>     connection from 192.168.100.100:34560
>     <http://192.168.100.100:34560> failed to accept
>     Feb 27 15:22:39 [26839] ERROR:proto_wss:wss_read_req: cannot fix
>     read connection
>     Feb 27 15:22:39 [26839] DBG:core:io_watch_del: [TCP_worker]
>     io_watch_del op on index 0 5 (0x563321968480, 5, 0, 0x10,0x3)
>     fd_no=5 called
>     Feb 27 15:22:39 [26839] DBG:core:tcpconn_release: releasing con
>     0x7fd6a55d8240, state -2, fd=-1, id=1151231636
>     Feb 27 15:22:39 [26839] DBG:core:tcpconn_release: extra_data
>     0x7fd6a55d8438
>     Feb 27 15:22:39 [26842] DBG:core:handle_tcp_worker: response=
>     7fd6a55d8240, -2 from tcp worker 26839 (0)
>     Feb 27 15:22:39 [26842] DBG:core:tcpconn_destroy: destroying
>     connection 0x7fd6a55d8240, flags 001c
>     Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_clean: entered
>     Feb 27 15:22:39 [26842] DBG:proto_wss:tls_update_fd: New fd is 49
>
>
>
> I have tried to test my installation with openssl client and I think 
> it has an issue with the setup because there is an error message.
>
>     ➜ openssl s_client -connect testserver.example.net:443
>     <http://testserver.example.net:443>
>     CONNECTED(00000005)
>     depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
>     verify return:1
>     depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>     verify return:1
>     depth=0 CN = testserver.example.net <http://testserver.example.net>
>     verify return:1
>     4499986028:error:14020410:SSL
>     routines:CONNECT_CR_SESSION_TICKET:sslv3 alert handshake
>     failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL
>     alert number 40
>     4499986028:error:140200E5:SSL
>     routines:CONNECT_CR_SESSION_TICKET:ssl handshake
>     failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:585:
>     ---
>     Certificate chain
>      0 s:/CN=testserver.example.net <http://testserver.example.net>
>      i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>      1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>      i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>     ---
>     Server certificate
>     -----BEGIN CERTIFICATE-----
>     MIIFYjCCBEqgAwIBAgISAyIztk4mccb0A0k9XLOtFkGXMA0GCSqGSIb3DQEBCwUA
>     MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
>     ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAyMTIwOTU4MTRaFw0x
>     OTA1MTMwOTU4MTRaMB8xHTAbBgNVBAMTFHNpcDMtdjIuYnVsdXRmb24ubmV0MIIB
>     IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2DSkfcRZcjjhsyrnH6i/xmM2
>     7q9GfkPopmj8+RzJemdqSK7fSsGodSZznsYDn+b+u9AhYwr01WS0HPeag3kEMA+S
>     Bn8cu1s/osa9Jipj4BnkPhU14T4/9x/Tvurt8v1BdS6uYLqFInV1LnGfTp7XhlRY
>     uF+SRve0vxtXOPtokS68xvjVRrWI4UNR+S+neDvZqsDQQ6q2hcdQ1aRoEt0wbKO+
>     k4jwZRf52cKscD2jfEniXCDUbawYq6CstzPqfx9+DYYS4NqRVtEUWeBI6MgR54QI
>     KorBHqv382rcf/cz0vFEccmuF6NFFZFM385hdlV9YMcCQUUpwWh3FSgWh2y65QID
>     AQABo4ICazCCAmcwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
>     BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQmc6fJQRbTaUerCJlz
>     W6gbPd0o5TAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
>     BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
>     cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
>     cnlwdC5vcmcvMB8GA1UdEQQYMBaCFHNpcDMtdjIuYnVsdXRmb24ubmV0MEwGA1Ud
>     IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
>     dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBgYKKwYBBAHWeQIEAgSB9wSB9ADy
>     AHcAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFo4Vt4PQAABAMA
>     SDBGAiEAiKzASz3oQ1R8GCA77Hn7eBkLxncg4dBhAMQwobR3Oh4CIQD3r/+A9KpK
>     MzzvjLrw6ltN4RJt/9GAksjY7XJoHi+fRQB3AGPy283oO8wszwtyhCdXazOkjWF3
>     j711pjixx2hUS9iNAAABaOFbeoUAAAQDAEgwRgIhAN+Jvz1CVK7dACu8SLV3NYWQ
>     TpUIk3RlSnqbioXoLPeSAiEA/aRTstIBRApuPqi+9U2DdsIjBMPBEWvPC+Q6V95V
>     tWYwDQYJKoZIhvcNAQELBQADggEBADJCRG8rFR5v3wWaSZZlzRCOxNw992PjpoyE
>     WI9ba1NP4IAUq/ORc4eFKa6bnvhnlwGkKfivxviGJFZRBauf9ydqnbNSsSc0THEt
>     FMOMJ+fEZ6MIROmbz1ElWx8vO2crgIBMaOBjJdNEjLiKDIkwF67g7580A6ZplmN9
>     tMUg/qQlgx/ABL7AAqy12zoGYdB5gf4y8escm/7S2OJeMDAK122Lkxi/PjzUheAb
>     Zlrvxf862vd/ykdvcy8UjrJPTOt1CKlYuKgWIPR8Tb7BAIsIbAebXoqmvPN//Y72
>     VknQALQUXxpnTNLperhBibpfqOp2MLWwnDktDGxUQRjfba5jeaA=
>     -----END CERTIFICATE-----
>     subject=/CN=testserver.example.net <http://testserver.example.net>
>     issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>     ---
>     No client certificate CA names sent
>     Server Temp Key: ECDH, X25519, 253 bits
>     ---
>     SSL handshake has read 3008 bytes and written 105 bytes
>     ---
>     New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>     Server public key is 2048 bit
>     Secure Renegotiation IS supported
>     Compression: NONE
>     Expansion: NONE
>     No ALPN negotiated
>     SSL-Session:
>         Protocol : TLSv1.2
>         Cipher : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     EA79ADD7422068E3C79258F309B1D0772B5F11F3DB995DBB869BB68AA154D2827D781A57517CF8841E58F3EB9F18D656
>         Start Time: 1551272932
>         Timeout  : 7200 (sec)
>         Verify return code: 0 (ok)
>     ---
>
>
> Does anyone have an idea about the solution?
>
> Thanks in advance.
>
> -- 
> Volkan Oransoy
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20190305/b74dd4d5/attachment-0001.html>

More information about the Users mailing list