[OpenSIPS-Users] TLS issue with WSS

Volkan Oransoy voransoy at gmail.com
Tue Mar 5 23:56:34 EST 2019


Hi Bogdan,

I have tried so many things to solve the issue and I can confirm that this
is a Chrome related one.  I use this js phone
https://collecttix.github.io/ctxSip/ to test my environment and it works
well on Firefox.

Thank you for your help.

Bogdan-Andrei Iancu <bogdan at opensips.org>, 5 Mar 2019 Sal, 18:59 tarihinde
şunu yazdı:

> Hi Volkan,
>
> The SSL_accept() fails (part of the SSL lib), meaning that the SSL
> handshake failed (maybe the incoming conn was not actually TLS??). I have
> to admit the log does not give more details on the error, but are you sure
> the incoming connection is a TLS valid one ?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com
> OpenSIPS Summit 2019
>   https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 02/27/2019 03:21 PM, Volkan Oransoy wrote:
>
> Hi all,
>
> I am trying to apply this tutorial to my test environment but I couldn't
> solve a problem with TLS handshake.
> https://www.opensips.org/Documentation/Tutorials-WebSocket-2-2
>
> My configuration is simply like that.
>
> listen=ws:10.10.10.10:8080
> listen=wss:10.10.10.10:443
> ...
> loadmodule "proto_tls.so"
> loadmodule "proto_wss.so"
> loadmodule "proto_ws.so"
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "certificate","/etc/letsencrypt/live/
> testserver.example.net/fullchain.pem")
> modparam("tls_mgm", "private_key","/etc/letsencrypt/live/
> testserver.example.net/privkey.pem")
>
>
>
> When I try to connect the server via a websocket client like SIP.js or
> jssip, I got this error.
>
> Feb 27 15:22:39 [26842] DBG:core:probe_max_sock_buff: getsockopt: snd is
> initially 425984
> Feb 27 15:22:39 [26842] INFO:core:probe_max_sock_buff: using snd buffer
> of 416 kb
> Feb 27 15:22:39 [26842] INFO:core:init_sock_keepalive: TCP keepalive
> enabled on socket 49
> Feb 27 15:22:39 [26842] DBG:core:print_ip: tcpconn_new: new tcp connection
> to: 192.168.100.100
> Feb 27 15:22:39 [26842] DBG:core:tcpconn_new: on port 34560, proto 6
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: entered: Creating a
> whole new ssl connection
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: looking up socket
> based TLS server domain [10.10.10.10:443]
> Feb 27 15:22:39 [26842] DBG:tls_mgm:tls_find_server_domain: virtual TLS
> server domain not found, Using default TLS server domain settings
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: found socket based
> TLS server domain [0.0.0.0:0]
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: Setting in ACCEPT
> mode (server)
> Feb 27 15:22:39 [26842] DBG:core:tcpconn_add: hashes: 607, 660
> Feb 27 15:22:39 [26842] DBG:core:handle_new_connect: new connection:
> 0x7fd6a55d8240 49 flags: 001c
> Feb 27 15:22:39 [26842] DBG:core:send2child: to tcp child 0 (26839),
> 0x7fd6a55d8240 rw 1
> Feb 27 15:22:39 [26839] DBG:core:handle_io: We have received conn
> 0x7fd6a55d8240 with rw 1 on fd 5
> Feb 27 15:22:39 [26839] DBG:core:io_watch_add: [TCP_worker] io_watch_add
> op (5 on 46) (0x563321968480, 5, 19, 0x7fd6a55d8240,1), fd_no=4/1024
> Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
> Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: Using the
> global ( per process ) buff
> Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
> Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: ws_read end
> Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
> Feb 27 15:22:39 [26839] ERROR:proto_wss:tls_accept: New TLS connection
> from 192.168.100.100:34560 failed to accept
> Feb 27 15:22:39 [26839] ERROR:proto_wss:wss_read_req: cannot fix read
> connection
> Feb 27 15:22:39 [26839] DBG:core:io_watch_del: [TCP_worker] io_watch_del
> op on index 0 5 (0x563321968480, 5, 0, 0x10,0x3) fd_no=5 called
> Feb 27 15:22:39 [26839] DBG:core:tcpconn_release:  releasing con
> 0x7fd6a55d8240, state -2, fd=-1, id=1151231636
> Feb 27 15:22:39 [26839] DBG:core:tcpconn_release:  extra_data
> 0x7fd6a55d8438
> Feb 27 15:22:39 [26842] DBG:core:handle_tcp_worker: response=
> 7fd6a55d8240, -2 from tcp worker 26839 (0)
> Feb 27 15:22:39 [26842] DBG:core:tcpconn_destroy: destroying connection
> 0x7fd6a55d8240, flags 001c
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_clean: entered
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_update_fd: New fd is 49
>
>
>
> I have tried to test my installation with openssl client and I think it
> has an issue with the setup because there is an error message.
>
> ➜ openssl s_client -connect testserver.example.net:443
> CONNECTED(00000005)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = testserver.example.net
> verify return:1
> 4499986028:error:14020410:SSL routines:CONNECT_CR_SESSION_TICKET:sslv3
> alert handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL
> alert number 40
> 4499986028:error:140200E5:SSL routines:CONNECT_CR_SESSION_TICKET:ssl
> handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:585:
> ---
> Certificate chain
>  0 s:/CN=testserver.example.net
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFYjCCBEqgAwIBAgISAyIztk4mccb0A0k9XLOtFkGXMA0GCSqGSIb3DQEBCwUA
> MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
> ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAyMTIwOTU4MTRaFw0x
> OTA1MTMwOTU4MTRaMB8xHTAbBgNVBAMTFHNpcDMtdjIuYnVsdXRmb24ubmV0MIIB
> IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2DSkfcRZcjjhsyrnH6i/xmM2
> 7q9GfkPopmj8+RzJemdqSK7fSsGodSZznsYDn+b+u9AhYwr01WS0HPeag3kEMA+S
> Bn8cu1s/osa9Jipj4BnkPhU14T4/9x/Tvurt8v1BdS6uYLqFInV1LnGfTp7XhlRY
> uF+SRve0vxtXOPtokS68xvjVRrWI4UNR+S+neDvZqsDQQ6q2hcdQ1aRoEt0wbKO+
> k4jwZRf52cKscD2jfEniXCDUbawYq6CstzPqfx9+DYYS4NqRVtEUWeBI6MgR54QI
> KorBHqv382rcf/cz0vFEccmuF6NFFZFM385hdlV9YMcCQUUpwWh3FSgWh2y65QID
> AQABo4ICazCCAmcwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
> BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQmc6fJQRbTaUerCJlz
> W6gbPd0o5TAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
> BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
> cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
> cnlwdC5vcmcvMB8GA1UdEQQYMBaCFHNpcDMtdjIuYnVsdXRmb24ubmV0MEwGA1Ud
> IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
> dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBgYKKwYBBAHWeQIEAgSB9wSB9ADy
> AHcAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFo4Vt4PQAABAMA
> SDBGAiEAiKzASz3oQ1R8GCA77Hn7eBkLxncg4dBhAMQwobR3Oh4CIQD3r/+A9KpK
> MzzvjLrw6ltN4RJt/9GAksjY7XJoHi+fRQB3AGPy283oO8wszwtyhCdXazOkjWF3
> j711pjixx2hUS9iNAAABaOFbeoUAAAQDAEgwRgIhAN+Jvz1CVK7dACu8SLV3NYWQ
> TpUIk3RlSnqbioXoLPeSAiEA/aRTstIBRApuPqi+9U2DdsIjBMPBEWvPC+Q6V95V
> tWYwDQYJKoZIhvcNAQELBQADggEBADJCRG8rFR5v3wWaSZZlzRCOxNw992PjpoyE
> WI9ba1NP4IAUq/ORc4eFKa6bnvhnlwGkKfivxviGJFZRBauf9ydqnbNSsSc0THEt
> FMOMJ+fEZ6MIROmbz1ElWx8vO2crgIBMaOBjJdNEjLiKDIkwF67g7580A6ZplmN9
> tMUg/qQlgx/ABL7AAqy12zoGYdB5gf4y8escm/7S2OJeMDAK122Lkxi/PjzUheAb
> Zlrvxf862vd/ykdvcy8UjrJPTOt1CKlYuKgWIPR8Tb7BAIsIbAebXoqmvPN//Y72
> VknQALQUXxpnTNLperhBibpfqOp2MLWwnDktDGxUQRjfba5jeaA=
> -----END CERTIFICATE-----
> subject=/CN=testserver.example.net
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, X25519, 253 bits
> ---
> SSL handshake has read 3008 bytes and written 105 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
> EA79ADD7422068E3C79258F309B1D0772B5F11F3DB995DBB869BB68AA154D2827D781A57517CF8841E58F3EB9F18D656
>     Start Time: 1551272932
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
>
>
> Does anyone have an idea about the solution?
>
> Thanks in advance.
>
> --
> Volkan Oransoy
>
>
> _______________________________________________
> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>

-- 
Volkan Oransoy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20190306/154fce00/attachment-0001.html>


More information about the Users mailing list