Antoine:

Sorry for the trouble with Yahoo. I did test lots of client OSes and browsers. I will send you a summary of all testing using Gmail later today. Meanwhile, so I could summarize the results in a more meaningful manner, can you tell me some implementational differences between:

1. bind-tcp (with ssl=*) and bind-ssl.
2. the differences between ssl=Mode switches. Somehow they aren't very intuitive for me.
3. Is ssl encryption/protocol used between client and websockify Webserver only or is it also used between XPRA server socket and websockify as well?

Thanks!
Mukul

Sent from Yahoo Mail on Android

On Tue, Jan 3, 2017 at 1:01 AM, Antoine Martin via shifter-users <[email protected]> wrote:

On 03/01/17 02:39, Mukul Agrawal via shifter-users wrote:
> OK, I tried something slightly different. I removed the "ssl=https" (seems
> like I was not reading the wiki on https://xpra.org/trac/ticket/1213
> correctly).
> Here is what I did :-

Please always include all the details: the full OS version, the full xpra version, the full command or log output, the browser you used, etc.
And you really should be testing with more than one browser.
Since you are using a signed certificate, you should include how you generated the full chain. What CA you used, etc.
You may also want to enable "-d websocket,http"
Or even adding "-d network" (this may be too verbose)

Also, please try using a better email service. Yahoo makes a complete mess of the text formatting and your emails are a pain to parse. (and that's just one of many reasons to stay away from Yahoo)

> xpra start :17 --bind-tcp=0.0.0.0:3001 --ssl=on --ssl-cert=./fullchain.pem --ssl-key=./privkey.pem --start=xclock
>
> => Simply hit the https://hostname.com. Web-browser says Secure Connection
> Failed. The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
> => XPRA log is showing:-
> Error: error in network packet reading/parsing
> 2017-01-02 19:11:15,446 invalid_header() takes exactly 3 arguments (4 given)
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/xpra/net/protocol.py", line 682, in _read_parse_thread_loop
>     self.do_read_parse_thread_loop()
>   File "/usr/lib/python2.7/dist-packages/xpra/net/protocol.py", line 725, in do_read_parse_thread_loop
> => openssl s_client -connect host:443 -- this is showing ssl is connected
> and is working fine
> Any idea why browser is not connecting? Do I need to provide some parameters
> on the address line on the browser?

No.
If openssl connects OK, so should the browser AFAIK.

Cheers
Antoine

> Regards,
> Mukul
>
> On Monday, January 2, 2017 5:20 PM, Mukul Agrawal via shifter-users <[email protected]> wrote:
>
> I got a commercial SSL certificate installed on my ubuntu xenial machine. I
> tested the setup using a simple "Hello World" python https server. Everything
> is working good. I can hit the index page using https from anywhere from
> outside world. Also checked with "openssl s_client -connect" and it confirms
> that certificate is being used properly.
> Now I started the xpra server following instructions here -
> Encryption/SSL – Xpra
>
> Used following command :-
> xpra start :17 --start=xclock --bind-tcp=0.0.0.0:3001 --ssl=on --ssl-cert=/path/to/fullchain.pem --ssl-key=/path/to/privatekey.pem ssl=https
>
> Now if I hit the webaddress from webbrowser with https, I get following error
> on browser ;-
> SSL received a record that exceeded the maximum permissible length. Error
> code: SSL_ERROR_RX_RECORD_TOO_LONG
>
> "openssl s_client -connect" is showing "connected" but giving an error
> 140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown_protocol:s23_clnt.c:794:
>
> XPRA server logs are showing "invalid packet header, SSL packet?"
>
> Any idea what is going on? I am doing iptable routing from 443 to 3001. This
> works just fine with the above mentioned "Hello World" python https server.
> It seems to me there is some problem with websockify's webserver is trying to
> attach certificates to wrong port or network interface. Any advice on how to
> debug this?
>
> Regards,
> Mukul

_______________________________________________
shifter-users mailing list
[email protected]
http://lists.devloop.org.uk/mailman/listinfo/shifter-users
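Added example, not part of the thread and not xpra code: SSL_ERROR_RX_RECORD_TOO_LONG and openssl's unknown_protocol, as quoted above, are what a TLS client typically reports when the bytes it receives are not TLS records. The sketch below parses the first five bytes of a reply as a TLS record header and applies the RFC 5246 length limit; the function names and the sample bytes are constructed for illustration.

```python
import socket
import ssl
import struct

# RFC 5246 section 6.2.3: TLSCiphertext.length must not exceed 2^14 + 2048.
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def read_as_tls_record(first_bytes):
    """Parse the 5-byte record header the way a TLS peer would."""
    if len(first_bytes) < 5:
        return {"verdict": "short"}
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    if length > MAX_RECORD_LEN:
        verdict = "record_too_long"   # what plaintext such as "HTTP/" decodes to
    elif ctype not in CONTENT_TYPES or major != 3:
        verdict = "not_tls"
    else:
        verdict = "tls"
    return {"verdict": verdict, "content_type": CONTENT_TYPES.get(ctype, ctype),
            "version": (major, minor), "length": length}


def client_hello(server_name="example.test"):
    """Build a real ClientHello in memory, without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's answer
    return outgoing.read()


def probe(host, port, timeout=5.0):
    """Send a ClientHello to host:port and classify the first bytes returned."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        return read_as_tls_record(sock.recv(5))


if __name__ == "__main__":
    # Constructed samples: a plaintext HTTP reply and a TLS handshake header.
    for sample in (b"HTTP/1.1 400 Bad Request\r\n", bytes([22, 3, 3, 0, 90])):
        print(sample[:5], read_as_tls_record(sample))
```

Running `probe()` against both the listener port (3001 in the thread) and the redirected port 443 shows which of the two is answering with something other than TLS.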
