Hi Volkan,
The SSL_accept() fails (part of the SSL lib), meaning that the SSL
handshake failed (maybe the incoming conn was not actually TLS??). I
have to admit the log does not give more details on the error, but are
you sure the incoming connection is a TLS valid one ?
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 2019
https://www.opensips.org/events/Summit-2019Amsterdam/
On 02/27/2019 03:21 PM, Volkan Oransoy wrote:
Hi all,
I am trying to apply this tutorial to my test environment but I
couldn't solve a problem with TLS handshake.
https://www.opensips.org/Documentation/Tutorials-WebSocket-2-2
My configuration is simply like that.
listen=ws:10.10.10.10:8080 <http://10.10.10.10:8080>
listen=wss:10.10.10.10:443 <http://10.10.10.10:443>
...
loadmodule "proto_tls.so"
loadmodule "proto_wss.so"
loadmodule "proto_ws.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm",
"certificate","/etc/letsencrypt/live/testserver.example.net/fullchain.pem
<http://testserver.example.net/fullchain.pem>")
modparam("tls_mgm",
"private_key","/etc/letsencrypt/live/testserver.example.net/privkey.pem
<http://testserver.example.net/privkey.pem>")
When I try to connect the server via a websocket client like SIP.js or
jssip, I got this error.
Feb 27 15:22:39 [26842] DBG:core:probe_max_sock_buff: getsockopt:
snd is initially 425984
Feb 27 15:22:39 [26842] INFO:core:probe_max_sock_buff: using snd
buffer of 416 kb
Feb 27 15:22:39 [26842] INFO:core:init_sock_keepalive: TCP
keepalive enabled on socket 49
Feb 27 15:22:39 [26842] DBG:core:print_ip: tcpconn_new: new tcp
connection to: 192.168.100.100
Feb 27 15:22:39 [26842] DBG:core:tcpconn_new: on port 34560, proto 6
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: entered:
Creating a whole new ssl connection
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: looking up
socket based TLS server domain [10.10.10.10:443
<http://10.10.10.10:443>]
Feb 27 15:22:39 [26842] DBG:tls_mgm:tls_find_server_domain:
virtual TLS server domain not found, Using default TLS server
domain settings
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: found socket
based TLS server domain [0.0.0.0:0 <http://0.0.0.0:0>]
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: Setting in
ACCEPT mode (server)
Feb 27 15:22:39 [26842] DBG:core:tcpconn_add: hashes: 607, 660
Feb 27 15:22:39 [26842] DBG:core:handle_new_connect: new
connection: 0x7fd6a55d8240 49 flags: 001c
Feb 27 15:22:39 [26842] DBG:core:send2child: to tcp child 0
(26839), 0x7fd6a55d8240 rw 1
Feb 27 15:22:39 [26839] DBG:core:handle_io: We have received conn
0x7fd6a55d8240 with rw 1 on fd 5
Feb 27 15:22:39 [26839] DBG:core:io_watch_add: [TCP_worker]
io_watch_add op (5 on 46) (0x563321968480, 5, 19,
0x7fd6a55d8240,1), fd_no=4/1024
Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: Using
the global ( per process ) buff
Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: ws_read end
Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
Feb 27 15:22:39 [26839] ERROR:proto_wss:tls_accept: New TLS
connection from 192.168.100.100:34560
<http://192.168.100.100:34560> failed to accept
Feb 27 15:22:39 [26839] ERROR:proto_wss:wss_read_req: cannot fix
read connection
Feb 27 15:22:39 [26839] DBG:core:io_watch_del: [TCP_worker]
io_watch_del op on index 0 5 (0x563321968480, 5, 0, 0x10,0x3)
fd_no=5 called
Feb 27 15:22:39 [26839] DBG:core:tcpconn_release: releasing con
0x7fd6a55d8240, state -2, fd=-1, id=1151231636
Feb 27 15:22:39 [26839] DBG:core:tcpconn_release: extra_data
0x7fd6a55d8438
Feb 27 15:22:39 [26842] DBG:core:handle_tcp_worker: response=
7fd6a55d8240, -2 from tcp worker 26839 (0)
Feb 27 15:22:39 [26842] DBG:core:tcpconn_destroy: destroying
connection 0x7fd6a55d8240, flags 001c
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_clean: entered
Feb 27 15:22:39 [26842] DBG:proto_wss:tls_update_fd: New fd is 49
I have tried to test my installation with openssl client and I think
it has an issue with the setup because there is an error message.
➜ openssl s_client -connect testserver.example.net:443
<http://testserver.example.net:443>
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = testserver.example.net <http://testserver.example.net>
verify return:1
4499986028:error:14020410:SSL
routines:CONNECT_CR_SESSION_TICKET:sslv3 alert handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL
alert number 40
4499986028:error:140200E5:SSL
routines:CONNECT_CR_SESSION_TICKET:ssl handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
Certificate chain
0 s:/CN=testserver.example.net <http://testserver.example.net>
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgISAyIztk4mccb0A0k9XLOtFkGXMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAyMTIwOTU4MTRaFw0x
OTA1MTMwOTU4MTRaMB8xHTAbBgNVBAMTFHNpcDMtdjIuYnVsdXRmb24ubmV0MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2DSkfcRZcjjhsyrnH6i/xmM2
7q9GfkPopmj8+RzJemdqSK7fSsGodSZznsYDn+b+u9AhYwr01WS0HPeag3kEMA+S
Bn8cu1s/osa9Jipj4BnkPhU14T4/9x/Tvurt8v1BdS6uYLqFInV1LnGfTp7XhlRY
uF+SRve0vxtXOPtokS68xvjVRrWI4UNR+S+neDvZqsDQQ6q2hcdQ1aRoEt0wbKO+
k4jwZRf52cKscD2jfEniXCDUbawYq6CstzPqfx9+DYYS4NqRVtEUWeBI6MgR54QI
KorBHqv382rcf/cz0vFEccmuF6NFFZFM385hdlV9YMcCQUUpwWh3FSgWh2y65QID
AQABo4ICazCCAmcwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQmc6fJQRbTaUerCJlz
W6gbPd0o5TAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
cnlwdC5vcmcvMB8GA1UdEQQYMBaCFHNpcDMtdjIuYnVsdXRmb24ubmV0MEwGA1Ud
IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBgYKKwYBBAHWeQIEAgSB9wSB9ADy
AHcAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFo4Vt4PQAABAMA
SDBGAiEAiKzASz3oQ1R8GCA77Hn7eBkLxncg4dBhAMQwobR3Oh4CIQD3r/+A9KpK
MzzvjLrw6ltN4RJt/9GAksjY7XJoHi+fRQB3AGPy283oO8wszwtyhCdXazOkjWF3
j711pjixx2hUS9iNAAABaOFbeoUAAAQDAEgwRgIhAN+Jvz1CVK7dACu8SLV3NYWQ
TpUIk3RlSnqbioXoLPeSAiEA/aRTstIBRApuPqi+9U2DdsIjBMPBEWvPC+Q6V95V
tWYwDQYJKoZIhvcNAQELBQADggEBADJCRG8rFR5v3wWaSZZlzRCOxNw992PjpoyE
WI9ba1NP4IAUq/ORc4eFKa6bnvhnlwGkKfivxviGJFZRBauf9ydqnbNSsSc0THEt
FMOMJ+fEZ6MIROmbz1ElWx8vO2crgIBMaOBjJdNEjLiKDIkwF67g7580A6ZplmN9
tMUg/qQlgx/ABL7AAqy12zoGYdB5gf4y8escm/7S2OJeMDAK122Lkxi/PjzUheAb
Zlrvxf862vd/ykdvcy8UjrJPTOt1CKlYuKgWIPR8Tb7BAIsIbAebXoqmvPN//Y72
VknQALQUXxpnTNLperhBibpfqOp2MLWwnDktDGxUQRjfba5jeaA=
-----END CERTIFICATE-----
subject=/CN=testserver.example.net <http://testserver.example.net>
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3008 bytes and written 105 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key:
EA79ADD7422068E3C79258F309B1D0772B5F11F3DB995DBB869BB68AA154D2827D781A57517CF8841E58F3EB9F18D656
Start Time: 1551272932
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Does anyone have an idea about the solution?
Thanks in advance.
--
Volkan Oransoy
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
