Hi Bogdan,

I have tried so many things to solve the issue and I can confirm that this is a Chrome-related one. I use this js phone https://collecttix.github.io/ctxSip/ to test my environment and it works well on Firefox.

Thank you for your help.

On Tue, 5 Mar 2019 at 18:59, Bogdan-Andrei Iancu <bog...@opensips.org> wrote:

> Hi Volkan,
>
> The SSL_accept() fails (part of the SSL lib), meaning that the SSL handshake failed (maybe the incoming conn was not actually TLS??). I have to admit the log does not give more details on the error, but are you sure the incoming connection is a TLS valid one?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 02/27/2019 03:21 PM, Volkan Oransoy wrote:
>
> Hi all,
>
> I am trying to apply this tutorial to my test environment but I couldn't solve a problem with TLS handshake.
> https://www.opensips.org/Documentation/Tutorials-WebSocket-2-2
>
> My configuration is simply like that.
>
> listen=ws:10.10.10.10:8080
> listen=wss:10.10.10.10:443
> ...
> loadmodule "proto_tls.so"
> loadmodule "proto_wss.so"
> loadmodule "proto_ws.so"
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "certificate","/etc/letsencrypt/live/testserver.example.net/fullchain.pem")
> modparam("tls_mgm", "private_key","/etc/letsencrypt/live/testserver.example.net/privkey.pem")
>
> When I try to connect the server via a websocket client like SIP.js or jssip, I got this error.
>
> Feb 27 15:22:39 [26842] DBG:core:probe_max_sock_buff: getsockopt: snd is initially 425984
> Feb 27 15:22:39 [26842] INFO:core:probe_max_sock_buff: using snd buffer of 416 kb
> Feb 27 15:22:39 [26842] INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 49
> Feb 27 15:22:39 [26842] DBG:core:print_ip: tcpconn_new: new tcp connection to: 192.168.100.100
> Feb 27 15:22:39 [26842] DBG:core:tcpconn_new: on port 34560, proto 6
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: entered: Creating a whole new ssl connection
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: looking up socket based TLS server domain [10.10.10.10:443]
> Feb 27 15:22:39 [26842] DBG:tls_mgm:tls_find_server_domain: virtual TLS server domain not found, Using default TLS server domain settings
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: found socket based TLS server domain [0.0.0.0:0]
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_init: Setting in ACCEPT mode (server)
> Feb 27 15:22:39 [26842] DBG:core:tcpconn_add: hashes: 607, 660
> Feb 27 15:22:39 [26842] DBG:core:handle_new_connect: new connection: 0x7fd6a55d8240 49 flags: 001c
> Feb 27 15:22:39 [26842] DBG:core:send2child: to tcp child 0 (26839), 0x7fd6a55d8240 rw 1
> Feb 27 15:22:39 [26839] DBG:core:handle_io: We have received conn 0x7fd6a55d8240 with rw 1 on fd 5
> Feb 27 15:22:39 [26839] DBG:core:io_watch_add: [TCP_worker] io_watch_add op (5 on 46) (0x563321968480, 5, 19, 0x7fd6a55d8240,1), fd_no=4/1024
> Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
> Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: Using the global ( per process ) buff
> Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
> Feb 27 15:22:39 [26839] DBG:proto_wss:ws_server_handshake: ws_read end
> Feb 27 15:22:39 [26839] DBG:proto_wss:tls_update_fd: New fd is 5
> Feb 27 15:22:39 [26839] ERROR:proto_wss:tls_accept: New TLS connection from 192.168.100.100:34560 failed to accept
> Feb 27 15:22:39 [26839] ERROR:proto_wss:wss_read_req: cannot fix read connection
> Feb 27 15:22:39 [26839] DBG:core:io_watch_del: [TCP_worker] io_watch_del op on index 0 5 (0x563321968480, 5, 0, 0x10,0x3) fd_no=5 called
> Feb 27 15:22:39 [26839] DBG:core:tcpconn_release: releasing con 0x7fd6a55d8240, state -2, fd=-1, id=1151231636
> Feb 27 15:22:39 [26839] DBG:core:tcpconn_release: extra_data 0x7fd6a55d8438
> Feb 27 15:22:39 [26842] DBG:core:handle_tcp_worker: response= 7fd6a55d8240, -2 from tcp worker 26839 (0)
> Feb 27 15:22:39 [26842] DBG:core:tcpconn_destroy: destroying connection 0x7fd6a55d8240, flags 001c
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_conn_clean: entered
> Feb 27 15:22:39 [26842] DBG:proto_wss:tls_update_fd: New fd is 49
>
> I have tried to test my installation with openssl client and I think it has an issue with the setup because there is an error message.
>
> ➜ openssl s_client -connect testserver.example.net:443
> CONNECTED(00000005)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = testserver.example.net
> verify return:1
> 4499986028:error:14020410:SSL routines:CONNECT_CR_SESSION_TICKET:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 40
> 4499986028:error:140200E5:SSL routines:CONNECT_CR_SESSION_TICKET:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:585:
> ---
> Certificate chain
> 0 s:/CN=testserver.example.net
> i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> subject=/CN=testserver.example.net
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, X25519, 253 bits
> ---
> SSL handshake has read 3008 bytes and written 105 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID:
> Session-ID-ctx:
> Master-Key: EA79ADD7422068E3C79258F309B1D0772B5F11F3DB995DBB869BB68AA154D2827D781A57517CF8841E58F3EB9F18D656
> Start Time: 1551272932
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> ---
>
> Does anyone have an idea about the solution?
>
> Thanks in advance.
>
> --
> Volkan Oransoy
>
> _______________________________________________
> Users mailing list
> Users@lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

--
Volkan Oransoy
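Added example (not part of the original thread and not OpenSIPS code): the question raised in the quoted reply, whether the incoming connection was really TLS, and the "SSL alert number 40" in the s_client output can both be checked from the first bytes of a captured TCP stream. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# Added example, not OpenSIPS code. Constants from the TLS specs (RFC 5246 / RFC 8446).
HANDSHAKE, ALERT, CLIENT_HELLO = 0x16, 0x15, 0x01
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 112: "unrecognized_name"}


def classify_stream_start(data: bytes) -> dict:
    """Classify the first bytes seen on one direction of a TCP stream."""
    if len(data) < 5:
        return {"kind": "too-short"}
    # A ws:// client pointed at the wss port sends a plaintext HTTP upgrade.
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        is_ws = b"upgrade: websocket" in data.lower()
        return {"kind": "plaintext-websocket" if is_ws else "plaintext-http"}
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if rec_ver >> 8 != 0x03:
        return {"kind": "unknown"}
    body = data[5:5 + rec_len]
    if ctype == HANDSHAKE and len(body) >= 6 and body[0] == CLIENT_HELLO:
        # Bytes 1-3 are the handshake length, 4-5 the (legacy) client version.
        # A TLS 1.3 client also sends 0x0303 here and signals 1.3 in an extension.
        (hello_ver,) = struct.unpack("!H", body[4:6])
        return {"kind": "tls-client-hello",
                "hello_version": VERSIONS.get(hello_ver, hex(hello_ver))}
    if ctype == ALERT and len(body) == 2:
        level = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
        return {"kind": "tls-alert", "level": level,
                "description": ALERTS.get(body[1], str(body[1]))}
    return {"kind": "tls-other"}


def sample_client_hello() -> bytes:
    """Constructed minimal ClientHello (not captured traffic)."""
    hello = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00")   # one cipher suite, null compression
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: a plaintext upgrade request and a fatal alert 40.
SAMPLE_PLAINTEXT = (b"GET / HTTP/1.1\r\nHost: testserver.example.net\r\n"
                    b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    for name, raw in [("client hello", sample_client_hello()),
                      ("plaintext", SAMPLE_PLAINTEXT), ("alert", SAMPLE_ALERT)]:
        print(name, classify_stream_start(raw))
```

A "plaintext-websocket" result on the wss port points at the client URL scheme; a ClientHello answered by a fatal handshake_failure alert points at parameter negotiation on the server side.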