Hi,

It might be a stupid question, but why don't you have WebSockets without TLS between HAProxy and Kamailio?
I have a similar setup that lets us serve a regular web server and SIP WebSockets on the same port 443; for now, it works pretty well.

--
Ludovic Gasc (GMLudo)
Lead Developer Architect at ALLOcloud

2017-02-02 18:39 GMT+01:00 Jade SZ <jitterbuffer@gmail.com>:
Hi Guys,

I am trying to set up the following flow:

Browser >> WSS >> HA Proxy >>> WSS >> Kamailio

But I am getting TLS errors in the Kamailio logs:
[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330
[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Browser <-----wss---->Kamailio  works fine with same certs. 

Both HA Proxy and Kamailio are installed on separate servers, hosting on the same port with different domains. Kamailio tls.conf has method = TLSv1

@HA Proxy:

openssl s_client -connect HA-PROXY-DOMAIN:10443

SSL-Session:
    Protocol  : TLSv1.2

@Kamailio :
openssl s_client -connect KAMAILIO-DOMAIN:10443

SSL-Session:
    Protocol  : TLSv1

So I set HA Proxy to TLSv1 with "ssl-default-bind-options force-tlsv10", but I still get the same TLS error in Kamailio.

HA Proxy config looks like:

frontend public
  bind *:10443 ssl crt /etc/haproxy/certs/cert.pem
  acl is_websocket hdr_end(host) -i m1.some-domain.com
  use_backend wss if is_websocket
  default_backend wss

backend wss
  timeout server 600s


Need some direction, thanks in advance.


Regards,
Jade

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
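
Added example (not from either poster, and not HAProxy or Kamailio code): OpenSSL's "wrong version number" comes from its check of the version bytes in the TLS record header, so one way to narrow the error down is to look at the first bytes the Kamailio listener receives and see whether they form a TLS record or plaintext HTTP. The sample byte strings and the host name sip.example.test are constructed.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes received on a listener that expects TLS."""
    if len(data) < 5:
        return {"kind": "too_short"}
    if data.startswith(HTTP_METHODS):
        # Plaintext HTTP: a TLS parser reads bytes 1-2 ("ET" of "GET") as the version.
        return {
            "kind": "plaintext_http",
            "request_line": data.split(b"\r\n", 1)[0].decode("ascii", "replace"),
            "websocket_upgrade": b"upgrade: websocket" in data.lower(),
            "bytes_read_as_version": data[1:3].hex(),
        }
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3 or length > 2**14 + 2048:
        return {"kind": "unknown", "bytes_read_as_version": data[1:3].hex()}
    result = {
        "kind": "tls_record",
        "content_type": CONTENT_TYPES[ctype],
        "record_version": VERSIONS.get((major, minor), f"3.{minor}"),
        "length": length,
    }
    # ClientHello: handshake type 1, 3-byte length, then the offered client_version.
    if ctype == 22 and len(data) >= 11 and data[5] == 1:
        result["client_hello_version"] = VERSIONS.get((data[9], data[10]), "unknown")
    return result

# Constructed samples: a plaintext WebSocket upgrade and the start of a ClientHello.
SAMPLE_WS_UPGRADE = (b"GET / HTTP/1.1\r\nHost: sip.example.test\r\n"
                     b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c8" "010000c4" "0303") + bytes(32)

if __name__ == "__main__":
    for name, sample in (("ws upgrade", SAMPLE_WS_UPGRADE), ("client hello", SAMPLE_CLIENT_HELLO)):
        print(name, classify_first_bytes(sample))
```

Feed it the first payload bytes of a connection taken from a packet capture on the Kamailio host.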