2 Feb
2017
2 Feb
'17
5:39 p.m.
Hi Guys,
I am trying to setup the following flow:
Browser >> WSS >> HA Proxy >>> WSS >> Kamailio
But getting TLS errors in Kamailio logs:
*[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR:
tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330*
*[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number*
Browser <-----wss---->Kamailio works fine with same certs.
Both HA Proxy and Kamilio are installed on separate servers, hosting on
same port with different domain. Kamailio tls.conf has method = TLSv1
*@HA Proxy:*
openssl s_client -connect HA-PROXY-DOMAIN:*10443*
SSL-Session:
Protocol : TLSv1.2
*@Kamailio :*
openssl s_client -connect KAMAILIO-DOMAIN:*10443*
SSL-Session:
Protocol : TLSv1
So I made HA Proxy to be on TLSv1 "ssl-default-bind-options force-tlsv10"
But still I get the same TLS error in Kamailio.
*HA Proxy config looks like:*
*frontend public*
* bind *:10443 ssl crt /etc/haproxy/certs/cert.pem*
* acl is_websocket hdr_end(host) -i m1.some-domain.com
<http://m1.some-domain.com>*
* use_backend wss if is_websocket*
* default_backend wss*
*backend wss*
* timeout server 600s*
* server ws1 k1.some-domain.com:10443 <http://k1.some-domain.com:10443>*
* server ws1 k2.some-domain.com:10443 <http://k2.some-domain.com:10443>*
Need some direction, thanks in advance.
Regards,
Jade
2 Feb
2 Feb
9:34 p.m.
Hi,
It might be a stupid question, but why you don't have WebSockets without
TLS between HAProxy and Kamailio ?
I've a similar setup to enable us to have on the same 443 port regular Web
server and SIP WebSockets, for now, it works pretty well.
--
Ludovic Gasc (GMLudo)
Lead Developer Architect at ALLOcloud
https://be.linkedin.com/in/ludovicgasc
2017-02-02 18:39 GMT+01:00 Jade SZ <jitterbuffer(a)gmail.com>om>:
Hi Guys,
I am trying to setup the following flow:
Browser >> WSS >> HA Proxy >>> WSS >> Kamailio
But getting TLS errors in Kamailio logs:
*[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR:
tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330*
*[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number*
Browser <-----wss---->Kamailio works fine with same certs.
Both HA Proxy and Kamilio are installed on separate servers, hosting on
same port with different domain. Kamailio tls.conf has method = TLSv1
*@HA Proxy:*
openssl s_client -connect HA-PROXY-DOMAIN:*10443*
SSL-Session:
Protocol : TLSv1.2
*@Kamailio :*
openssl s_client -connect KAMAILIO-DOMAIN:*10443*
SSL-Session:
Protocol : TLSv1
So I made HA Proxy to be on TLSv1 "ssl-default-bind-options force-tlsv10"
But still I get the same TLS error in Kamailio.
*HA Proxy config looks like:*
*frontend public*
* bind *:10443 ssl crt /etc/haproxy/certs/cert.pem*
* acl is_websocket hdr_end(host) -i m1.some-domain.com
<http://m1.some-domain.com>*
* use_backend wss if is_websocket*
* default_backend wss*
*backend wss*
* timeout server 600s*
* server ws1 k1.some-domain.com:10443 <http://k1.some-domain.com:10443>*
* server ws1 k2.some-domain.com:10443 <http://k2.some-domain.com:10443>*
Need some direction, thanks in advance.
Regards,
Jade
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
3 Feb
3 Feb
2:58 a.m.
Are you using self-signed certs? or public certs signed by public CA.
On Thu, Feb 2, 2017 at 1:34 PM, Ludovic Gasc <gmludo(a)gmail.com> wrote:
Hi,
It might be a stupid question, but why you don't have WebSockets without
TLS between HAProxy and Kamailio ?
I've a similar setup to enable us to have on the same 443 port regular Web
server and SIP WebSockets, for now, it works pretty well.
--
Ludovic Gasc (GMLudo)
Lead Developer Architect at ALLOcloud
https://be.linkedin.com/in/ludovicgasc
2017-02-02 18:39 GMT+01:00 Jade SZ <jitterbuffer(a)gmail.com>om>:
Hi Guys,
I am trying to setup the following flow:
Browser >> WSS >> HA Proxy >>> WSS >> Kamailio
But getting TLS errors in Kamailio logs:
*[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR:
tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330*
*[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number*
Browser <-----wss---->Kamailio works fine with same certs.
Both HA Proxy and Kamilio are installed on separate servers, hosting on
same port with different domain. Kamailio tls.conf has method = TLSv1
*@HA Proxy:*
openssl s_client -connect HA-PROXY-DOMAIN:*10443*
SSL-Session:
Protocol : TLSv1.2
*@Kamailio :*
openssl s_client -connect KAMAILIO-DOMAIN:*10443*
SSL-Session:
Protocol : TLSv1
So I made HA Proxy to be on TLSv1 "ssl-default-bind-options force-tlsv10"
But still I get the same TLS error in Kamailio.
*HA Proxy config looks like:*
*frontend public*
* bind *:10443 ssl crt /etc/haproxy/certs/cert.pem*
* acl is_websocket hdr_end(host) -i m1.some-domain.com
<http://m1.some-domain.com>*
* use_backend wss if is_websocket*
* default_backend wss*
*backend wss*
* timeout server 600s*
* server ws1 k1.some-domain.com:10443 <http://k1.some-domain.com:10443>*
* server ws1 k2.some-domain.com:10443 <http://k2.some-domain.com:10443>*
Need some direction, thanks in advance.
Regards,
Jade
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
4:58 a.m.
Hi Guys,
Thanks for replying.
@Ludovic: Are you referring to this:
Browser >> WSS >> HA Proxy >>> *WS* >> Kamailio ?
I am trying to have minimum translation between HAproxy and Kamailio so
keeping it same. Just want it work then can decide on above.
@Gonzalo: Using public certs. When used only with Kamailio and any
WebRTC2SIP client like JsSIP/SIP.js/SIPml5 calls work fine.
Do you guys see anything wrong in HA Proxy Configs, as that part is new to
me. Where else should I look? One more info:
JsSIP is hosted on - some-other-domain with Apache on it. And the HA Proxy
is hosted on another server with it's cert, hosting wss port and then
load-balancing it to Kamailio web-sockets having same certs as HA Proxy (as
they are public and for whole domain)
On Fri, Feb 3, 2017 at 7:58 AM, Gonzalo Gasca Meza <gascagonzalo(a)gmail.com>
wrote:
Are you using self-signed certs? or public certs
signed by public CA.
On Thu, Feb 2, 2017 at 1:34 PM, Ludovic Gasc <gmludo(a)gmail.com> wrote:
Hi,
It might be a stupid question, but why you don't have WebSockets without
TLS between HAProxy and Kamailio ?
I've a similar setup to enable us to have on the same 443 port regular
Web server and SIP WebSockets, for now, it works pretty well.
--
Ludovic Gasc (GMLudo)
Lead Developer Architect at ALLOcloud
https://be.linkedin.com/in/ludovicgasc
2017-02-02 18:39 GMT+01:00 Jade SZ <jitterbuffer(a)gmail.com>om>:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hi Guys,
I am trying to setup the following flow:
Browser >> WSS >> HA Proxy >>> WSS >> Kamailio
But getting TLS errors in Kamailio logs:
*[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR:
tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330*
*[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number*
Browser <-----wss---->Kamailio works fine with same certs.
Both HA Proxy and Kamilio are installed on separate servers, hosting on
same port with different domain. Kamailio tls.conf has method = TLSv1
*@HA Proxy:*
openssl s_client -connect HA-PROXY-DOMAIN:*10443*
SSL-Session:
Protocol : TLSv1.2
*@Kamailio :*
openssl s_client -connect KAMAILIO-DOMAIN:*10443*
SSL-Session:
Protocol : TLSv1
So I made HA Proxy to be on TLSv1 "ssl-default-bind-options
force-tlsv10" But still I get the same TLS error in Kamailio.
*HA Proxy config looks like:*
*frontend public*
* bind *:10443 ssl crt /etc/haproxy/certs/cert.pem*
* acl is_websocket hdr_end(host) -i m1.some-domain.com
<http://m1.some-domain.com>*
* use_backend wss if is_websocket*
* default_backend wss*
*backend wss*
* timeout server 600s*
* server ws1 k1.some-domain.com:10443 <http://k1.some-domain.com:10443>*
* server ws1 k2.some-domain.com:10443 <http://k2.some-domain.com:10443>*
Need some direction, thanks in advance.
Regards,
Jade
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
8:20 a.m.
Hello,
can you try with debug=3 in kamailio.cfg, there should be more logs that
can provide hints on what happens.
Also, what are your settings for tls module? Do you require a specific
TLS version?
Cheers,
Daniel
On 02/02/2017 18:39, Jade SZ wrote:
Hi Guys,
I am trying to setup the following flow:
Browser >> WSS >> HA Proxy >>> WSS >> Kamailio
But getting TLS errors in Kamailio logs:
*[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR:
tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330*
*[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number*
Browser <-----wss---->Kamailio works fine with same certs.
Both HA Proxy and Kamilio are installed on separate servers, hosting
on same port with different domain. Kamailio tls.conf has method = TLSv1
*@HA Proxy:*
openssl s_client -connect HA-PROXY-DOMAIN:/10443/
SSL-Session:
Protocol : TLSv1.2
*@Kamailio :*
openssl s_client -connect KAMAILIO-DOMAIN:/10443/
SSL-Session:
Protocol : TLSv1
So I made HA Proxy to be on TLSv1 "ssl-default-bind-options
force-tlsv10" But still I get the same TLS error in Kamailio.
_HA Proxy config looks like:_
/frontend public/
/ bind *:10443 ssl crt /etc/haproxy/certs/cert.pem/
/ acl is_websocket hdr_end(host) -i m1.some-domain.com
<http://m1.some-domain.com>/
/ use_backend wss if is_websocket/
/ default_backend wss/
/
/
/backend wss/
/ timeout server 600s/
/ server ws1 k1.some-domain.com:10443 <http://k1.some-domain.com:10443>/
/ server ws1 k2.some-domain.com:10443 <http://k2.some-domain.com:10443>/
Need some direction, thanks in advance.
Regards,
Jade
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Mar 6-8 (Europe) and Mar 20-22 (USA) - www.asipto.com
Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com
2906
days inactive
2907
days old
4 comments
4 participants
participants (4)
-
Daniel-Constantin Mierla -
Gonzalo Gasca Meza -
Jade SZ -
Ludovic Gasc