[SR-Users] Websocket TLS Issue

Ludovic Gasc gmludo at gmail.com
Thu Feb 2 22:34:25 CET 2017 

Hi,

It might be a stupid question, but why you don't have WebSockets without
TLS between HAProxy and Kamailio ?
I've a similar setup to enable us to have on the same 443 port regular Web
server and SIP WebSockets, for now, it works pretty well.

--
Ludovic Gasc (GMLudo)
Lead Developer Architect at ALLOcloud
https://be.linkedin.com/in/ludovicgasc

2017-02-02 18:39 GMT+01:00 Jade SZ <jitterbuffer at gmail.com>:

> Hi Guys,
>
> I am trying to setup the following flow:
>
> Browser >> WSS >> HA Proxy >>> WSS >> Kamailio
>
> But getting TLS errors in Kamailio logs:
> *[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR:
> tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330*
> *[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
> accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number*
>
> Browser <-----wss---->Kamailio  works fine with same certs.
>
> Both HA Proxy and Kamilio are installed on separate servers, hosting on
> same port with different domain. Kamailio tls.conf has method = TLSv1
>
> *@HA Proxy:*
>
> openssl s_client -connect HA-PROXY-DOMAIN:*10443*
>
> SSL-Session:
>     Protocol  : TLSv1.2
>
> *@Kamailio :*
> openssl s_client -connect KAMAILIO-DOMAIN:*10443*
>
> SSL-Session:
>     Protocol  : TLSv1
>
> So I made HA Proxy to be on TLSv1 "ssl-default-bind-options force-tlsv10"
> But still I get the same TLS error in Kamailio.
>
> *HA Proxy config looks like:*
>
> *frontend public*
> *  bind *:10443 ssl crt /etc/haproxy/certs/cert.pem*
> *  acl is_websocket hdr_end(host) -i m1.some-domain.com
> <http://m1.some-domain.com>*
> *  use_backend wss if is_websocket*
> *  default_backend wss*
>
> *backend wss*
> *  timeout server 600s*
> *  server ws1 k1.some-domain.com:10443 <http://k1.some-domain.com:10443>*
> *  server ws1 k2.some-domain.com:10443 <http://k2.some-domain.com:10443>*
>
>
> Need some direction, thanks in advance.
>
>
> Regards,
> Jade
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20170202/532e0b1c/attachment.html>

More information about the sr-users mailing list