[SR-Users] Websocket TLS Issue

Gonzalo Gasca Meza gascagonzalo at gmail.com
Fri Feb 3 03:58:18 CET 2017 

Are you using self-signed certs? or public certs signed by public CA.

On Thu, Feb 2, 2017 at 1:34 PM, Ludovic Gasc <gmludo at gmail.com> wrote:

> Hi,
>
> It might be a stupid question, but why you don't have WebSockets without
> TLS between HAProxy and Kamailio ?
> I've a similar setup to enable us to have on the same 443 port regular Web
> server and SIP WebSockets, for now, it works pretty well.
>
> --
> Ludovic Gasc (GMLudo)
> Lead Developer Architect at ALLOcloud
> https://be.linkedin.com/in/ludovicgasc
>
> 2017-02-02 18:39 GMT+01:00 Jade SZ <jitterbuffer at gmail.com>:
>
>> Hi Guys,
>>
>> I am trying to setup the following flow:
>>
>> Browser >> WSS >> HA Proxy >>> WSS >> Kamailio
>>
>> But getting TLS errors in Kamailio logs:
>> *[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR:
>> tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330*
>> *[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
>> accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number*
>>
>> Browser <-----wss---->Kamailio  works fine with same certs.
>>
>> Both HA Proxy and Kamilio are installed on separate servers, hosting on
>> same port with different domain. Kamailio tls.conf has method = TLSv1
>>
>> *@HA Proxy:*
>>
>> openssl s_client -connect HA-PROXY-DOMAIN:*10443*
>>
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>
>> *@Kamailio :*
>> openssl s_client -connect KAMAILIO-DOMAIN:*10443*
>>
>> SSL-Session:
>>     Protocol  : TLSv1
>>
>> So I made HA Proxy to be on TLSv1 "ssl-default-bind-options force-tlsv10"
>> But still I get the same TLS error in Kamailio.
>>
>> *HA Proxy config looks like:*
>>
>> *frontend public*
>> *  bind *:10443 ssl crt /etc/haproxy/certs/cert.pem*
>> *  acl is_websocket hdr_end(host) -i m1.some-domain.com
>> <http://m1.some-domain.com>*
>> *  use_backend wss if is_websocket*
>> *  default_backend wss*
>>
>> *backend wss*
>> *  timeout server 600s*
>> *  server ws1 k1.some-domain.com:10443 <http://k1.some-domain.com:10443>*
>> *  server ws1 k2.some-domain.com:10443 <http://k2.some-domain.com:10443>*
>>
>>
>> Need some direction, thanks in advance.
>>
>>
>> Regards,
>> Jade
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20170202/5e8fca2e/attachment.html>

More information about the sr-users mailing list