[SR-Users] Websocket TLS Issue

Jade SZ jitterbuffer at gmail.com
Fri Feb 3 05:58:25 CET 2017


Hi Guys,

Thanks for replying.

@Ludovic: Are you referring to this:

Browser >> WSS >> HA Proxy >>> *WS* >> Kamailio ?

I am trying to have minimum translation between HAProxy and Kamailio, so
keeping it the same. Just want it to work, then can decide on the above.

@Gonzalo: Using public certs. When used only with Kamailio and any
WebRTC2SIP client like JsSIP/SIP.js/SIPml5 calls work fine.

Do you guys see anything wrong in HA Proxy Configs, as that part is new to
me. Where else should I look? One more info:

JsSIP is hosted on - some-other-domain with Apache on it. And the HA Proxy
is hosted on another server with its cert, hosting wss port and then
load-balancing it to Kamailio web-sockets having same certs as HA Proxy (as
they are public and for whole domain).


On Fri, Feb 3, 2017 at 7:58 AM, Gonzalo Gasca Meza <gascagonzalo at gmail.com>
wrote:

> Are you using self-signed certs? or public certs signed by public CA.
>
> On Thu, Feb 2, 2017 at 1:34 PM, Ludovic Gasc <gmludo at gmail.com> wrote:
>
>> Hi,
>>
>> It might be a stupid question, but why don't you have WebSockets without
>> TLS between HAProxy and Kamailio?
>> I've a similar setup to enable us to have on the same 443 port regular
>> Web server and SIP WebSockets, for now, it works pretty well.
>>
>> --
>> Ludovic Gasc (GMLudo)
>> Lead Developer Architect at ALLOcloud
>> https://be.linkedin.com/in/ludovicgasc
>>
>> 2017-02-02 18:39 GMT+01:00 Jade SZ <jitterbuffer at gmail.com>:
>>
>>> Hi Guys,
>>>
>>> I am trying to setup the following flow:
>>>
>>> Browser >> WSS >> HA Proxy >>> WSS >> Kamailio
>>>
>>> But getting TLS errors in Kamailio logs:
>>> [29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR:
>>> tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330
>>> [29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
>>> accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>>
>>> Browser <-----wss---->Kamailio  works fine with same certs.
>>>
>>> Both HA Proxy and Kamailio are installed on separate servers, hosting on
>>> same port with different domain. Kamailio tls.conf has method = TLSv1
>>>
>>> @HA Proxy:
>>>
>>> openssl s_client -connect HA-PROXY-DOMAIN:10443
>>>
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>
>>> @Kamailio:
>>> openssl s_client -connect KAMAILIO-DOMAIN:10443
>>>
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>
>>> So I made HA Proxy to be on TLSv1 "ssl-default-bind-options
>>> force-tlsv10" But still I get the same TLS error in Kamailio.
>>>
>>> HA Proxy config looks like:
>>>
>>> frontend public
>>>   bind *:10443 ssl crt /etc/haproxy/certs/cert.pem
>>>   acl is_websocket hdr_end(host) -i m1.some-domain.com
>>>   use_backend wss if is_websocket
>>>   default_backend wss
>>>
>>> backend wss
>>>   timeout server 600s
>>>   server ws1 k1.some-domain.com:10443
>>>   server ws1 k2.some-domain.com:10443
>>>
>>>
>>> Need some direction, thanks in advance.
>>>
>>>
>>> Regards,
>>> Jade
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> sr-users at lists.sip-router.org
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>
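
Added example (not part of the thread, and not Kamailio or HAProxy code): OpenSSL reports `SSL3_GET_RECORD:wrong version number` when the version bytes of the first record header are not an SSL/TLS version, which is what a TLS listener sees when its peer sends cleartext HTTP. The `server` lines in the quoted `backend wss` carry no `ssl` keyword, which makes HAProxy connect to them without TLS. The function name and sample bytes below are constructed for illustration.

```python
import struct

# Record-layer content types and versions a TLS listener accepts (RFC 5246, 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> dict:
    """Read the first bytes a TLS port received the way a record parser would."""
    if len(data) < 5:
        return {"verdict": "too-short"}
    # TLS record header: 1 byte type, 2 bytes version, 2 bytes length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {
        "content_type": CONTENT_TYPES.get(ctype, "invalid(0x%02x)" % ctype),
        "version": VERSIONS.get((major, minor), "invalid(0x%02x%02x)" % (major, minor)),
        "length": length,
    }
    if data.startswith(HTTP_METHODS):
        # ASCII request line: "GET " decodes as type 0x47, version 0x4554.
        info["verdict"] = "cleartext-http"
    elif ctype in CONTENT_TYPES and (major, minor) in VERSIONS:
        info["verdict"] = "tls-record"
    else:
        info["verdict"] = "not-tls"
    return info


# Constructed samples (not captured from the thread's servers).
# 1) Start of a WebSocket upgrade forwarded without TLS.
SAMPLE_CLEARTEXT = (b"GET / HTTP/1.1\r\nHost: k1.some-domain.com:10443\r\n"
                    b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
# 2) Header of a TLS handshake record (ClientHello), record version TLSv1.0.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01])

if __name__ == "__main__":
    for name, sample in (("cleartext", SAMPLE_CLEARTEXT), ("tls", SAMPLE_TLS)):
        print(name, classify_first_bytes(sample))
```

To apply it to a real setup, pass in the first payload bytes of a connection captured on the Kamailio side of the proxy.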