<div dir="ltr">Are you using self-signed certs? or public certs signed by public CA.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 2, 2017 at 1:34 PM, Ludovic Gasc <span dir="ltr"><<a href="mailto:gmludo@gmail.com" target="_blank">gmludo@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>It might be a stupid question, but why you don't have WebSockets without TLS between HAProxy and Kamailio ?<br>I've a similar setup to enable us to have on the same 443 port regular Web server and SIP WebSockets, for now, it works pretty well.</div></div><div class="gmail_extra"><br clear="all"><div><div class="m_-5758917866083405108gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">--<br><div style="font-size:small"><div>Ludovic Gasc (GMLudo)</div><div>Lead Developer Architect at ALLOcloud</div><div><a href="https://be.linkedin.com/in/ludovicgasc" target="_blank">https://be.linkedin.com/in/<wbr>ludovicgasc</a></div></div></div></div></div></div></div>
<br><div class="gmail_quote"><div><div class="h5">2017-02-02 18:39 GMT+01:00 Jade SZ <span dir="ltr"><<a href="mailto:jitterbuffer@gmail.com" target="_blank">jitterbuffer@gmail.com</a>></span>:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><font face="verdana, sans-serif">Hi Guys,</font><div><font face="verdana, sans-serif"><br></font></div><div><font face="verdana, sans-serif"><div>I am trying to setup the following flow:</div><div><br></div><div>Browser >> WSS >> HA Proxy >>> WSS >> Kamailio</div><div><br></div><div>But getting TLS errors in Kamailio logs:<br></div><div><div><b>[29634]: ERROR: <core> [tcp_read.c:1321]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f68ebe872b0 r: 0x7f68ebe87330</b></div><div><b>[29631]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number</b></div></div><div><br></div><div>Browser <-----wss---->Kamailio works fine with same certs. <br></div><div><br></div></font><font face="verdana, sans-serif"><div>Both HA Proxy and Kamilio are installed on separate servers, hosting on same port with different domain. Kamailio tls.conf has method = TLSv1</div><div><br></div><div><b>@HA Proxy:</b></div><div><br></div><div>openssl s_client -connect HA-PROXY-DOMAIN:<i>10443</i><br></div></font><font face="verdana, sans-serif"><div><br></div><div><div>SSL-Session:</div><div> Protocol : TLSv1.2</div></div><div><br></div><div><b>@Kamailio :</b></div><div><div>openssl s_client -connect KAMAILIO-DOMAIN:<i>10443</i><br></div><div><br></div><div>SSL-Session:</div><div> Protocol : TLSv1</div></div><div><br></div><div>So I made HA Proxy to be on TLSv1 "ssl-default-bind-options force-tlsv10" But still I get the same TLS error in Kamailio. </div><div><br></div><div><u>HA Proxy config looks like:</u></div></font><font face="verdana, sans-serif"><div><br></div><div><i>frontend public</i></div><div><i> bind *:10443 ssl crt /etc/haproxy/certs/cert.pem</i></div><div><i> acl is_websocket hdr_end(host) -i <a href="http://m1.some-domain.com" target="_blank">m1.some-domain.com</a></i></div><div><i> use_backend wss if is_websocket</i></div><div><i> default_backend wss</i></div><div><i><br></i></div><div><i>backend wss</i></div><div><i> timeout server 600s</i></div><div><i> server ws1 <a href="http://k1.some-domain.com:10443" target="_blank">k1.some-domain.com:10443</a></i></div><div><i> server ws1 <a href="http://k2.some-domain.com:10443" target="_blank">k2.some-domain.com:10443</a></i></div></font><font face="verdana, sans-serif"><div><br></div><div><br></div><div>Need some direction, thanks in advance.</div><div><br></div><div><br></div><div>Regards,</div><div>Jade</div></font></div></div>
<br></div></div>______________________________<wbr>_________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org" target="_blank">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">http://lists.sip-router.org/cg<wbr>i-bin/mailman/listinfo/sr-user<wbr>s</a><br>
<br></blockquote></div><br></div>
<br>______________________________<wbr>_________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">http://lists.sip-router.org/<wbr>cgi-bin/mailman/listinfo/sr-<wbr>users</a><br>
<br></blockquote></div><br></div>