Using WSS with WebRTC and Letsencrypt (Let's Encrypt) via sipML = "no shared cipher" #190

Open
chrischarles2002 opened this issue Dec 10, 2015 · 1 comment

@chrischarles2002
Can anyone out there assist with this issue?
I’m thinking it’s just a config issue on my side (I am hoping).

Here is my environment:

CentOS: 6.7
WebRTC 2.7.0
sipML: https://www.doubango.org/sipml5/call.htm?svn=241
Apache: 2.2.15
Chrome: 47.0.2526.80 m

With

Let’s Encrypt Public Beta (from: “git clone https://github.com/letsencrypt/letsencrypt”)

Using the sipML website, I am trying to test using SSL certificates generated by Let’s Encrypt as the resource to connect over secured WebSocket (WSS) to WebRTC.
This would be for audio only.

Using the command “./letsencrypt-auto certonly “, Let’s Encrypt generates the following four (4) files:

cert.pem
chain.pem
fullchain.pem
privkey.pem

I have also generated another public key from my private key using the following command:

openssl rsa -in privkey.pem -pubout -out pubkey.pub

As a separate test, I confirmed that these certificates worked on a HTTPS website, on this same server.
Here is my Apache config for the test website:

<VirtualHost *:443>
        DocumentRoot /var/www/html/my_website
        ServerName my.domain.com

        SSLEngine  on
        SSLCertificateFile /etc/letsencrypt/archive/my.domain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/archive/my.domain.com/privkey.pem
</VirtualHost>

The website loads in all browsers without any issues, so we know the certificate files are fine.

Here is the config.xml for WebRTC (also attached):
config.xml.txt

<?xml version="1.0" encoding="utf-8" ?>
<!-- Please check the technical guide (http://webrtc2sip.org/technical-guide-1.0.pdf) for more information on how to adjust this file -->
<config>

  <debug-level>INFO</debug-level>

  <transport>udp;*;*</transport>
  <transport>ws;*;5062</transport>
  <transport>wss;*;10062</transport>

  <enable-rtp-symetric>yes</enable-rtp-symetric>
  <enable-100rel>no</enable-100rel>
  <enable-media-coder>no</enable-media-coder>
  <enable-videojb>no</enable-videojb>
  <video-size-pref>vga</video-size-pref>
  <rtp-buffsize>65535</rtp-buffsize>
  <avpf-tail-length>100;400</avpf-tail-length>
  <srtp-mode>optional</srtp-mode>
  <srtp-type>sdes;dtls</srtp-type>
  <dtmf-type>rfc4733</dtmf-type>

  <codecs>opus;pcma;pcmu;gsm;</codecs>
  <codec-opus-maxrates>48000;48000</codec-opus-maxrates>

  <stun-server>stun.l.google.com;19302;stun_at_doubango.org;stun-user</stun-server>
  <enable-icestun>yes</enable-icestun>

  <max-fds>-1</max-fds>

  <ssl-certificates>
    /etc/letsencrypt/archive/my.domain.com/privkey.pem
    /etc/letsencrypt/archive/my.domain.com/pubkey.pem
    /etc/letsencrypt/archive/my.domain.com/cert.pem
    no
  </ssl-certificates>


  <database>sqlite;*</database>

</config>

Note: I have also interchanged the “pubkey.pem” file with the “fullchain.pem” with the exact same behavior.

In sipML, I have specified the “WebSocket Server URL” as “wss://my.domain.com:10062”

[screenshot: sipML expert settings]

Upon clicking on the “Login” button on the sipML site, the plain text response is: “Disconnected: Failed to connect to the server”

The Chrome 47 Console, returns the following message for the event:

WebSocket connection to 'wss://my.domain.com:10062/' failed: Error in connection establishment: net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Alternatively, to eliminate the Let’s Encrypt certificate files and keys, I signed up for a trial SSL certificate from Comodo (https://ssl.comodo.com/free-ssl-certificate.php).

The files that Comodo produces are:

server.key
my.domain.com.crt
my.domain.com.ca-bundle

And the Apache config is also slightly different:

<VirtualHost *:443>
        DocumentRoot /var/www/html/my_website
        ServerName my.domain.com

        SSLEngine  on
        SSLCertificateKeyFile /etc/letsencrypt/comodo/server.key
        SSLCertificateFile /etc/letsencrypt/comodo/my.domain.com.crt
        SSLCertificateChainFile /etc/letsencrypt/comodo/my.domain.com.ca-bundle

</VirtualHost>

This Apache setup also launches the associated website without any issues.
The alternative certificate files would then yield the following in the “ssl-certificates” section of the WebRTC config.xml:

  <ssl-certificates>
    /etc/letsencrypt/comodo/server.key
    /etc/letsencrypt/comodo/my.domain.com.ca-bundle
    /etc/letsencrypt/comodo/my.domain.com.crt
    no
  </ssl-certificates>

Using either signing authority's setup yields the exact same result in the WebRTC console.

Mainly these are the messages:

***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher]

and

***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback]

Here’s the WebRTC console output:

user@ > /opt/webrtc2sip/sbin/webrtc2sip --config=/opt/webrtc2sip/sbin/config.xml
*******************************************************************
Copyright (C) 2012-2015 Doubango Telecom <http://www.doubango.org>
PRODUCT: webrtc2sip
HOME PAGE: http://webrtc2sip.org
LICENCE: GPLv3 or proprietary
VERSION: 2.7.0
'quit' to quit the application.
*******************************************************************

SSL is enabled :)
DTLS supported: yes
DTLS-SRTP supported: yes
*[DOUBANGO INFO]: transport = udp://*:*
*[DOUBANGO INFO]: transport = ws://*:5062
*[DOUBANGO INFO]: transport = wss://*:10062
*[DOUBANGO INFO]: enable-rtp-symetric = yes
*[DOUBANGO INFO]: enable-100rel = no
*[DOUBANGO INFO]: enable-media-coder = no
*[DOUBANGO INFO]: enable-videojb = no
*[DOUBANGO INFO]: video-size-pref = vga
*[DOUBANGO INFO]: rtp-buffsize = 65535
*[DOUBANGO INFO]: avpf-tail-length = [100-400]
*[DOUBANGO INFO]: srtp-mode = optional
*[DOUBANGO INFO]: srtp-type = sdes;dtls
*[DOUBANGO INFO]: dtmf-type = rfc4733
*[DOUBANGO INFO]: codecs = opus;pcma;pcmu;gsm;
*[DOUBANGO INFO]: UnRegister codec: PCMA, G.711a codec (native)
*[DOUBANGO INFO]: UnRegister codec: PCMU, G.711u codec (native)
*[DOUBANGO INFO]: UnRegister codec: GSM, GSM Full Rate (libgsm)
*[DOUBANGO INFO]: codec-opus-maxrates = 48000;48000
*[DOUBANGO INFO]: stun-server = stun.l.google.com;19302;-;-
*[DOUBANGO INFO]: enable-icestun = yes
*[DOUBANGO INFO]: max-fds = -1
*[DOUBANGO INFO]: database = sqlite;*
*[DOUBANGO INFO]: sqlite3_threadsafe = 1
*[DOUBANGO INFO]: Database opened = TRUE
*[DOUBANGO INFO]: Stack running in SERVER mode
*[DOUBANGO INFO]: tsk_timer_manager_start
*[DOUBANGO INFO]: Timer manager run()::enter
*[DOUBANGO INFO]: TIMER MANAGER -- START
*[DOUBANGO INFO]: Best source at 0: 10.10.10.10
*[DOUBANGO INFO]: Best source at 4: 10.10.10.10
*[DOUBANGO INFO]: Best source at 5: 10.10.10.10
*[DOUBANGO INFO]: SIP STACK::run -- START
***[DOUBANGO ERROR]: function: "tnet_sockfd_reuseaddr()"
file: "src/tnet_utils.c"
line: "1756"
MSG: setsockopt(SO_REUSEPORT, fd=7) have failed
***[DOUBANGO ERROR]: function: "tnet_sockfd_reuseaddr()"
file: "src/tnet_utils.c"
line: "1756"
MSG: (SYSTEM)NETWORK ERROR ==>Protocol not available
***[DOUBANGO ERROR]: function: "tnet_sockfd_reuseaddr()"
file: "src/tnet_utils.c"
line: "1756"
MSG: setsockopt(SO_REUSEPORT, fd=8) have failed
***[DOUBANGO ERROR]: function: "tnet_sockfd_reuseaddr()"
file: "src/tnet_utils.c"
line: "1756"
MSG: (SYSTEM)NETWORK ERROR ==>Protocol not available
*[DOUBANGO INFO]: tnet_transport_prepare()
*[DOUBANGO INFO]: pipeR fd=9, pipeW=10
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=9, tail.count=1
*[DOUBANGO INFO]: master fd=6
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=6, tail.count=2
*[DOUBANGO INFO]: tnet_transport_prepare()
*[DOUBANGO INFO]: Transport::run(SIP transport) - enter
*[DOUBANGO INFO]: pipeR fd=11, pipeW=12
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=11, tail.count=1
*[DOUBANGO INFO]: master fd=7
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=7, tail.count=2
*[DOUBANGO INFO]: tnet_transport_prepare()
*[DOUBANGO INFO]: pipeR fd=13, pipeW=14
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=13, tail.count=1
*[DOUBANGO INFO]: master fd=8
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=8, tail.count=2
*[DOUBANGO INFO]: Starting [SIP transport] server with IP {10.10.10.10} on port {50642} using fd {6} with type {2}...
*[DOUBANGO INFO]: Transport::run(SIP transport) - enter
*[DOUBANGO INFO]: SIP STACK -- START
*[DOUBANGO INFO]: Starting [SIP transport] server with IP {10.10.10.10} on port {10062} using fd {8} with type {128}...
*[DOUBANGO INFO]: Transport::run(SIP transport) - enter
*[DOUBANGO INFO]: Starting [SIP transport] server with IP {10.10.10.10} on port {5062} using fd {7} with type {64}...
*[DOUBANGO INFO]: ioctlt(8), len=0 returned zero or failed
*[DOUBANGO INFO]: NETWORK EVENT FOR SERVER [SIP transport] -- FD_ACCEPT(fd=15)
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=15, tail.count=3
*[DOUBANGO INFO]: WebSocket Peer accepted/connected with fd = 15
***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher]
*[DOUBANGO INFO]: Removing socket 15
*[DOUBANGO INFO]: Socket to remove: fd=15, index=2, tail.count=3
*[DOUBANGO INFO]: CloseSocket(15)
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: SSL_accept() failed
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: (SYSTEM)NETWORK ERROR ==>Success
*[DOUBANGO INFO]: PipeR event = 1
*[DOUBANGO INFO]: #1 peers in the 'SIP transport' transport
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: #0 peers in the 'SIP transport' transport
*[DOUBANGO INFO]: *** Stream Peer destroyed ***
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: ioctlt(8), len=0 returned zero or failed
*[DOUBANGO INFO]: NETWORK EVENT FOR SERVER [SIP transport] -- FD_ACCEPT(fd=15)
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=15, tail.count=3
***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher]
*[DOUBANGO INFO]: Removing socket 15
*[DOUBANGO INFO]: Socket to remove: fd=15, index=2, tail.count=3
*[DOUBANGO INFO]: CloseSocket(15)
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: SSL_accept() failed
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: (SYSTEM)NETWORK ERROR ==>Success
*[DOUBANGO INFO]: PipeR event = 1
*[DOUBANGO INFO]: WebSocket Peer accepted/connected with fd = 15
***[DOUBANGO ERROR]: function: "tnet_get_ip_n_port()"
file: "src/tnet_utils.c"
line: "1247"
MSG: TNET_GET_SOCKADDR has failed with status code: -1
***[DOUBANGO ERROR]: function: "tnet_get_ip_n_port()"
file: "src/tnet_utils.c"
line: "1247"
MSG: (SYSTEM)NETWORK ERROR ==>Bad file descriptor
***[DOUBANGO ERROR]: function: "tsip_transport_add_stream_peer_2()"
file: "src/transports/tsip_transport.c"
line: "661"
MSG: Failed to get remote peer ip and address for local fd = 15
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: ioctlt(8), len=0 returned zero or failed
*[DOUBANGO INFO]: NETWORK EVENT FOR SERVER [SIP transport] -- FD_ACCEPT(fd=15)
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=15, tail.count=3
***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback]
*[DOUBANGO INFO]: Removing socket 15
*[DOUBANGO INFO]: Socket to remove: fd=15, index=2, tail.count=3
*[DOUBANGO INFO]: CloseSocket(15)
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: SSL_accept() failed
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: (SYSTEM)NETWORK ERROR ==>Success
*[DOUBANGO INFO]: PipeR event = 1
*[DOUBANGO INFO]: WebSocket Peer accepted/connected with fd = 15
***[DOUBANGO ERROR]: function: "tnet_get_ip_n_port()"
file: "src/tnet_utils.c"
line: "1247"
MSG: TNET_GET_SOCKADDR has failed with status code: -1
***[DOUBANGO ERROR]: function: "tnet_get_ip_n_port()"
file: "src/tnet_utils.c"
line: "1247"
MSG: (SYSTEM)NETWORK ERROR ==>Bad file descriptor
***[DOUBANGO ERROR]: function: "tsip_transport_add_stream_peer_2()"
file: "src/transports/tsip_transport.c"
line: "661"
MSG: Failed to get remote peer ip and address for local fd = 15
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
@chrischarles2002 chrischarles2002 changed the title Using WSS with WebRTC and Letsencrypt (Let's Encrypt) via sipML Using WSS with WebRTC and Letsencrypt (Let's Encrypt) via sipML = "no shared cipher" Dec 11, 2015
@chrischarles2002 (Author)

Found my own issue.
Pretty Stupid.
Missing semicolon (;) at the end of each line in the webrtc2sip config.xml.

So the section of the file went from this:

  <ssl-certificates>
    /etc/letsencrypt/comodo/server.key
    /etc/letsencrypt/comodo/my.domain.com.ca-bundle
    /etc/letsencrypt/comodo/my.domain.com.crt
    no
  </ssl-certificates>

To this:

  <ssl-certificates>
    /etc/letsencrypt/comodo/server.key;
    /etc/letsencrypt/comodo/my.domain.com.crt;
    *;
    no
  </ssl-certificates>

And everything works now.

You can close this thread as "INVALID".
Sorry about that.
