I'd like to know if it is possible to configure a certificate for wss when using restcomm sipservlets with a keystoretype PKCS12
I found this post:
SIPML 5 Client and SipServlets not works Using WSS
and looked to modify the suggestion to :
gov.nist.javax.sip.TLS_CLIENT_AUTH_TYPE=Disabled
javax.net.ssl.keystoreFile="conf/STAR_domain.pfx"
javax.net.ssl.keyStorePassword="pkcspass"
javax.net.ssl.keystoreType="PKCS12"
my connector config:
<Connector port="10443"
ipAddress = "ip.address"
protocol="org.mobicents.servlet.sip.startup.SipProtocolHandler"
signalingTransport="wss"/>
When opening a socket to this port I don't get a server hello. Meaning the cert wasn't loaded?
Please Read and follow the steps at http://docs.telestax.com/sip-servlets-security/
Related
I have been learning with WebSocket++ and built some of the server examples (Windows 10 Visual Studio 2019). The non-TLS examples work without issues, however, the TLS-enabled examples (echo_server_both.cpp and echo_server_tls.cpp) can't do the handshake. I am very new to web development in general so I know I must be doing something wrong with regards to the certificate and keys.
I am testing the servers with WebSocket King client, an extension of Google Chrome that connects correctly to other websocket servers like wss://echo.websocket.org and to my own localhost when I don't use TLS.
The echo_server_both example comes with a server.pem file, and the echo_server_tls example comes with server.pem and dh.pem. I have used the same files that come with the samples, and I have also tried generating and registering my own .pem files using openSSL. In both cases I get this when the client tries to connect:
[2021-06-29 20:51:21] [error] handle_transport_init received error: sslv3 alert certificate unknown
[2021-06-29 20:51:21] [fail] WebSocket Connection [::1]:63346 - "" - 0 asio.ssl:336151574 sslv3 alert certificate unknown
[2021-06-29 20:51:21] [info] asio async_shutdown error: asio.ssl:336462231 (shutdown while in init)
I discovered these errors after I edited handle_init() in tls.hpp, following a suggestion in another site, to look like this:
void handle_init(init_handler callback,lib::asio::error_code const & ec) {
if (ec) {
//m_ec = socket::make_error_code(socket::error::tls_handshake_failed);
m_ec = ec;
} else {
m_ec = lib::error_code();
}
callback(m_ec);
}
This change let the actual openSSL error to show in the console, otherwise it would show a generic "handshake failed" error.
I know I'm not doing what I should with the certificates, but I have no idea where else to look or what to do next. Can anyone here help please? Should I use the .pem files that come with the examples, or should I generate my own? in case I should generate my own, what would be the openSSL command to do that correctly and how do I tell my PC to recognize these as valid so that the server works?
Found the problem: WebSocket++ will not accept a self-signed certificate (the ones you can create directly in your own PC using OpenSSL or the Windows utilities). There is no way around it. You must have a valid, authority-validated and endorsed certificate. You can get such a certificate for free (valid only for 90 days) from https://zerossl.com/. The site has detailed instructions on how to request, obtain and install a certificate. After getting a valid certificate and installing it on my server, everything worked as it should.
I try to configure my Kafka brokers to work under ssl. I have the following configuration in all brokers:
listeners=PLAINTEXT://0.0.0.0:9092, SSL://0.0.0.0:9093
advertised.host.name=my_host_ip
port=9092
ssl.truststore.location=/opt/kafka/kafka.server.truststore.jks
ssl.keystore.location=/opt/kafka/kafka.server.keystore.jks
ssl.key.password=123456
ssl.keystore.password=123456
ssl.truststore.password=123456
And some other definitions which are not related to my ssl configuration.
In the client configuration I have the following:
security.protocol=SSL
ssl.truststore.location=/opt/kafka_2.12-0.10.2.0/config/ssl/kafka/client.truststore.jks
ssl.truststore.password=123456
With port 9092 (no ssl) everything works well, but when I try to use port 9093 - I got the following error, and I can't post message to the Kafka topic:
2017-04-25T16:59:19.945801000Z [2017-04-25 16:59:19,857] ERROR [KafkaApi-2] Error when handling request {topics=null} (kafka.server.KafkaApis)
2017-04-25T16:59:19.945991000Z kafka.common.BrokerEndPointNotAvailableException: Broker `2` does not have listener with name `ListenerName(SSL)’
I have ssl connection between the machines (checked with openssl)
What can be the reason?
I think you're exposing port 9092, but your SSL is configured to listen to 9093. Also, if I remember correctly, advertised.host.name is a deprecated parameter in kafka 0.10.x
I'll suggest commenting out advertised.host.name=my_host_ip and port=9092 and putting advertised.listeners=PLAINTEXT://<ip>:9092, SSL://<ip>:9093
Need your help in setting the SSL manager in Jmeter for performance testing with IBM datapower.
I tried the below steps to Add cert.
• Added (* .jks /*.p12 ) file in the jmeter GUI > Options > SSL Manager.
• I tried the setting the jks file in system.properties file too.
Path : *\jMETER\apache-jmeter-3.0\apache-jmeter-3.0\bin\system.properties
# Truststore properties (trusted certificates)
#javax.net.ssl.trustStore=/path/to/[jsse]cacerts
#javax.net.ssl.trustStorePassword
#javax.net.ssl.trustStoreProvider
#javax.net.ssl.trustStoreType [default = KeyStore.getDefaultType()]
# Keystore properties (client certificates)
# Location
javax.net.ssl.keyStore=****.jks -- Added
#
#The password to your keystore
javax.net.ssl.keyStorePassword=****-- Added
#
#javax.net.ssl.keyStoreProvider
#javax.net.ssl.keyStoreType [default = KeyStore.getDefaultType()]
I dont see the SSL handshake jMETER and datapower even after i followed ablove steps. Getting below error from datapower.
12:47:26 AM ssl error 51751363 10.123.98.73 0x806000ca valcred (###_CVC_Reverse_Server): SSL Proxy Profile '###_SSLPP_Reverse_Server': connection error: peer did not send a certificate
12:47:26 AM mpgw error 51751363 10.123.98.73 0x80e00161 source-https (###_HTTPS_FSH_CON_****): Request processing failed: Connection terminated before request headers read because of the connection error occurs, from URL: 10.123.98.73:58394
12:47:26 AM ssl error 51751363 10.123.98.73 0x8120002f sslproxy (####_SSLPP_Reverse_Server): SSL library error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
Can you please advice how to send the cert(.jks/ .p12) file from jmeter.
Change "Implementation" of your HTTP Request sampler(s) to Java. The fastest and the easiest way of doing this is using HTTP Request Defaults.
If you're using .p12 keystores you will need an extra line in the system.properties file like:
javax.net.ssl.keyStoreType=pkcs12
JMeter restart is required to pick the properties up.
See How to Set Your JMeter Load Test to Use Client Side Certificates article for more information.
I Have Tomcat run on HTTPS.
I have tried to deploy SIPML5 WebSocket Application To into my tomcat.
When I tried to connect Sip Servlets using ws :
ws://192.168.X.Y:5082
And Sip Servlets Config looks like :
<Connector port="5082"
ipAddress = "192.168.X.Y"
protocol="org.mobicents.servlet.sip.startup.SipProtocolHandler"
signalingTransport="ws"/>
I got an error :
SIPml-api.js:4 Mixed Content: The page at 'https://192.168.X1.X2:8443/CallCenterBK/CallCenterBK.jsp?sip=1' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://192.168.X.Y:5082/'. This request has been blocked; this endpoint must be available over WSS.
When I have changes my SIPML 5 Client to wss :
wss://192.168.X.Y:5082
And my sip servlets config looks like :
<Connector port="5082"
ipAddress = "192.168.X.Y"
protocol="org.mobicents.servlet.sip.startup.SipProtocolHandler"
signalingTransport="wss"/>
I got another error :
WebSocket connection to 'wss://192.168.X.Y:5082/' failed: Error in connection establishment: net::ERR_CONNECTION_CLOSED
And when I have set to sipml 5 client : wss://192.168.X.Y:5082
and config changed to :
<Connector port="5082"
ipAddress = "192.168.X.Y"
protocol="org.mobicents.servlet.sip.startup.SipProtocolHandler"
signalingTransport="ws"/>
I got an error :
WebSocket connection to 'wss://192.168.1.3:5082/' failed: Error in connection establishment: net::ERR_TIMED_OUT
What I did incorrectly ?
Any idea will be appreciated.
You configured the HTTPs connector with the certificate information, you need to do the same thing for the WSS connector. Unfortunately the configuration for that is located at the SIP Stack level, so you need to edit your standalone/configuration/mss-sip-stack.properties and add
gov.nist.javax.sip.TLS_CLIENT_AUTH_TYPE=Disabled
javax.net.ssl.keyStore=$TRUSTSTORE_FILE
javax.net.ssl.keyStorePassword=$TRUSTSTORE_PASSWORD
javax.net.ssl.trustStorePassword=$TRUSTSTORE_PASSWORD
javax.net.ssl.trustStore=$TRUSTSTORE_FILE
javax.net.ssl.keyStoreType=JKS
SIPML5 works fine with wss for sure. The problem is on your server side.
Make sure that 5082 port is listening (telnet)
Make sure that you have installed a valid SSL certificate to your
server
Make sure that 5082 is the secure (wss) port (On most servers the ws
unsecured and wss secured are listening on different ports)
I am trying to setup the certificate verification in opensips along with the blink sip client. I followed the tutorial:
https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki
My config look like so:
[opensips.cfg]
disable_tls = no
listen = tls:my_ip:5061
tls_verify_server= 0
tls_verify_client = 1
tls_require_client_certificate = 1
#tls_method = TLSv1
tls_method = SSLv23
tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem"
So i generated the rootCA and the server certificate. Then i took the server-calist.pem added the server-privkey.pem in there (otherwise blink sip client won't load it) and set it in client. I also set the server-calist.pem as a certificate authority in the blink. But when i try to login to my server i get:
Feb 4 21:02:42 user /usr/local/sbin/opensips[28065]: DBG:core:tcp_read_req: Using the global ( per process ) buff
Feb 4 21:02:42 user /usr/local/sbin/opensips[28065]: DBG:core:tls_update_fd: New fd is 17
Feb 4 21:02:42 user /usr/local/sbin/opensips[28065]: ERROR:core:tls_accept: New TLS connection from 130.85.9.114:48253 failed to accept: rejected by client
So i assume that the client doesn't accept the server certificate for some reason, although i have the "Verify server" checkbox turned off in my blink sip client! I think i have the wrong certificate authority file.
./user/user-cert.pem
./user/user-cert_req.pem
./user/user-privkey.pem
./user/user-calist.pem <- this 4 are for using opensips as a client i think
./rootCA/certs/01.pem
./rootCA/private/cakey.pem
./rootCA/cacert.pem
./server/server-privkey.pem
./server/server-calist.pem
./server/server-cert.pem
./server/server-cert_req.pem
./calist.pem
Can anybody help, did i do something wrong i the config or did i use the wrong certificate chain? What certificate exactly should be used by the client as a client cert, and ca authority cert?
Allright, i'm still not sure if it is working or not, because the authorization behaviour became weird, but after it's hanging for 5-6 minutes i get the success authorization, so this is a solution:
Generate rootCA:
opensipsctl tls rootCA
then edit server.conf file in your tls opensips folder and set the commonName = xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is your server ip address. Other variables can be edited in any way. Generate the certificates signed by CA
opensipsctl tls userCERT server
This will produce 4 files. Download the server-calist.pem, server-cert.pem, server-privkey.pem. Open the server-privkey.pem, copy it's content and paste in the file server-cert.pem, before the actual certificate. If you are using blink, the produced server-cert.pem goes in the preferences->account->advanced. And server-calist.pem goes into the preferences->advanced. After that restart blink and after 5-6 minutes your account is gonna be logged in. But i'v observed a weird behaviour, if you run another copy of blink and try to log into the other existing account after your logged from the first one with the certificates, you can log in from other account without providing the certificates. So i don't know, but i think it's working.
P.S. I asked about the certificates in the opensips mailing list, but i guess they found my question too lame, so i didn't get the response. If you have the same problem and got better results or an answer from opensips support let me know please.