-
- I've tried to connect from the "Tigase Web Client" and from Node.js code using the stanza library; both behave the same.
- I have not tried with a proper certificate; to be honest I don't think it is the problem, and I need to be able to run it with a self-signed certificate anyway.
I switched to Tigase 8.1.1 but the issue is still here.
Here is the full communication log of the connection; the client is the Tigase web client (the browser console just says it can't establish a connection to the server):
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.585 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension ( "session_ticket (35)": { } ) javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.591 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension ( "key_share (51)": { 0000: 00 69 00 1D 00 20 34 45 70 C1 EC C6 6B D4 0E 24 .i... 4Ep...k..$ 0010: CA 72 37 03 63 3A 48 51 B3 9D 47 D7 62 9F 02 C8 .r7.c:HQ..G.b... 0020: CB BB D4 85 13 52 00 17 00 41 04 05 D5 7A B1 76 .....R...A...z.v 0030: 76 4D B5 9E 3A 13 93 4E CA D4 0B 0F A5 50 A6 40 vM..:..N.....P.@ 0040: B9 7D FF CF 00 5A 58 41 30 94 33 90 C2 CC 99 D2 .....ZXA0.3..... 0050: 93 23 51 DF 53 97 4A 74 69 B0 10 5B CD B7 C6 92 .#Q.S.Jti..[.... 0060: EF 5B 86 FF D7 73 81 56 61 2B D2 .[...s.Va+. } ) javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.592 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension ( "psk_key_exchange_modes (45)": { 0000: 01 01 .. } ) javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.593 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension ( "unknown extension (28)": { 0000: 40 01 @. } ) javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.595 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension ( "client_certificate_type (21)": { 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00A0: 00 00 00 00 00 00 00 00 00 00 00 ........... } ) javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.604 UTC|SignatureScheme.java:295|Signature algorithm, ed25519, is not supported by the underlying providers javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.604 UTC|SignatureScheme.java:295|Signature algorithm, ed448, is not supported by the underlying providers javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.617 UTC|ClientHello.java:809|Consuming ClientHello handshake message ( "ClientHello": { "client version" : "TLSv1.2", "random" : "1A 07 7D F7 22 F9 90 0C 1A CC FF C6 C9 9A 11 F2 C4 B4 DA 34 96 09 FF C8 80 20 40 9B DC E4 AB 86", "session id" : "74 7B F8 EF 11 0A 9A A6 C0 8C 8B 51 1A B4 C5 B7 7B 2F 09 3D D3 DC DB A3 23 43 83 1E FA DE 89 0F", "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A)]", "compression methods" : "00", "extensions" : [ "extended_master_secret (23)": { <empty> }, "renegotiation_info (65,281)": { "renegotiated connection": [<no renegotiated connection>] }, "supported_groups (10)": { "versions": [x25519, secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072] }, "ec_point_formats (11)": { "formats": [uncompressed] }, 
"session_ticket (35)": { }, "application_layer_protocol_negotiation (16)": { [h2, http/1.1] }, "status_request (5)": { "certificate status type": ocsp "OCSP status request": { "responder_id": <empty> "request extensions": { <empty> } } }, "key_share (51)": { "client_shares": [ { "named group": x25519 "key_exchange": { 0000: 34 45 70 C1 EC C6 6B D4 0E 24 CA 72 37 03 63 3A 4Ep...k..$.r7.c: 0010: 48 51 B3 9D 47 D7 62 9F 02 C8 CB BB D4 85 13 52 HQ..G.b........R } }, { "named group": secp256r1 "key_exchange": { 0000: 04 05 D5 7A B1 76 76 4D B5 9E 3A 13 93 4E CA D4 ...z.vvM..:..N.. 0010: 0B 0F A5 50 A6 40 B9 7D FF CF 00 5A 58 41 30 94 ...P.@.....ZXA0. 0020: 33 90 C2 CC 99 D2 93 23 51 DF 53 97 4A 74 69 B0 3......#Q.S.Jti. 0030: 10 5B CD B7 C6 92 EF 5B 86 FF D7 73 81 56 61 2B .[.....[...s.Va+ 0040: D2 } }, ] }, "supported_versions (43)": { "versions": [TLSv1.3, TLSv1.2] }, "signature_algorithms (13)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1] }, "psk_key_exchange_modes (45)": { "ke_modes": [psk_dhe_ke] }, "unknown extension (28)": { 0000: 40 01 @. }, "client_certificate_type (21)": { 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00A0: 00 00 00 00 00 00 00 00 00 00 00 ........... } ] } ) javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.618 UTC|SSLExtensions.java:192|Consumed extension: supported_versions javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.623 UTC|ClientHello.java:839|Negotiated protocol version: TLSv1.2 javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.623 UTC|SSLExtensions.java:173|Ignore unavailable extension: server_name javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.627 UTC|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.630 UTC|SSLExtensions.java:192|Consumed extension: status_request javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.631 UTC|SSLExtensions.java:192|Consumed extension: supported_groups javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.631 UTC|SSLExtensions.java:192|Consumed extension: ec_point_formats javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.635 UTC|SSLExtensions.java:192|Consumed extension: signature_algorithms javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.635 UTC|SSLExtensions.java:173|Ignore unavailable extension: signature_algorithms_cert javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.636 UTC|AlpnExtension.java:277|Ignore server unenabled extension: application_layer_protocol_negotiation javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.636 UTC|SSLExtensions.java:192|Consumed extension: application_layer_protocol_negotiation javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.636 UTC|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2 javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.637 UTC|SSLExtensions.java:192|Consumed extension: extended_master_secret javax.net.ssl|DEBUG|01 
3C|pool-32-thread-1|2021-01-28 21:53:04.637 UTC|SSLExtensions.java:192|Consumed extension: supported_versions javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.637 UTC|SSLExtensions.java:192|Consumed extension: renegotiation_info javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.639 UTC|SSLSessionImpl.java:210|Session initialized: Session(1611870784639|SSL_NULL_WITH_NULL_NULL) javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.639 UTC|SSLExtensions.java:207|Ignore unavailable extension: server_name javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.640 UTC|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.641 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: status_request javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.641 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_groups javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.642 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: ec_point_formats javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.642 UTC|SSLExtensions.java:224|Populated with extension: signature_algorithms javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.643 UTC|SSLExtensions.java:207|Ignore unavailable extension: signature_algorithms_cert javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.644 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: application_layer_protocol_negotiation javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.644 UTC|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2 javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.645 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: extended_master_secret javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.645 
UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_versions javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.646 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.649 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.655 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.655 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.656 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.656 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.656 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.657 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.657 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.657 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.658 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.659 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.659 UTC|X509Authentication.java:303|default is not a private key entry javax.net.ssl|ERROR|01 3C|pool-32-thread-1|2021-01-28 21:53:04.661 UTC|TransportContext.java:341|Fatal (HANDSHAKE_FAILURE): no cipher suites in common ( "throwable" : { 
javax.net.ssl.SSLHandshakeException: no cipher suites in common at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:283) at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:460) at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:295) at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436) at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1102) at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:854) at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) at tigase.io.JcaTLSWrapper.doTasks(JcaTLSWrapper.java:304) at tigase.io.JcaTLSWrapper.unwrap(JcaTLSWrapper.java:261) at tigase.io.TLSIO.decodeData(TLSIO.java:345) at tigase.io.TLSIO.read(TLSIO.java:172) at tigase.net.IOService.readBytes(IOService.java:670) at tigase.server.websocket.WebSocketXMPPIOService.readData(WebSocketXMPPIOService.java:155) at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:458) at 
tigase.server.websocket.WebSocketXMPPIOService.processSocketData(WebSocketXMPPIOService.java:135) at tigase.net.IOService.call(IOService.java:200) at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:146) at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:51) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:834)} ) javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.667 UTC|SSLSessionImpl.java:784|Invalidated session: Session(1611870784533|SSL_NULL_WITH_NULL_NULL) javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.667 UTC|SSLSessionImpl.java:784|Invalidated session: Session(1611870784639|SSL_NULL_WITH_NULL_NULL)
-
By the way, when you set an SSL certificate via the web admin UI it checks the domain name in CN, so for the default certificate (which is in use for wss connections afaiu) it must be "*.default" to be accepted; I don't think I can sign such a certificate.
How do you set "default"? By selecting the "default" vhost? In the newest, development version there is a checkbox to mark a particular domain certificate as the default, as the 'default' vhost shouldn't be used for it. At any rate, as an admin you still should be able to upload the certificate. Or you can place it directly in the certs/ directory.
As for the issue with WSS connectivity - as unusual as it seems, using a correct certificate (not self-signed) actually fixes the issue (I checked with the sure.im client in Firefox and using websocat). Most likely you would somehow add your certificate/CA to the trust store of the client and then it would allow the connection.
-
At first, thanks for your concern. I've realized that I can put proxy, kind of nginx, in front to do ssl stuff and avoid enabling it in the Tigase. Right? Anyway the problem with self-signed certificates is odd, I'm pretty familiar with restrictions of self-signed certificates and it doesn't look like a case. FYI I was able to build and run latest release version 8.1.1 from sources and can debug it, so if you point me to the place to look at to investigate and resolve it, then I could.
-
I've realized that I can put proxy, kind of nginx, in front to do ssl stuff and avoid enabling it in the Tigase. Right?
Yes, that's correct. We are using it in similar setup at tigase.im service.
Anyway the problem with self-signed certificates is odd, I'm pretty familiar with restrictions of self-signed certificates and it doesn't look like a case. FYI I was able to build and run latest release version 8.1.1 from sources and can debug it, so if you point me to the place to look at to investigate and resolve it, then I could.
The following classes are mainly responsible for handling encryption: JcaTLSWrapper, SSLContextContainer, TLSIO
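
The reverse-proxy setup confirmed in the reply above, written out as an nginx configuration (an added example, not taken from the thread or from the tigase.im deployment). The host name and certificate paths are placeholders, and it assumes Tigase's plain WebSocket listener stays on port 5290 as in the original post and is reachable only from the proxy host.

```nginx
# Added example: TLS termination for XMPP-over-WebSocket in front of Tigase.
# xmpp.example.test and the /etc/nginx/tls/ paths are placeholders.

# Map the client's Upgrade header onto the Connection header for the backend.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name xmpp.example.test;

    # Certificate chain and private key are two separate files for nginx.
    ssl_certificate     /etc/nginx/tls/xmpp.example.test.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/xmpp.example.test.key.pem;

    # Only offer protocol versions the browser in the log also offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Plain ws:// listener from the original post. The hop between nginx
        # and Tigase is unencrypted, so keep it on loopback (or a private
        # network) and do not expose port 5290 externally.
        proxy_pass http://127.0.0.1:5290;

        # WebSocket upgrade needs HTTP/1.1 and the hop-by-hop headers passed on.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # XMPP sessions are long-lived and can be idle between stanzas.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

With this in place clients connect to wss://xmpp.example.test/ and Tigase's own TLS handling for WebSocket is not involved; a self-signed certificate on nginx still has to be trusted by the browser before it will open the WebSocket.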
I use Tigase 8.1.0 as a Docker image.
I've added to the config.tdsl following:
and uncommented TLS_DEBUG in the tigase.conf. Clients successfully connect via
ws:/localhost:5290
but when I try to connect a client via wss:/localhost:5291
I get in logs (extracted most significant lines I believe)
It happens no matter whether I remove default.pem, allowing it to generate a new one, or generate a self-signed one myself with
openssl req -x509 -newkey rsa:4096 -keyout default.key.pem -out default.pem -days 365 -nodes -subj '/CN=*.default'
So far the question is: "How to enable wss? What am I doing wrong?" Thanks in advance.