
SSL error

Open nutinshell opened this issue 10 years ago • 7 comments

./vpn-ws-client vpn-ws0 wss://cctrs.net:943/vpn
[Sun Jul 19 18:51:25 2015] connecting to cctrs.net port 943 (transport: wss)
[Sun Jul 19 18:51:25 2015] vpn_ws_ssl_handshake(): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Sun Jul 19 18:51:25 2015] disconnected
[Sun Jul 19 18:51:26 2015] connecting to cctrs.net port 943 (transport: wss)
[Sun Jul 19 18:51:26 2015] vpn_ws_ssl_handshake(): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Sun Jul 19 18:51:26 2015] disconnected

curl tested https://cctrs.net:943/vpn and it is OK.

Any suggestion? Could vpn-ws-client use tls 1.2 with alpn/npn?

nutinshell, Jul 19 '15 11:07

Hi, you can add the --no-verify option to avoid certificate verification.

Which webserver are you using? Are curl and the vpn-ws-client using the same libssl version?

npn is supported, but alpn requires a bit of work.

unbit, Jul 19 '15 13:07

Added --no-verify and it works, but it looks not so stable, see the log:

[Sun Jul 19 22:24:21 2015] connected to cctrs.net port 943 (transport: wss)
[Sun Jul 19 22:24:21 2015] disconnected
[Sun Jul 19 22:24:40 2015] connecting to cctrs.net port 943 (transport: wss)
[Sun Jul 19 22:25:41 2015] connected to cctrs.net port 943 (transport: wss)
[Sun Jul 19 22:25:41 2015] disconnected
[Sun Jul 19 22:26:01 2015] connecting to cctrs.net port 943 (transport: wss)
[Sun Jul 19 22:27:01 2015] connected to cctrs.net port 943 (transport: wss)
[Sun Jul 19 22:27:01 2015] disconnected

curl and vpn-ws-client are using the same libssl; the SSL terminator is nginx.

./vpn-ws-client --no-verify vpn0 --exec "ifconfig vpn0 192.168.173.2 netmask 255.255.255.0"
./vpn-ws --tuntap vpn0 --exec "ifconfig vpn0 192.168.173.1 netmask 255.255.255.0"

On the client side, I can't ping 192.168.173.1, anything I missed?

Thanks :)

nutinshell, Jul 19 '15 14:07

Do you have logs of the vpn-ws server? Are you sure nginx is correctly communicating with it?

unbit, Jul 19 '15 15:07

It looks like it's not correct..

2015/07/19 23:38:48 [error] 15658#0: *36 upstream timed out (110: Connection timed out) while reading upstream, client: x.x.x.x, server: localhost, request: "GET /vpn HTTP/1.1", upstream: "uwsgi://unix:/run/vpn.sock:", host: "cctrs.net:943"

The socket path is right.

nutinshell, Jul 19 '15 15:07

You should post the nginx configuration and the full command line of the vpn-ws server.

unbit, Jul 19 '15 16:07

./vpn-ws --tuntap vpn0 /run/vpn.sock
server {
    listen 943;
    server_name cctrs.net;

    ssl on;
    ssl_certificate cert.pem;
    ssl_certificate_key key.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    location /vpn {
          include uwsgi_params;
          uwsgi_pass unix:/run/vpn.sock;
    }
}

nutinshell, Jul 19 '15 16:07
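An added example, not from this thread or the vpn-ws project, placing the TLS settings as posted above beside a hardened listener for the same /vpn location. The directive names are standard nginx; the port, server_name, socket path and key filename are taken from the posted config, while the chain filename and the timeout values are assumptions.

```nginx
# Added example, not the thread's or the vpn-ws project's own config.

# --- as posted ------------------------------------------------------------
# ssl on;                     # deprecated since nginx 1.15; use "listen ... ssl"
# ssl_protocols SSLv3 TLSv1;  # no TLS 1.2 offered at all, so a TLS 1.2 client
#                             # can never negotiate it against this listener
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
#                             # RC4, LOW and EXPORT grades remain enabled

# --- hardened -------------------------------------------------------------
server {
    listen 943 ssl;
    server_name cctrs.net;

    # Serve the full chain (leaf + intermediates). A leaf-only cert.pem is a
    # common cause of "certificate verify failed" in clients whose trust store
    # holds the root but not the intermediate; --no-verify hides the symptom
    # and removes server authentication, so fix the chain instead.
    ssl_certificate     fullchain.pem;   # assumption: chain file name
    ssl_certificate_key key.pem;

    ssl_session_timeout 5m;

    # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1 or newer;
    # drop it if the build is older. The cipher list applies to TLS 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location /vpn {
        include uwsgi_params;
        uwsgi_pass unix:/run/vpn.sock;

        # A tunnel is a long-lived, possibly idle connection; nginx's default
        # 60s uwsgi read/send timeouts close it. Values are assumptions.
        uwsgi_read_timeout 3600s;
        uwsgi_send_timeout 3600s;
    }
}
```

The unix socket must also be writable by the nginx worker user, as the reply below points out; that is a filesystem permission, not an nginx directive.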

Ensure nginx has write access over /run/vpn.sock; eventually strace the vpn-ws process to understand what is going on.

unbit, Jul 19 '15 16:07