DoubangoTelecom / webrtc2sip

Smart SIP and Media Gateway to connect WebRTC endpoints to any SIP-legacy network
https://doubango.org

Using WSS with WebRTC and Letsencrypt (Let's Encrypt) via sipML = "no shared cipher" #190

Open chrischarles2002 opened 8 years ago

chrischarles2002 commented 8 years ago

Can anyone out there assist with this issue? I’m thinking it’s just a config issue on my side (I am hoping).

Here is my environment:

CentOS: 6.7
WebRTC: 2.7.0
sipML: https://www.doubango.org/sipml5/call.htm?svn=241
Apache: 2.2.15
Chrome: 47.0.2526.80 m

With

Let’s Encrypt Public Beta (from: “git clone https://github.com/letsencrypt/letsencrypt”)

Using the sipML website, I am trying to test using SSL certificates generated by Let’s Encrypt as the resource to connect over secured WebSocket (WSS) to WebRTC. This would be for audio only.

Using the command “./letsencrypt-auto certonly “, Let’s Encrypt generates the following four (4) files:

cert.pem
chain.pem
fullchain.pem
privkey.pem

I have also generated another public key from my private key using the following command:

openssl rsa -in privkey.pem -pubout -out pubkey.pub

As a separate test, I confirmed that these certificates worked on a HTTPS website, on this same server. Here is my Apache config for the test website:

<VirtualHost *:443>
        DocumentRoot /var/www/html/my_website
        ServerName my.domain.com

        SSLEngine  on
        SSLCertificateFile /etc/letsencrypt/archive/my.domain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/archive/my.domain.com/privkey.pem
</VirtualHost>

The website loads in all browsers without any issues, so we know the certificate files are fine.

Here is the config.xml for WebRTC (also attached): config.xml.txt

<?xml version="1.0" encoding="utf-8" ?>
<!-- Please check the technical guide (http://webrtc2sip.org/technical-guide-1.0.pdf) for more information on how to adjust this file -->
<config>

  <debug-level>INFO</debug-level>

  <transport>udp;*;*</transport>
  <transport>ws;*;5062</transport>
  <transport>wss;*;10062</transport>

  <enable-rtp-symetric>yes</enable-rtp-symetric>
  <enable-100rel>no</enable-100rel>
  <enable-media-coder>no</enable-media-coder>
  <enable-videojb>no</enable-videojb>
  <video-size-pref>vga</video-size-pref>
  <rtp-buffsize>65535</rtp-buffsize>
  <avpf-tail-length>100;400</avpf-tail-length>
  <srtp-mode>optional</srtp-mode>
  <srtp-type>sdes;dtls</srtp-type>
  <dtmf-type>rfc4733</dtmf-type>

  <codecs>opus;pcma;pcmu;gsm;</codecs>
  <codec-opus-maxrates>48000;48000</codec-opus-maxrates>

  <stun-server>stun.l.google.com;19302;stun_at_doubango.org;stun-user</stun-server>
  <enable-icestun>yes</enable-icestun>

  <max-fds>-1</max-fds>

  <ssl-certificates>
    /etc/letsencrypt/archive/my.domain.com/privkey.pem
    /etc/letsencrypt/archive/my.domain.com/pubkey.pem
    /etc/letsencrypt/archive/my.domain.com/cert.pem
    no
  </ssl-certificates>

  <database>sqlite;*</database>

</config>

Note: I have also interchanged the “pubkey.pem” file with the “fullchain.pem” with the exact same behavior.

In sipML, I have specified the “WebSocket Server URL” as “wss://my.domain.com:10062”


Upon clicking on the “Login” button on the sipML site, the plain text response is: “Disconnected: Failed to connet to the server”

The Chrome 47 Console, returns the following message for the event:

WebSocket connection to 'wss://my.domain.com:10062/' failed: Error in connection establishment: net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Alternatively, to eliminate the Let’s Encrypt certificate files and keys, I signed up for a trial SSL certificate from Comodo (https://ssl.comodo.com/free-ssl-certificate.php).

The files that Comodo produces are:

server.key
my.domain.com.crt
my.domain.com.ca-bundle

And the Apache config is also slightly different:

<VirtualHost *:443>
        DocumentRoot /var/www/html/my_website
        ServerName my.domain.com

        SSLEngine  on
        SSLCertificateKeyFile /etc/letsencrypt/comodo/server.key
        SSLCertificateFile /etc/letsencrypt/comodo/my.domain.com.crt
        SSLCertificateChainFile /etc/letsencrypt/comodo/my.domain.com.ca-bundle.ca-bundle

</VirtualHost>

This Apache setup also launches the associated website without any issues. The alternative certification files would then yield the following in the “ssl-certificates” section of the WebRTC config.xml:

  <ssl-certificates>
    /etc/letsencrypt/comodo/server.key
    /etc/letsencrypt/comodo/my.domain.com.ca-bundle
    /etc/letsencrypt/comodo/my.domain.com.crt
    no
  </ssl-certificates>

Using either signing authority's setup yields the exact same result in the WebRTC console.

Mainly these are the messages:

***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher]

and

***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback]

Here’s the WebRTC console output:

user@ > /opt/webrtc2sip/sbin/webrtc2sip --config=/opt/webrtc2sip/sbin/config.xml
*******************************************************************
Copyright (C) 2012-2015 Doubango Telecom <http://www.doubango.org>
PRODUCT: webrtc2sip
HOME PAGE: http://webrtc2sip.org
LICENCE: GPLv3 or proprietary
VERSION: 2.7.0
'quit' to quit the application.
*******************************************************************

SSL is enabled :)
DTLS supported: yes
DTLS-SRTP supported: yes
*[DOUBANGO INFO]: transport = udp://*:*
*[DOUBANGO INFO]: transport = ws://*:5062
*[DOUBANGO INFO]: transport = wss://*:10062
*[DOUBANGO INFO]: enable-rtp-symetric = yes
*[DOUBANGO INFO]: enable-100rel = no
*[DOUBANGO INFO]: enable-media-coder = no
*[DOUBANGO INFO]: enable-videojb = no
*[DOUBANGO INFO]: video-size-pref = vga
*[DOUBANGO INFO]: rtp-buffsize = 65535
*[DOUBANGO INFO]: avpf-tail-length = [100-400]
*[DOUBANGO INFO]: srtp-mode = optional
*[DOUBANGO INFO]: srtp-type = sdes;dtls
*[DOUBANGO INFO]: dtmf-type = rfc4733
*[DOUBANGO INFO]: codecs = opus;pcma;pcmu;gsm;
*[DOUBANGO INFO]: UnRegister codec: PCMA, G.711a codec (native)
*[DOUBANGO INFO]: UnRegister codec: PCMU, G.711u codec (native)
*[DOUBANGO INFO]: UnRegister codec: GSM, GSM Full Rate (libgsm)
*[DOUBANGO INFO]: codec-opus-maxrates = 48000;48000
*[DOUBANGO INFO]: stun-server = stun.l.google.com;19302;-;-
*[DOUBANGO INFO]: enable-icestun = yes
*[DOUBANGO INFO]: max-fds = -1
*[DOUBANGO INFO]: database = sqlite;*
*[DOUBANGO INFO]: sqlite3_threadsafe = 1
*[DOUBANGO INFO]: Database opened = TRUE
*[DOUBANGO INFO]: Stack running in SERVER mode
*[DOUBANGO INFO]: tsk_timer_manager_start
*[DOUBANGO INFO]: Timer manager run()::enter
*[DOUBANGO INFO]: TIMER MANAGER -- START
*[DOUBANGO INFO]: Best source at 0: 10.10.10.10
*[DOUBANGO INFO]: Best source at 4: 10.10.10.10
*[DOUBANGO INFO]: Best source at 5: 10.10.10.10
*[DOUBANGO INFO]: SIP STACK::run -- START
***[DOUBANGO ERROR]: function: "tnet_sockfd_reuseaddr()"
file: "src/tnet_utils.c"
line: "1756"
MSG: setsockopt(SO_REUSEPORT, fd=7) have failed
***[DOUBANGO ERROR]: function: "tnet_sockfd_reuseaddr()"
file: "src/tnet_utils.c"
line: "1756"
MSG: (SYSTEM)NETWORK ERROR ==>Protocol not available
***[DOUBANGO ERROR]: function: "tnet_sockfd_reuseaddr()"
file: "src/tnet_utils.c"
line: "1756"
MSG: setsockopt(SO_REUSEPORT, fd=8) have failed
***[DOUBANGO ERROR]: function: "tnet_sockfd_reuseaddr()"
file: "src/tnet_utils.c"
line: "1756"
MSG: (SYSTEM)NETWORK ERROR ==>Protocol not available
*[DOUBANGO INFO]: tnet_transport_prepare()
*[DOUBANGO INFO]: pipeR fd=9, pipeW=10
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=9, tail.count=1
*[DOUBANGO INFO]: master fd=6
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=6, tail.count=2
*[DOUBANGO INFO]: tnet_transport_prepare()
*[DOUBANGO INFO]: Transport::run(SIP transport) - enter
*[DOUBANGO INFO]: pipeR fd=11, pipeW=12
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=11, tail.count=1
*[DOUBANGO INFO]: master fd=7
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=7, tail.count=2
*[DOUBANGO INFO]: tnet_transport_prepare()
*[DOUBANGO INFO]: pipeR fd=13, pipeW=14
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=13, tail.count=1
*[DOUBANGO INFO]: master fd=8
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=8, tail.count=2
*[DOUBANGO INFO]: Starting [SIP transport] server with IP {10.10.10.10} on port {50642} using fd {6} with type {2}...
*[DOUBANGO INFO]: Transport::run(SIP transport) - enter
*[DOUBANGO INFO]: SIP STACK -- START
*[DOUBANGO INFO]: Starting [SIP transport] server with IP {10.10.10.10} on port {10062} using fd {8} with type {128}...
*[DOUBANGO INFO]: Transport::run(SIP transport) - enter
*[DOUBANGO INFO]: Starting [SIP transport] server with IP {10.10.10.10} on port {5062} using fd {7} with type {64}...
*[DOUBANGO INFO]: ioctlt(8), len=0 returned zero or failed
*[DOUBANGO INFO]: NETWORK EVENT FOR SERVER [SIP transport] -- FD_ACCEPT(fd=15)
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=15, tail.count=3
*[DOUBANGO INFO]: WebSocket Peer accepted/connected with fd = 15
***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher]
*[DOUBANGO INFO]: Removing socket 15
*[DOUBANGO INFO]: Socket to remove: fd=15, index=2, tail.count=3
*[DOUBANGO INFO]: CloseSocket(15)
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: SSL_accept() failed
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: (SYSTEM)NETWORK ERROR ==>Success
*[DOUBANGO INFO]: PipeR event = 1
*[DOUBANGO INFO]: #1 peers in the 'SIP transport' transport
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: #0 peers in the 'SIP transport' transport
*[DOUBANGO INFO]: *** Stream Peer destroyed ***
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: ioctlt(8), len=0 returned zero or failed
*[DOUBANGO INFO]: NETWORK EVENT FOR SERVER [SIP transport] -- FD_ACCEPT(fd=15)
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=15, tail.count=3
***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher]
*[DOUBANGO INFO]: Removing socket 15
*[DOUBANGO INFO]: Socket to remove: fd=15, index=2, tail.count=3
*[DOUBANGO INFO]: CloseSocket(15)
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: SSL_accept() failed
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: (SYSTEM)NETWORK ERROR ==>Success
*[DOUBANGO INFO]: PipeR event = 1
*[DOUBANGO INFO]: WebSocket Peer accepted/connected with fd = 15
***[DOUBANGO ERROR]: function: "tnet_get_ip_n_port()"
file: "src/tnet_utils.c"
line: "1247"
MSG: TNET_GET_SOCKADDR has failed with status code: -1
***[DOUBANGO ERROR]: function: "tnet_get_ip_n_port()"
file: "src/tnet_utils.c"
line: "1247"
MSG: (SYSTEM)NETWORK ERROR ==>Bad file descriptor
***[DOUBANGO ERROR]: function: "tsip_transport_add_stream_peer_2()"
file: "src/transports/tsip_transport.c"
line: "661"
MSG: Failed to get remote peer ip and address for local fd = 15
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: ioctlt(8), len=0 returned zero or failed
*[DOUBANGO INFO]: NETWORK EVENT FOR SERVER [SIP transport] -- FD_ACCEPT(fd=15)
*[DOUBANGO INFO]: Socket added[SIP transport]: fd=15, tail.count=3
***[DOUBANGO ERROR]: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback]
*[DOUBANGO INFO]: Removing socket 15
*[DOUBANGO INFO]: Socket to remove: fd=15, index=2, tail.count=3
*[DOUBANGO INFO]: CloseSocket(15)
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: SSL_accept() failed
***[DOUBANGO ERROR]: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "726"
MSG: (SYSTEM)NETWORK ERROR ==>Success
*[DOUBANGO INFO]: PipeR event = 1
*[DOUBANGO INFO]: WebSocket Peer accepted/connected with fd = 15
***[DOUBANGO ERROR]: function: "tnet_get_ip_n_port()"
file: "src/tnet_utils.c"
line: "1247"
MSG: TNET_GET_SOCKADDR has failed with status code: -1
***[DOUBANGO ERROR]: function: "tnet_get_ip_n_port()"
file: "src/tnet_utils.c"
line: "1247"
MSG: (SYSTEM)NETWORK ERROR ==>Bad file descriptor
***[DOUBANGO ERROR]: function: "tsip_transport_add_stream_peer_2()"
file: "src/transports/tsip_transport.c"
line: "661"
MSG: Failed to get remote peer ip and address for local fd = 15
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
*[DOUBANGO INFO]: WebSocket Peer closed with fd = 15
chrischarles2002 commented 8 years ago

Found my own issue. Pretty stupid. Missing semi-colon (;) at the end of each line in the webrtc2sip config.xml.

So the section of the file went from this:

  <ssl-certificates>
    /etc/letsencrypt/comodo/server.key
    /etc/letsencrypt/comodo/my.domain.com.ca-bundle
    /etc/letsencrypt/comodo/my.domain.com.crt
    no
  </ssl-certificates>

To this:

  <ssl-certificates>
    /etc/letsencrypt/comodo/server.key;
    /etc/letsencrypt/comodo/my.domain.com.crt;
    *;
    no
  </ssl-certificates>

And everything works now.

You can close this thread as "INVALID". Sorry about that.
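The root cause in this thread is a config-format mistake that surfaces as an OpenSSL "no shared cipher" error: when the `<ssl-certificates>` entries are not separated by `;`, webrtc2sip gets one multi-line "path" instead of a key, a certificate, a CA entry and a verify flag, never loads a key/cert pair, and the TLS server has no cipher suite it can offer. The following checker is an added example, not code from webrtc2sip or from the poster; it parses the element the way the working snippet above is laid out (assumed four `;`-separated fields: private key, certificate, CA file or `*`, then `yes`/`no`) and reports the failure mode from the first post before the gateway is ever started. The two embedded configs are constructed from the snippets in this thread; the `exists` parameter is an injectable stand-in for `os.path.isfile` so the check can run without the real files.

```python
"""Pre-flight check for the <ssl-certificates> element of a webrtc2sip config.xml.

Added example, not webrtc2sip's own code.  Assumed field layout (taken from the
working snippet in this thread): PRIVATE_KEY;CERT;CA_FILE_OR_*;VERIFY(yes|no).
"""
import os
import xml.etree.ElementTree as ET
from typing import Callable, List

EXPECTED_FIELDS = 4            # key ; cert ; CA-or-* ; verify  (assumed layout)
VERIFY_VALUES = {"yes", "no"}

# Constructed from the first post: newline-separated entries, no ';' separators.
BROKEN_CONFIG = """<config>
  <transport>wss;*;10062</transport>
  <ssl-certificates>
    /etc/letsencrypt/comodo/server.key
    /etc/letsencrypt/comodo/my.domain.com.ca-bundle
    /etc/letsencrypt/comodo/my.domain.com.crt
    no
  </ssl-certificates>
</config>"""

# Constructed from the poster's fix: every field but the last terminated by ';'.
FIXED_CONFIG = """<config>
  <transport>wss;*;10062</transport>
  <ssl-certificates>
    /etc/letsencrypt/comodo/server.key;
    /etc/letsencrypt/comodo/my.domain.com.crt;
    *;
    no
  </ssl-certificates>
</config>"""


def parse_ssl_certificates(config_xml: str) -> List[str]:
    """Return the ';'-separated fields of <ssl-certificates>, whitespace-stripped.

    Without separators the whole element text collapses into a single field,
    which is exactly what the gateway saw in the broken config.
    """
    root = ET.fromstring(config_xml)
    node = root.find("ssl-certificates")
    text = (node.text or "") if node is not None else ""
    if not text.strip():
        return []
    fields = [f.strip() for f in text.split(";")]
    if fields[-1] == "":       # a trailing ';' on the last entry leaves an empty chunk
        fields.pop()
    return fields


def validate_ssl_certificates(config_xml: str,
                              exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Return a list of human-readable problems; an empty list means the entry looks sane."""
    problems: List[str] = []
    fields = parse_ssl_certificates(config_xml)
    if not fields:
        return ["<ssl-certificates> is empty or missing: the WSS listener will have no key/cert"]

    # A field with embedded whitespace is almost always two entries that lost their ';'.
    for f in fields:
        if any(ch.isspace() for ch in f):
            problems.append(f"field contains whitespace, probably a missing ';' separator: {f!r}")

    if len(fields) != EXPECTED_FIELDS:
        problems.append(f"expected {EXPECTED_FIELDS} ';'-separated fields, got {len(fields)}")
        return problems

    key, cert, ca, verify = fields
    for label, path in (("private key", key), ("certificate", cert)):
        if not exists(path):
            problems.append(f"{label} file not found: {path}")
    if ca != "*" and not exists(ca):
        problems.append(f"CA file not found (use '*' for none): {ca}")
    if verify not in VERIFY_VALUES:
        problems.append(f"verify flag must be yes or no, got {verify!r}")
    return problems


if __name__ == "__main__":
    # Pretend the referenced files exist so the structural check stands out.
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{name}] fields = {parse_ssl_certificates(cfg)}")
        for p in validate_ssl_certificates(cfg, exists=lambda _p: True):
            print(f"  problem: {p}")
```

Run it against the real file with the default `exists` to also catch missing or mistyped paths (the stray space in `/etc/letsencrypt/comodo/ my.domain.com.crt` in the first post would be flagged by the whitespace check). Once the config parses cleanly, `openssl s_client -connect my.domain.com:10062` is the quickest way to confirm that the listener now completes a handshake and which cipher it negotiates.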