Metaswitch / project-clearwater-issues

Issue list for Project Clearwater

WebRTC over Secure websocket blocked by web browser #29

Open isaldarriaga opened 6 years ago

isaldarriaga commented 6 years ago

Symptoms

Error reported by Chrome when attempting to connect a webRTC client (JSSIP) to Clearwater's webrtc endpoint over WS://:

VM688701:164 Mixed Content: The page at 'https://www.example.com/path/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://example.com:5062/'. This request has been blocked; this endpoint must be available over WSS.

Impact

WebRTC calls are blocked because the default WebRTC implementation in Clearwater is not secured.

There's no documentation related to making WebRTC calls with WSS://, only WS://.

The caller website requires HTTPS to operate (due to service workers)

Release and environment

Kubernetes deployment on GKE (website + IMS)

The deployment uses let's encrypt to get the certificates for the main website, api, ELLIS site, etc. by using the TRAEFIK reverse proxy configured to work with ACME.

Steps to reproduce

No special steps to perform in Clearwater apart from basic configuration.

How to secure WebRTC with certificates coming from letsencrypt?
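As an added illustration (not part of the original issue or of JsSIP/Clearwater) of the browser rule behind the error quoted above: a page loaded over HTTPS may only open wss:// sockets, so the client should derive the SIP WebSocket URL from the page's own scheme rather than hard-coding ws://. The host and port are the ones from the error message; the function names and the configuration object shape are my own stand-ins.

```javascript
// Emulates the browser's mixed-content rule for WebSocket connections:
// a page served over https: may only connect to wss:// endpoints.
// Returns null when the connection is allowed, or a short reason when the
// browser would block it (the situation Chrome reported in this issue).
function mixedContentBlockReason(pageUrl, socketUrl) {
  const page = new URL(pageUrl);
  const sock = new URL(socketUrl);
  if (sock.protocol !== "ws:" && sock.protocol !== "wss:") {
    return `not a WebSocket URL: ${sock.protocol}`;
  }
  if (page.protocol === "https:" && sock.protocol === "ws:") {
    return `secure page may not connect to insecure endpoint ${sock.href}`;
  }
  return null;
}

// Derives the SIP-over-WebSocket URL from the page's own scheme, so an
// HTTPS page always gets wss:// and never trips the rule above.
function sipSocketUrl(pageUrl, host, port) {
  const secure = new URL(pageUrl).protocol === "https:";
  return `${secure ? "wss" : "ws"}://${host}:${port}/`;
}

// Builds the values a JsSIP client would hand to JsSIP.WebSocketInterface
// (the socket URL) and JsSIP.UA (the SIP URI). The returned object is a
// plain stand-in, not JsSIP's real configuration type. Refuses to produce
// a configuration the browser would block (constructed sample values).
function buildClientConfig(pageUrl, host, port, sipUri) {
  const url = sipSocketUrl(pageUrl, host, port);
  const reason = mixedContentBlockReason(pageUrl, url);
  if (reason !== null) {
    throw new Error(`refusing configuration: ${reason}`);
  }
  return { uri: sipUri, sockets: [{ url }] };
}
```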

Ying-metaswitch commented 6 years ago

Project Clearwater doesn't currently support secured websockets. Would you like to contribute to Clearwater by helping to add the support for this?

isaldarriaga commented 6 years ago

Yes, I would.

Please point me to whatever is needed to proceed.

isaldarriaga commented 6 years ago

OK. I followed the sprout dev doc and now have the source code. src/websockets.cpp looks like a good starting point.

Building the C baseline on 16.04; no problems found so far. The 14.04 checks will probably come at integration unless dictated before.

@Ying-metaswitch If you have design specs for this topic in the project just let me know.

isaldarriaga commented 6 years ago

Well, I'm receiving this error in a late stage of the make:

sent 158,484,545 bytes  received 24,946 bytes  105,672,994.00 bytes/sec
total size is 158,333,810  speedup is 1.00
# Now update the install dir. First remove the old one with later timestamps
rm -rf /home/ivan/sprout/usr
# Copy the backup into it's place. This has the same files, but with earlier
# timestamps
cp -r --preserve=timestamps /home/ivan/sprout/build/module-install/usr/ /home/ivan/sprout/usr/
make -C /home/ivan/sprout/src
make[1]: Entering directory '/home/ivan/sprout/src'
g++   -MMD -MP -O2 -ggdb3 -std=c++11 -Wall -Werror -Wno-write-strings -I../include -I../modules/cpp-common/include -I../modules/app-servers/include -I../usr/include -I../modules/rapidjson/include `PKG_CONFIG_PATH=../usr/lib/pkgconfig pkg-config --cflags libpjproject`  -c ../modules/cpp-common/src/logger.cpp -o ../build/sprout/logger.o
g++   -MMD -MP -O2 -ggdb3 -std=c++11 -Wall -Werror -Wno-write-strings -I../include -I../modules/cpp-common/include -I../modules/app-servers/include -I../usr/include -I../modules/rapidjson/include `PKG_CONFIG_PATH=../usr/lib/pkgconfig pkg-config --cflags libpjproject`  -c ../modules/cpp-common/src/saslogger.cpp -o ../build/sprout/saslogger.o
g++   -MMD -MP -O2 -ggdb3 -std=c++11 -Wall -Werror -Wno-write-strings -I../include -I../modules/cpp-common/include -I../modules/app-servers/include -I../usr/include -I../modules/rapidjson/include `PKG_CONFIG_PATH=../usr/lib/pkgconfig pkg-config --cflags libpjproject`  -c ../modules/cpp-common/src/utils.cpp -o ../build/sprout/utils.o
g++   -MMD -MP -O2 -ggdb3 -std=c++11 -Wall -Werror -Wno-write-strings -I../include -I../modules/cpp-common/include -I../modules/app-servers/include -I../usr/include -I../modules/rapidjson/include `PKG_CONFIG_PATH=../usr/lib/pkgconfig pkg-config --cflags libpjproject`  -c analyticslogger.cpp -o ../build/sprout/analyticslogger.o
g++   -MMD -MP -O2 -ggdb3 -std=c++11 -Wall -Werror -Wno-write-strings -I../include -I../modules/cpp-common/include -I../modules/app-servers/include -I../usr/include -I../modules/rapidjson/include `PKG_CONFIG_PATH=../usr/lib/pkgconfig pkg-config --cflags libpjproject`  -c stack.cpp -o ../build/sprout/stack.o
In file included from stack.cpp:37:0:
../include/constants.h:185:27: error: ‘METHOD_UPDATE’ defined but not used [-Werror=unused-variable]
 const static pjsip_method METHOD_UPDATE = { PJSIP_OTHER_METHOD, pj_str((char*)"UPDATE") };
                           ^
../include/constants.h:186:27: error: ‘METHOD_INFO’ defined but not used [-Werror=unused-variable]
 const static pjsip_method METHOD_INFO = { PJSIP_OTHER_METHOD, pj_str((char*)"INFO") };
                           ^
cc1plus: all warnings being treated as errors
../build-infra/cpp.mk:224: recipe for target '../build/sprout/stack.o' failed
make[1]: *** [../build/sprout/stack.o] Error 1
make[1]: Leaving directory '/home/ivan/sprout/src'
/home/ivan/sprout/mk/sprout.mk:14: recipe for target 'sprout' failed
make: *** [sprout] Error 2

isaldarriaga commented 6 years ago

I managed to make it work in dockerized Ubuntu 14.04.

Build script (handy for anyone interested):

#!/usr/bin/env bash
# docker rm -f sprout-builder && docker run --name=sprout-builder -v ~/sprout:/root/sprout -it ubuntu:14.04 bash -c "apt-get update && apt-get install -y openssh-client git git-svn && echo && echo 'Generating a new SSH key..' && echo && mkdir /root/.ssh && cd /root/.ssh && ssh-keygen -b 2048 -t rsa -f /root/.ssh/id_rsa -q -N "" && echo && echo 'Key to copy/paste in github/Settings/SSH Keys/New SSH Key:' && echo && cat /root/.ssh/id_rsa.pub && echo && read -p 'Press ENTER to continue (after SSH key registration in Github) ' && cd / && echo && git clone --recursive git@github.com:Metaswitch/sprout.git sprout && apt-get install -y ntp build-essential autoconf scons pkg-config libtool libcloog-ppl1 gdb pstack dpkg-dev devscripts dh-make python-setuptools python-virtualenv python-dev libcurl4-openssl-dev libmysqlclient-dev libgmp10 libgmp-dev libc-ares-dev ncurses-dev libxml2-dev libxslt1-dev libboost-all-dev libzmq3-dev valgrind libxml2-utils ruby libevent-dev libevent-pthreads-2.0-5 cmake flex bison libboost-filesystem-dev libsnmp-dev && cd /sprout && make"

echo "Removing container" && \
docker rm -f sprout-builder && echo && \
echo "Creating sprout-builder container.." && echo && \
docker run --name=sprout-builder -v /home/$USER/sprout:/sprout -itd ubuntu:14.04 bash -c "apt-get update && apt-get install -y openssh-client git git-svn && echo && echo 'Generating a new SSH key..' && echo && mkdir /root/.ssh && cd /root/.ssh && ssh-keygen -b 2048 -t rsa -f /root/.ssh/id_rsa -q -N '' && echo && echo 'Key to copy/paste in github/Settings/SSH Keys/New SSH Key:' && echo && cat /root/.ssh/id_rsa.pub && sleep infinity"

sleep 3s

while true; do
    echo && echo "Showing sprout-builder's log.." && echo && \
    docker logs sprout-builder | tail -n 100
    echo &&  read -p "SSH key already generated AND uploaded to github? " yn
    case $yn in
        [Yy]* ) echo && echo "OK you answered yes" && echo && break;;
        [Nn]* ) echo && echo "Checking docker logs.." && echo ;;
        * ) echo "Please answer yes or no.";;
    esac
done

echo && echo "Completing sprout installation in docker .." && echo && \
docker exec -it sprout-builder bash -c "cd / && echo && git clone --recursive git@github.com:Metaswitch/sprout.git sprout && apt-get install -y ntp build-essential autoconf scons pkg-config libtool libcloog-ppl1 gdb pstack dpkg-dev devscripts dh-make python-setuptools python-virtualenv python-dev libcurl4-openssl-dev libmysqlclient-dev libgmp10 libgmp-dev libc-ares-dev ncurses-dev libxml2-dev libxslt1-dev libboost-all-dev libzmq3-dev valgrind libxml2-utils ruby libevent-dev libevent-pthreads-2.0-5 cmake flex bison libboost-filesystem-dev libsnmp-dev"

while true; do
    echo &&  read -p "Do you want to build sprout in docker? " yn
    case $yn in
        [Yy]* ) echo && echo "OK you answered yes" && echo && \
        echo && echo "Building sprout in docker .." && echo && \
        docker exec -it sprout-builder bash -c "cd /sprout && make" && \
        break;;
        [Nn]* ) echo && echo "Skipping .. You answered NO" && echo && break;;
        * ) echo "Please answer yes or no.";;
    esac
done

echo "Configuring sprout's source code permissions .." && \
sudo chmod -R 777 /home/$USER/sprout

Run Unit Tests:

#!/usr/bin/env bash

while true; do
    echo &&  read -p "Do you want to test sprout in docker? " yn
    case $yn in
        [Yy]* ) echo && echo "OK you answered yes" && echo && \
        echo && echo "Testing sprout in docker .." && echo && \
        docker exec -it sprout-builder bash -c "cd /sprout && make test" && \
        break;;
        [Nn]* ) echo && echo "Skipping .. You answered NO" && echo && break;;
        * ) echo "Please answer yes or no.";;
    esac
done

Edit the files at container's host:

<editor> ~/sprout/<whatever>

Rebuild:

#!/usr/bin/env bash

while true; do
    echo &&  read -p "Do you want to re-build sprout in docker? " yn
    case $yn in
        [Yy]* ) echo && echo "OK you answered yes" && echo && \
        echo && echo "Re-Building sprout in docker .." && echo && \
        docker exec -it sprout-builder bash -c "cd /sprout && make" && \
        break;;
        [Nn]* ) echo && echo "Skipping .. You answered NO" && echo && break;;
        * ) echo "Please answer yes or no.";;
    esac
done

Ying-metaswitch commented 6 years ago

@isaldarriaga Thanks for sharing your work! The question about web sockets has been raised to us often; unfortunately, it's not core functionality that we can schedule time for. Your work is really handy for future reference.

isaldarriaga commented 6 years ago

As soon as I add the following line to my new websockets_secure.cpp (similar to sprout/modules/websocketpp/examples/echo_server_tls):

using websocketpp::server_tls;

I get an error on compilation:

g++   -MMD -MP -O2 -ggdb3 -std=c++11 -Wall -Werror -Wno-write-strings -I../include -I../modules/cpp-common/include -I../modules/app-servers/include -I../usr/include -I../modules/rapidjson/include `PKG_CONFIG_PATH=../usr/lib/pkgconfig pkg-config --cflags libpjproject`  -c websockets_secure.cpp -o ../build/sprout/websockets_secure.o
websockets_secure.cpp:30:20: error: 'websocketpp::server_tls' has not been declared
 using websocketpp::server_tls;
                    ^
make[1]: *** [../build/sprout/websockets_secure.o] Error 1
make[1]: Leaving directory `/sprout/src'
make: *** [sprout] Error 2

I couldn't find a reference to this declaration in the source code, neither in sprout nor in websocket++.

Do you know how to add this reference correctly?

Ying-metaswitch commented 6 years ago

I found it defined in sprout/modules/websocketpp/src/websocketpp.hpp, as there's an include "../../src/websocketpp.hpp" at the start of the echo_server_tls file.