erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

--tls-verify-certificate option doesn't work #245

Closed hantagu closed 1 month ago

hantagu commented 1 month ago

A wstunnel server was started with --tls-certificate and --tls-private-key options with the command below:

/opt/wstunnel/wstunnel server --tls-certificate "/opt/wstunnel/public.pem" --tls-private-key "/opt/wstunnel/private.pem" wss://0.0.0.0:443/

Files /opt/wstunnel/public.pem and /opt/wstunnel/private.pem contain a valid TLS certificate and private key, respectively.

The certificate was issued by ZeroSSL to a static IP address of my VDS (the address is contained in the Common Name and Subject Alt Names of the certificate).

The wstunnel server runs successfully with these logs:

INFO wstunnel::tls: Loading tls certificate from "/opt/wstunnel/public.pem"
INFO wstunnel::tls: Loading tls private key from "/opt/wstunnel/private.pem"
WARN hickory_resolver::system_conf::unix: no nameservers found in config
INFO wstunnel: Starting wstunnel server v9.2.4 with config WsServerConfig { socket_so_mark: None, bind: 0.0.0.0:443, restrict_to: None, restrict_http_upgrade_path_prefix: None, websocket_ping_frequency: None, timeout_connect: 10s, websocket_mask_frame: false, tls: true }
INFO wstunnel::tunnel::server: Starting wstunnel server listening on 0.0.0.0:443
INFO wstunnel::tunnel::tls_reloader: Starting to watch tls certificate and private key for changes to reload them

After this a wstunnel client was started on another machine (my laptop) with this command:

./wstunnel client -L tcp://127.0.0.1:8080:127.0.0.1:80 --tls-verify-certificate wss://<server IP>/

Logs:

INFO wstunnel::tcp: Starting TCP server listening cnx on 127.0.0.1:8080

After this, http://127.0.0.1:8080/ is not accessible in the browser (Firefox), with these logs on the client side:

INFO wstunnel::tcp: Opening TCP connection to <server IP>:443
INFO wstunnel::tls: Doing TLS handshake using SNI IpAddress(<server IP>) with the server <server IP>:443
ERROR tunnel{id="018e57fb-8821-7cf2-bca6-0f980b432a3a" remote="127.0.0.1:80"}: wstunnel::tunnel::client: failed to get a connection to the server from the pool: User(failed to do TLS handshake with the server <server IP>:443

Caused by:
    invalid peer certificate: UnknownIssuer)

and these logs on the server side:

INFO wstunnel::tunnel::server: Accepting connection
INFO tunnel{peer="<client IP>:3101"}: wstunnel::tunnel::server: Doing TLS handshake
ERROR tunnel{peer="<client IP>:3101"}: wstunnel::tunnel::server: error while accepting TLS connection received fatal alert: UnknownCA

When I open https://[server IP]/ (wstunnel's server "Invalid upgrade request" page) in the browser it says that

Connection security for [server IP]

You are securely connected to this site Verified by ZeroSSL

erebe commented 1 month ago

Hello,

The option is working, I just checked. Most likely, the issue is that you are using the IP address to connect to your server. Your certificate must be valid only for some specific domain names, and does not contain the IP address in its SAN.

Either use the domain name to contact your server or use the --tls-sni-override option to specify your domain during the TLS handshake.

hantagu commented 1 month ago

The problem has been solved. File /opt/stunnel/public.pem contained only the server certificate, without the intermediate CA certificate.

It helped to replace it with ca_bundle.crt, which contains the server certificate and the issuer Sub-CA certificate.