Closed alvinlal closed 4 months ago
Hi @alvinlal. The module
option you shared is only valid for c2s
listeners, and not for http
. See the complete list of allowed TLS options for HTTP listeners:
The options accepted here are:
verify_mode
,certfile
,cacertfile
,ciphers
,keyfile
,password
,versions
, dhfile. They have the same semantics as the corresponding c2s options forjust_tls
.
What it means is that there is no module
option because the module used for HTTP is always just_tls
- so you can simply omit this option.
One thing to note is that MongooseIM does not close WebSocket connections if peer verification fails. Only the pki
authentication method can change this behaviour. We are planning to address this in the future.
thanks @chrzaszcz for the clarification. But i am still having trouble connecting to secure websocket endpoint of mongooseim. I am using the javascript websocket api to connect to mongooseim and i am getting websocket connection failed error on the browser. i have obtained a valid certificate-key pair from letsencrypt and specified its path in the mongooseim.toml
file. This is my config for the secure websocket endpoint (wss) in mongooseim.toml
file👇
[[listen.http]]
port = 5285
transport.num_acceptors = 10
transport.max_connections = 1024
tls.verify_mode = "peer"
tls.certfile = "/etc/letsencrypt/live/myxmppsite.com/fullchain.pem"
tls.keyfile = "/etc/letsencrypt/live/myxmppsite.com/privkey.pem"
tls.cacertfile = "/etc/letsencrypt/live/myxmppsite.com/fullchain.pem"
[[listen.http.handlers.mod_bosh]]
host = "_"
path = "/http-bind"
[[listen.http.handlers.mod_websockets]]
host = "_"
path = "/ws-xmpp"
This is what is being logged to the latest mongooseim log file in /var/log/mongooseim
folder when the browser attempts the connection.
when=2023-12-23T18:06:51.557669+00:00 level=info pid=<0.7470.0> at=supervisor:report_progress/2:1563 report="[{supervisor,{<0.7470.0>,tls_dyn_connection_sup}},{started,[{pid,<0.7472.0>},{id,receiver},{mfargs,{ssl_gen_statem,start_link,[server,<0.7471.0>,\"localhost\",5285,#Port<0.60>,{#{next_protocols_advertised => [<<\"h2\">>,<<\"http/1.1\">>],
sni_fun => #Fun<ssl.11.44732120>,cookie => true,psk_identity => undefined,protocol => tls,supported_groups => {supported_groups,[x25519,x448,secp256r1,secp384r1]},renegotiate_at => 268435456,crl_cache => {ssl_crl_cache,{internal,[]}},fail_if_no_peer_cert => true,verify => verify_peer,secure_renegotiate => true,certs_keys => [#{certfile => <<\"/etc/letsencrypt/live/myxmppsite.com/fullchain.pem\">>,
keyfile => <<\"/etc/letsencrypt/live/myxmppsite.com/privkey.pem\">>}],stateless_tickets_seed => undefined,session_tickets => disabled,signature_algs => [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256,{sha512,ecdsa},{sha384,ecdsa},
{sha256,ecdsa}],honor_cipher_order => false,user_lookup_fun => undefined
,cacerts => undefined,log_level => notice,partial_chain => #Fun<ssl.5.44732120>,customize_hostname_check => [],eccs => {elliptic_curves,[{1,3,132,0,39},{1,3,132,0,38},{1,3,132,0,35},{1,3,36,3,3,2,8,1,1,13},{1,3,132,0,36},{1,3,132,0,37},{1,3,36,3,3,2,8,1,1,11},{1,3,132,0,34},{1,3,132,0,16},{1,3,132,0,17},{1,3,36,3,3,2,8,1,1,7},{1,3,132,0,10},{1,2,840,10045,3,1,7}]},versions => [{3,4},{3,3}],
crl_check => false,alpn_preferred_protocols => [<<\"h2\">>,<<\"http/1.1\">>],handshake => full,anti_replay => undefined,signature_algs_cert => undefined,client_renegotiation => true,ciphers => [<<19,2>>,<<19,1>>,<<19,3>>,<<19,4>>,<<19,5>>,<<\"À,\">>,<<\"À0\">>,<<\"À\">>,<<\"À¯\">>,<<\"À$\">>,<<\"À(\">>,<<204,169>>,<<204,168>>,<<\"À+\">>,<<\"À/\">>,<<\"À¬\">>,<<\"À®\">>,<<\"À.\">>,<<\"À2\">>,<<\"À&\">>,<<\"À*\">>,<<\"À-\">>,<<\"À1\">>,<<\"À#\">>,<<\"À'\">>,<<\"À%\">>,<<\"À)\">>,<<0,...>>,<<...>>|...],...}
,{socket_options,binary,raw,0,0,false},[{option_tracker,<0.1961.0>},{session_tickets_tracker,disabled},{session_id_tracker,<0.1962.0>}]},<0.1969.0>,{gen_tcp,tcp,tcp_closed,tcp_error,tcp_passive}]}},
{restart_type,temporary},{significant,true},{shutdown,5000},{child_type,worker}]}]" label={supervisor,progress}
I am using this line of code in javascript to connect to the endpoint
const socket = new WebSocket('wss://myxmppsite.com:5285/ws-xmpp');
I am getting this error in browser 👇
WebSocket connection to 'wss://myxmppsite.com:5285/ws-xmpp' failed:
Connection to the ws://
(non-secure) endpoint works fine though , Could you point me in the right direction for wss
?
WebSocket connection to 'wss://myxmppsite.com:5285/ws-xmpp' failed:
This error message gives me no information.
tls.cacertfile = "/etc/letsencrypt/live/myxmppsite.com/fullchain.pem"
This is wrong, because fullchain.pem
is not the CA certificate. You could start with verify_mode = "none"
for now.
thank you so much @chrzaszcz , verify_mode = "none" worked, i guess i misread the documentation
MongooseIM version: 6.1.0 Installed from: pkg Erlang/OTP version:
i want to use wss with a self signed certificate, but if i use the
just_tls
module as specified here , the server doesn't start and says the node is malformed and the keymodule
is unexpectedError while running
sudo mongooseimctl live
when=2023-12-22T18:41:52.808577+00:00 level=error what=toml_processing_failed reason=unexpected_key pid=<0.415.0> at=mongoose_config_parser:halt_with_msg/2:161 stacktrace="mongoose_config_parser_toml:get_spec_for_key/2:116 mongoose_config_parser_toml:'-parse_section/3-fun-1-'/4:102 maps:map_1/3:441 maps:map_1/3:441 maps:map/2:426 mongoose_config_parser_toml:parse_section/3:102 mongoose_config_parser_toml:handle_step/4:155 mongoose_config_parser_toml:try_step/5:264" text="TOML configuration error: Malformed node" toml_path=listen.http.tls key=module toml_value="#{<<\"cacertfile\">> => <<\"/home/ubuntu/mongooseim_wss_files/cacert.pem\">>,<<\"certfile\">> => <<\"/home/ubuntu/mongooseim_wss_files/certificate.pem\">>,<<\"keyfile\">> => <<\"/home/ubuntu/mongooseim_wss_files/private_key.pem\">>,<<\"module\">> => <<\"just_tls\">>,<<\"password\">> => <<>>,<<\"verify_mode\">> => <<\"selfsigned_peer\">>,<<\"versions\">> => [<<\"tlsv1.2\">>,<<\"tlsv1.3\">>]}" items_versions={list,{option,atom,any,undefined,default},any,list,undefined,default} items_verify_mode={option,atom,{enum,[peer,selfsigned_peer,none]},undefined,default} items_password={option,string,any,undefined,default} items_keyfile={option,string,filename,undefined,default} items_dhfile={option,string,filename,undefined,default} items_ciphers={option,string,any,undefined,default} items_certfile={option,string,filename,undefined,default} items_cacertfile={option,string,filename,undefined,default} Could not read the TOML configuration file
the server gets connected fine with just
ws
though