search

esl / MongooseIM

MongooseIM is Erlang Solutions' robust, scalable and efficient XMPP server, aimed at large installations. Specifically designed for enterprise purposes, it is fault-tolerant and can utilise the resources of multiple clustered machines.
Other
1.64k stars 422 forks source link

How to use wss ? #4199

Closed alvinlal closed 4 months ago

alvinlal commented 4 months ago

MongooseIM version: 6.1.0 Installed from: pkg Erlang/OTP version:

i want to use wss with a self signed certificate, but if i use the just_tls module as specified here , the server doesn't start and says the node is malformed and the key module is unexpected 

[[listen.http]]
  port = 5285
  transport.num_acceptors = 10
  transport.max_connections = 1024
  tls.verify_mode = "selfsigned_peer"
  tls.module = "just_tls" # this causes error
  tls.certfile = "/home/ubuntu/mongooseim_wss_files/certificate.pem"
  tls.keyfile = "/home/ubuntu/mongooseim_wss_files/private_key.pem"
  tls.cacertfile = "/home/ubuntu/mongooseim_wss_files/cacert.pem"
  tls.versions = ["tlsv1.2", "tlsv1.3"]
  tls.password = ""

Error while running sudo mongooseimctl live

when=2023-12-22T18:41:52.808577+00:00 level=error what=toml_processing_failed reason=unexpected_key pid=<0.415.0> at=mongoose_config_parser:halt_with_msg/2:161 stacktrace="mongoose_config_parser_toml:get_spec_for_key/2:116 mongoose_config_parser_toml:'-parse_section/3-fun-1-'/4:102 maps:map_1/3:441 maps:map_1/3:441 maps:map/2:426 mongoose_config_parser_toml:parse_section/3:102 mongoose_config_parser_toml:handle_step/4:155 mongoose_config_parser_toml:try_step/5:264" text="TOML configuration error: Malformed node" toml_path=listen.http.tls key=module toml_value="#{<<\"cacertfile\">> => <<\"/home/ubuntu/mongooseim_wss_files/cacert.pem\">>,<<\"certfile\">> => <<\"/home/ubuntu/mongooseim_wss_files/certificate.pem\">>,<<\"keyfile\">> => <<\"/home/ubuntu/mongooseim_wss_files/private_key.pem\">>,<<\"module\">> => <<\"just_tls\">>,<<\"password\">> => <<>>,<<\"verify_mode\">> => <<\"selfsigned_peer\">>,<<\"versions\">> => [<<\"tlsv1.2\">>,<<\"tlsv1.3\">>]}" items_versions={list,{option,atom,any,undefined,default},any,list,undefined,default} items_verify_mode={option,atom,{enum,[peer,selfsigned_peer,none]},undefined,default} items_password={option,string,any,undefined,default} items_keyfile={option,string,filename,undefined,default} items_dhfile={option,string,filename,undefined,default} items_ciphers={option,string,any,undefined,default} items_certfile={option,string,filename,undefined,default} items_cacertfile={option,string,filename,undefined,default} Could not read the TOML configuration file

the server gets connected fine with just ws though

chrzaszcz commented 4 months ago

Hi @alvinlal. The module option you shared is only valid for c2s listeners, and not for http. See the complete list of allowed TLS options for HTTP listeners:

The options accepted here are: verify_mode, certfile, cacertfile, ciphers, keyfile, password, versions, dhfile. They have the same semantics as the corresponding c2s options for just_tls.

What it means is that there is no module option because the module used for HTTP is always just_tls - so you can simply omit this option.

One thing to note is that MongooseIM does not close WebSocket connections if peer verification fails. Only the pki authentication method can change this behaviour. We are planning to address this in the future.

alvinlal commented 4 months ago

thanks @chrzaszcz for the clarification. But i am still having trouble connecting to secure websocket endpoint of mongooseim. I am using the javascript websocket api to connect to mongooseim and i am getting websocket connection failed error on the browser. i have obtained a valid certificate-key pair from letsencrypt and specified its path in the mongooseim.toml file. This is my config for the secure websocket endpoint (wss) in mongooseim.toml file👇 

[[listen.http]]
  port = 5285
  transport.num_acceptors = 10
  transport.max_connections = 1024
  tls.verify_mode = "peer"
  tls.certfile = "/etc/letsencrypt/live/myxmppsite.com/fullchain.pem"
  tls.keyfile = "/etc/letsencrypt/live/myxmppsite.com/privkey.pem"
  tls.cacertfile = "/etc/letsencrypt/live/myxmppsite.com/fullchain.pem"

  [[listen.http.handlers.mod_bosh]]
    host = "_"
    path = "/http-bind"

  [[listen.http.handlers.mod_websockets]]
    host = "_"
    path = "/ws-xmpp"

This is what is being logged to the latest mongooseim log file in /var/log/mongooseim folder when the browser attempts the connection.

when=2023-12-23T18:06:51.557669+00:00 level=info pid=<0.7470.0> at=supervisor:report_progress/2:1563 report="[{supervisor,{<0.7470.0>,tls_dyn_connection_sup}},{started,[{pid,<0.7472.0>},{id,receiver},{mfargs,{ssl_gen_statem,start_link,[server,<0.7471.0>,\"localhost\",5285,#Port<0.60>,{#{next_protocols_advertised => [<<\"h2\">>,<<\"http/1.1\">>],
sni_fun => #Fun<ssl.11.44732120>,cookie => true,psk_identity => undefined,protocol => tls,supported_groups => {supported_groups,[x25519,x448,secp256r1,secp384r1]},renegotiate_at => 268435456,crl_cache => {ssl_crl_cache,{internal,[]}},fail_if_no_peer_cert => true,verify => verify_peer,secure_renegotiate => true,certs_keys => [#{certfile => <<\"/etc/letsencrypt/live/myxmppsite.com/fullchain.pem\">>,
keyfile => <<\"/etc/letsencrypt/live/myxmppsite.com/privkey.pem\">>}],stateless_tickets_seed => undefined,session_tickets => disabled,signature_algs => [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256,{sha512,ecdsa},{sha384,ecdsa},
{sha256,ecdsa}],honor_cipher_order => false,user_lookup_fun => undefined
,cacerts => undefined,log_level => notice,partial_chain => #Fun<ssl.5.44732120>,customize_hostname_check => [],eccs => {elliptic_curves,[{1,3,132,0,39},{1,3,132,0,38},{1,3,132,0,35},{1,3,36,3,3,2,8,1,1,13},{1,3,132,0,36},{1,3,132,0,37},{1,3,36,3,3,2,8,1,1,11},{1,3,132,0,34},{1,3,132,0,16},{1,3,132,0,17},{1,3,36,3,3,2,8,1,1,7},{1,3,132,0,10},{1,2,840,10045,3,1,7}]},versions => [{3,4},{3,3}],
crl_check => false,alpn_preferred_protocols => [<<\"h2\">>,<<\"http/1.1\">>],handshake => full,anti_replay => undefined,signature_algs_cert => undefined,client_renegotiation => true,ciphers => [<<19,2>>,<<19,1>>,<<19,3>>,<<19,4>>,<<19,5>>,<<\"À,\">>,<<\"À0\">>,<<\"À­\">>,<<\"À¯\">>,<<\"À$\">>,<<\"À(\">>,<<204,169>>,<<204,168>>,<<\"À+\">>,<<\"À/\">>,<<\"À¬\">>,<<\"À®\">>,<<\"À.\">>,<<\"À2\">>,<<\"À&\">>,<<\"À*\">>,<<\"À-\">>,<<\"À1\">>,<<\"À#\">>,<<\"À'\">>,<<\"À%\">>,<<\"À)\">>,<<0,...>>,<<...>>|...],...}
,{socket_options,binary,raw,0,0,false},[{option_tracker,<0.1961.0>},{session_tickets_tracker,disabled},{session_id_tracker,<0.1962.0>}]},<0.1969.0>,{gen_tcp,tcp,tcp_closed,tcp_error,tcp_passive}]}},
{restart_type,temporary},{significant,true},{shutdown,5000},{child_type,worker}]}]" label={supervisor,progress}

I am using this line of code in javascript to connect to the endpoint

const socket = new WebSocket('wss://myxmppsite.com:5285/ws-xmpp');

I am getting this error in browser 👇 

WebSocket connection to 'wss://myxmppsite.com:5285/ws-xmpp' failed:

Connection to the ws:// (non-secure) endpoint works fine though , Could you point me in the right direction for wss ?

chrzaszcz commented 4 months ago

WebSocket connection to 'wss://myxmppsite.com:5285/ws-xmpp' failed:

This error message gives me no information.

tls.cacertfile = "/etc/letsencrypt/live/myxmppsite.com/fullchain.pem"

This is wrong, because fullchain.pem is not the CA certificate. You could start with verify_mode = "none" for now.

alvinlal commented 4 months ago

thank you so much @chrzaszcz , verify_mode = "none" worked, i guess i misread the documentation