@jazzl0ver wrote:
One more issue just found out after upgrading from 1.9.5 to 2.0.3.
One of the haproxy backends proxies webrtc connection to a freeswitch:
backend 86_fs_backend # Remove the ACL header reqdel ^X-Haproxy-ACL option httpchk GET /testpage_fs.html http-check expect string OK balance roundrobin cookie appcoookie insert nocache indirect httponly secure server sp-useast-001 sp-useast-001.dom.com:8380 ssl ca-file /mnt/s3vol-common/crt/_.86.com.freeswitch-wss.pem cookie sp-useast-001 weight 10 check port 80 server sp-useast-006 sp-useast-006.dom.com:8380 ssl ca-file /mnt/s3vol-common/crt/_.86.com.freeswitch-wss.pem cookie sp-useast-006 weight 10 check port 80The certificate is just a simple self-signed one:
Certificate: Data: Version: 1 (0x0) Serial Number: 0 (0x0) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, CN=FreeSWITCH Validity Not Before: Aug 22 11:11:34 2017 GMT Not After : Aug 5 11:11:34 2117 GMT Subject: C=US, CN=FreeSWITCH Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryptionBrowser’s SIPML js code is set to use this websocket url:
s_websocket_server_url=wss://86.dom:443/fs
(86.dom is a frontend domain for AWS ELB which sends traffic to haproxy instances)It used to work well for version 1.9.5:
Jul 31 10:08:32 31.41.x.y:47401 [31/Jul/2019:10:08:24.898] lb-useast~ 86_fs_backend/sp-useast-006 117/1/0/0/3/10/7747 --VN 106/92/7/3/0 0/0 "GET /fs HTTP/1.1" 101 {|||Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770} ireq_size=3398 resp_size=3291 172.30.1.30:443 54.172.x.y:8380 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2After upgrading to 2.0.3 haproxy is not able to setup connection to the freeswitch:
Jul 31 10:08:19 31.41.x.y:47369 [31/Jul/2019:10:08:19.521] lb-useast~ 86_fs_backend/sp-useast-006 117/1/0/0/1/1/120 --VN 51/51/0/0/0 0/0 "GET /fs HTTP/1.1" 400 {|||Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770} ireq_size=757 resp_size=70 172.30.1.30:443 54.172.x.y:8380 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2openssl connects to the server without issues:
# echo | openssl s_client -connect 54.172.68.75:8380 -CAfile /mnt/s3vol-common/crt/_.86.com.freeswitch-wss.pem CONNECTED(00000003) depth=0 C = US, CN = FreeSWITCH verify return:1 --- Certificate chain 0 s:/C=US/CN=FreeSWITCH i:/C=US/CN=FreeSWITCH --- Server certificate ... subject=/C=US/CN=FreeSWITCH issuer=/C=US/CN=FreeSWITCH --- No client certificate CA names sent --- SSL handshake has read 759 bytes and written 479 bytes --- New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : AES256-GCM-SHA384 Session-ID: E8FA7347E6C44E85F0A132C5AA234F31B3CEC3AF77520CB113F6A4EDF9E075ED Session-ID-ctx: Master-Key: 0E2548DD7E2B2C77B8FB3955EED52D60F9EF577E80C026ED8827554200308CB2A6D495CDFBDB54C4B4582D314B953C71 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: ... Start Time: 1564569086 Timeout : 300 (sec) Verify return code: 0 (ok) --- DONEAny ideas why that happens?
Posts: 1
Participants: 1