
I have an ancient socket server script, which can only use insecure ws:// sockets.

I upgraded my site to use https://, and websocket connections to ws:// are not possible anymore: browsers generate an error message that the connection is blocked and that I have to use wss://.

I am using Linux (CentOS). Is there any easy way to set up a tunnel from wss:// to ws:// on 2 ports?

I have found stunnel, but I can't get it to work properly; is there maybe another way to do this?

What I tried so far with stunnel:

[websocket]
accept = 9301
connect = localhost:9300

and i also tried:

[https]
accept  = www.flirtzo.eu:9001
connect = localhost:9000

But I have not been successful. I hope someone knows a proper solution or fix. Thank you very much.

[edit] These are the log files from stunnel:

2014.09.04 12:45:33 LOG7[52433:139838877431744]: Snagged 64 random bytes from /root/.rnd
2014.09.04 12:45:33 LOG7[52433:139838877431744]: Wrote 1024 new random bytes to /root/.rnd
2014.09.04 12:45:33 LOG7[52433:139838877431744]: RAND_status claims sufficient entropy for the PRNG
2014.09.04 12:45:33 LOG7[52433:139838877431744]: PRNG seeded successfully
2014.09.04 12:45:33 LOG7[52433:139838877431744]: Certificate: /home/flirtzo/ssl.cert
2014.09.04 12:45:33 LOG7[52433:139838877431744]: Certificate loaded
2014.09.04 12:45:33 LOG7[52433:139838877431744]: Key file: /home/flirtzo/ssl.key
2014.09.04 12:45:33 LOG7[52433:139838877431744]: Private key loaded
2014.09.04 12:45:33 LOG7[52433:139838877431744]: SSL context initialized for service websocket
2014.09.04 12:45:33 LOG5[52433:139838877431744]: stunnel 4.29 on x86_64-redhat-linux-gnu with OpenSSL 1.0.0-fips 29 Mar 2010
2014.09.04 12:45:33 LOG5[52433:139838877431744]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2014.09.04 12:45:33 LOG6[52433:139838877431744]: file ulimit = 1024 (can be changed with 'ulimit -n')
2014.09.04 12:45:33 LOG6[52433:139838877431744]: poll() used - no FD_SETSIZE limit for file descriptors
2014.09.04 12:45:33 LOG5[52433:139838877431744]: 500 clients allowed
2014.09.04 12:45:33 LOG7[52433:139838877431744]: FD 10 in non-blocking mode
2014.09.04 12:45:33 LOG7[52433:139838877431744]: FD 11 in non-blocking mode
2014.09.04 12:45:33 LOG7[52433:139838877431744]: FD 12 in non-blocking mode
2014.09.04 12:45:33 LOG7[52433:139838877431744]: SO_REUSEADDR option set on accept socket
2014.09.04 12:45:33 LOG7[52433:139838877431744]: websocket bound to 0.0.0.0:9301
2014.09.04 12:45:33 LOG7[52433:139838877431744]: Created pid file /var/run/stunnel_websocket.pid
2014.09.04 12:45:36 LOG7[52433:139838877431744]: websocket accepted FD=13 from 78.165.105.183:58507
2014.09.04 12:45:36 LOG7[52433:139838877427456]: websocket started
2014.09.04 12:45:36 LOG7[52433:139838877427456]: FD 13 in non-blocking mode
2014.09.04 12:45:36 LOG7[52433:139838877427456]: Waiting for a libwrap process
2014.09.04 12:45:36 LOG7[52433:139838877427456]: Acquired libwrap process #0
2014.09.04 12:45:36 LOG7[52433:139838877427456]: Releasing libwrap process #0
2014.09.04 12:45:36 LOG7[52433:139838877427456]: Released libwrap process #0
2014.09.04 12:45:36 LOG7[52433:139838877427456]: websocket permitted by libwrap from 78.165.105.183:58507
2014.09.04 12:45:36 LOG5[52433:139838877427456]: websocket accepted connection from 78.165.105.183:58507
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): before/accept initialization
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 read client hello A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 write server hello A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 write certificate A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 write server done A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 flush data
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 read client key exchange A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 read finished A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 write session ticket A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 write change cipher spec A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 write finished A
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL state (accept): SSLv3 flush data
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 items in the session cache
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 client connects (SSL_connect())
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 client connects that finished
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 client renegotiations requested
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    1 server connects (SSL_accept())
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    1 server connects that finished
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 server renegotiations requested
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 session cache hits
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 external session cache hits
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 session cache misses
2014.09.04 12:45:36 LOG7[52433:139838877427456]:    0 session cache timeouts
2014.09.04 12:45:36 LOG6[52433:139838877427456]: SSL accepted: new session negotiated
2014.09.04 12:45:36 LOG6[52433:139838877427456]: Negotiated ciphers: AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
2014.09.04 12:45:36 LOG7[52433:139838877427456]: FD 14 in non-blocking mode
2014.09.04 12:45:36 LOG6[52433:139838877427456]: connect_blocking: connecting 127.0.0.1:9300
2014.09.04 12:45:36 LOG7[52433:139838877427456]: connect_blocking: s_poll_wait 127.0.0.1:9300: waiting 10 seconds
2014.09.04 12:45:36 LOG5[52433:139838877427456]: connect_blocking: connected 127.0.0.1:9300
2014.09.04 12:45:36 LOG5[52433:139838877427456]: websocket connected remote server from 127.0.0.1:39519
2014.09.04 12:45:36 LOG7[52433:139838877427456]: Remote FD=14 initialized
2014.09.04 12:45:36 LOG7[52433:139838877427456]: SSL socket closed on SSL_read
2014.09.04 12:45:36 LOG7[52433:139838877427456]: Socket write shutdown
2014.09.04 12:45:36 LOG5[52433:139838877427456]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2014.09.04 12:45:36 LOG7[52433:139838877427456]: websocket finished (0 left)

[tcpdump on port 9301, where stunnel is listening]

13:25:18.853411 IP 78.165.105.183.dynamic.ttnet.com.tr.60291 > s1.flirtzo.eu.9301: Flags [S], seq 3851820594, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
    0x0000:  4500 0034 5921 4000 7406 b390 4ea5 69b7
    0x0010:  5fd3 e1e2 eb83 2455 e596 1e32 0000 0000
    0x0020:  8002 2000 4164 0000 0204 05ac 0103 0308
    0x0030:  0101 0402
13:25:18.853430 IP s1.flirtzo.eu.9301 > 78.165.105.183.dynamic.ttnet.com.tr.60291: Flags [S.], seq 3606802872, ack 3851820595, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    0x0000:  4500 0034 0000 4000 4006 40b2 5fd3 e1e2
    0x0010:  4ea5 69b7 2455 eb83 d6fb 71b8 e596 1e33
    0x0020:  8012 3908 df8f 0000 0204 05b4 0101 0402
    0x0030:  0103 0307
13:25:18.925957 IP 78.165.105.183.dynamic.ttnet.com.tr.60291 > s1.flirtzo.eu.9301: Flags [.], ack 1, win 64, length 0
    0x0000:  4500 0028 592b 4000 7406 b392 4ea5 69b7
    0x0010:  5fd3 e1e2 eb83 2455 e596 1e33 d6fb 71b9
    0x0020:  5010 0040 592a 0000 0000 0000 0000
13:25:18.929145 IP 78.165.105.183.dynamic.ttnet.com.tr.60291 > s1.flirtzo.eu.9301: Flags [P.], seq 1:157, ack 1, win 64, length 156
    0x0000:  4500 00c4 592c 4000 7406 b2f5 4ea5 69b7
    0x0010:  5fd3 e1e2 eb83 2455 e596 1e33 d6fb 71b9
    0x0020:  5018 0040 aac7 0000 1603 0100 9701 0000
    0x0030:  9303 03ca 462a f6f4 8c02 b904 a7bb 6bcc
    0x0040:  7031 a59d 2763 dc72 e3b6 3990 6490 442d
    0x0050:  af33 a200 0028 c02b c02f 009e cc14 cc13
    0x0060:  c00a c009 c013 c014 c007 c011 0033 0032
    0x0070:  0039 009c 002f 0035 000a 0005 0004 0100
    0x0080:  0042 ff01 0001 0000 0a00 0800 0600 1700
    0x0090:  1800 1900 0b00 0201 0000 2300 0075 5000
    0x00a0:  0000 0500 0501 0000 0000 0012 0000 000d
    0x00b0:  0012 0010 0401 0501 0201 0403 0503 0203
    0x00c0:  0402 0202
13:25:18.929162 IP s1.flirtzo.eu.9301 > 78.165.105.183.dynamic.ttnet.com.tr.60291: Flags [.], ack 157, win 123, length 0
    0x0000:  4500 0028 c34b 4000 4006 7d72 5fd3 e1e2
    0x0010:  4ea5 69b7 2455 eb83 d6fb 71b9 e596 1ecf
    0x0020:  5010 007b 5853 0000
13:25:18.932573 IP s1.flirtzo.eu.9301 > 78.165.105.183.dynamic.ttnet.com.tr.60291: Flags [.], seq 1:1453, ack 157, win 123, length 1452
    0x0000:  4500 05d4 c34c 4000 4006 77c5 5fd3 e1e2
    0x0010:  4ea5 69b7 2455 eb83 d6fb 71b9 e596 1ecf
    0x0020:  5010 007b ffd8 0000 1603 0300 3d02 0000
    0x0030:  3903 0354 084c 1ec7 2b57 eac5 c7bc 4747
    0x0040:  6cc9 bb68 3450 2af1 348c 6287 fa30 efec
    0x0050:  b734 f400 c02f 0000 11ff 0100 0100 000b
    0x0060:  0004 0300 0102 0023 0000 1603 0305 380b
    0x0070:  0005 3400 0531 0005 2e30 8205 2a30 8204
    0x0080:  12a0 0302 0102 0203 14f7 2030 0d06 092a
    0x0090:  8648 86f7 0d01 0105 0500 303c 310b 3009
    0x00a0:  0603 5504 0613 0255 5331 1730 1506 0355
    0x00b0:  040a 130e 4765 6f54 7275 7374 2c20 496e
    0x00c0:  632e 3114 3012 0603 5504 0313 0b52 6170
    0x00d0:  6964 5353 4c20 4341 301e 170d 3134 3039
    0x00e0:  3031 3037 3533 3231 5a17 0d31 3530 3930
    0x00f0:  3332 3330 3031 305a 3081 bb31 2930 2706
    0x0100:  0355 0405 1320 6d74 4e70 776d 682d 474b
    0x0110:  3745 506b 756d 4750 7247 3771 6b62 6778
    0x0120:  3151 4b66 3249 3113 3011 0603 5504 0b13
    0x0130:  0a47 5431 3233 3733 3831 3731 3130 2f06
    0x0140:  0355 040b 1328 5365 6520 7777 772e 7261
    0x0150:  7069 6473 736c 2e63 6f6d 2f72 6573 6f75
    0x0160:  7263 6573 2f63 7073 2028 6329 3134 312f
    0x0170:  302d 0603 5504 0b13 2644 6f6d 6169 6e20
    0x0180:  436f 6e74 726f 6c20 5661 6c69 6461 7465
    0x0190:  6420 2d20 5261 7069 6453 534c 2852 2931
    0x01a0:  1530 1306 0355 0403 0c0c 2a2e 666c 6972
    0x01b0:  747a 6f2e 6575 3082 0122 300d 0609 2a86
    0x01c0:  4886 f70d 0101 0105 0003 8201 0f00 3082
    0x01d0:  010a 0282 0101 00a0 563b 974b d126 329b
    0x01e0:  7b13 d82c f848 f21f 810c dd7e a8f6 f971
    0x01f0:  406c 8f1f 04c0 23de a16d eccc 9093 ae76
    0x0200:  c4db afab abfa 0a38 e18e a56d 998b 6355
    0x0210:  a7dd f4a1 e3d1 0009 4e01 9e6a fb45 016c
    0x0220:  0701 8968 efa3 8ae2 8931 2a5a d560 f6a4
    0x0230:  e5f9 04f6 4bac d20b 5045 9991 453d 1ddd
    0x0240:  2c6f 119a 604d df10 a5a0 37c4 c906 6f5c
    0x0250:  27dc a9ce b44d 1286 4ef1 16d7 885d d468
    0x0260:  b3ff 5f68 b9d0 addf 856f 9b37 655f 85cc
    0x0270:  2553 11f9 b791 a1d6 a97d 4b7b f79c 2cf4
    0x0280:  9965 b353 efb5 219e 9ad5 30cc 4a9f 8572
    0x0290:  6a11 82d7 d5d6 e53b 45e1 9b77 a905 129c
    0x02a0:  7818 30fd 0bc6 b26d 4f0b 8f43 81bb 3f46
    0x02b0:  6c53 c4a3 69ba e6e5 8697 d82f aa33 8c03
    0x02c0:  0f67 7188 110d 2641 dc8e 860c 8170 dd47
    0x02d0:  c3a6 11dc 2434 e502 0301 0001 a382 01b3
    0x02e0:  3082 01af 301f 0603 551d 2304 1830 1680
    0x02f0:  146b 693d 6a18 424a dd8f 0265 39fd 3524
    0x0300:  8678 9116 3030 0e06 0355 1d0f 0101 ff04
    0x0310:  0403 0205 a030 1d06 0355 1d25 0416 3014
    0x0320:  0608 2b06 0105 0507 0301 0608 2b06 0105
    0x0330:  0507 0302 3023 0603 551d 1104 1c30 1a82
    0x0340:  0c2a 2e66 6c69 7274 7a6f 2e65 7582 0a66
    0x0350:  6c69 7274 7a6f 2e65 7530 4306 0355 1d1f
    0x0360:  043c 303a 3038 a036 a034 8632 6874 7470
    0x0370:  3a2f 2f72 6170 6964 7373 6c2d 6372 6c2e
    0x0380:  6765 6f74 7275 7374 2e63 6f6d 2f63 726c
    0x0390:  732f 7261 7069 6473 736c 2e63 726c 301d
    0x03a0:  0603 551d 0e04 1604 1431 c610 096f ea04
    0x03b0:  6ab1 6307 e138 3f01 65e3 6f3b 6c30 0c06
    0x03c0:  0355 1d13 0101 ff04 0230 0030 7806 082b
    0x03d0:  0601 0505 0701 0104 6c30 6a30 2d06 082b
    0x03e0:  0601 0505 0730 0186 2168 7474 703a 2f2f
    0x03f0:  7261 7069 6473 736c 2d6f 6373 702e 6765
    0x0400:  6f74 7275 7374 2e63 6f6d 3039 0608 2b06
    0x0410:  0105 0507 3002 862d 6874 7470 3a2f 2f72
    0x0420:  6170 6964 7373 6c2d 6169 612e 6765 6f74
    0x0430:  7275 7374 2e63 6f6d 2f72 6170 6964 7373
    0x0440:  6c2e 6372 7430 4c06 0355 1d20 0445 3043
    0x0450:  3041 060a 6086 4801 86f8 4501 0736 3033
    0x0460:  3031 0608 2b06 0105 0507 0201 1625 6874
    0x0470:  7470 3a2f 2f77 7777 2e67 656f 7472 7573
    0x0480:  742e 636f 6d2f 7265 736f 7572 6365 732f
    0x0490:  6370 7330 0d06 092a 8648 86f7 0d01 0105
    0x04a0:  0500 0382 0101 000d ec47 3465 2a34 27d8
    0x04b0:  9662 8b8b d5fa 0086 ebdd 78c4 1a27 08b4
    0x04c0:  8701 fc9a a99e cc09 f16e 9a40 c6e3 533a
    0x04d0:  1f40 d317 3c25 51ba cec3 0da5 d448 71ee
    0x04e0:  d156 a7a0 4bbf a374 da73 0cd7 1996 2464
    0x04f0:  2ece 1a64 c53f ea6f 5e32 4d9c 0cb0 e527
    0x0500:  4c9b 7eba ba1e 1557 1b07 f848 421f 750c
    0x0510:  fcab 4a0e afac 29c0 499e f0d9 acd9 52e4
    0x0520:  6209 974f 042d 1f03 ccbc 5004 f21a b775
    0x0530:  a11f 12f4 1f4a 11c5 ebd1 8f73 39c6 de45
    0x0540:  64f3 512b d3bc 697e 6240 f118 a11b b9ce
    0x0550:  5100 00d2 0880 0179 7e0b a884 04c7 d7e5
    0x0560:  bfa2 dbab d8a9 4f7a 17f8 7bd8 1a0e cf67
    0x0570:  9680 878c a566 ad4e 5983 f4a8 a73b c58b
    0x0580:  db4a 1b18 eae0 9070 68f1 ade4 c7a2 c68b
    0x0590:  4c8e 9fc3 06e2 6833 fdd0 f4e1 98d3 5c54
    0x05a0:  112f 2a51 9d1f 8a16 0303 014d 0c00 0149
    0x05b0:  0300 1741 04e2 a5a0 5820 ab18 426c 6f74
    0x05c0:  4783 0203 40c6 33eb 97b5 5f0b eaef cab5
    0x05d0:  45fe 3242
13:25:18.932580 IP s1.flirtzo.eu.9301 > 78.165.105.183.dynamic.ttnet.com.tr.60291: Flags [P.], seq 1453:1755, ack 157, win 123, length 302
    0x0000:  4500 0156 c34d 4000 4006 7c42 5fd3 e1e2
    0x0010:  4ea5 69b7 2455 eb83 d6fb 7765 e596 1ecf
    0x0020:  5018 007b fb5a 0000 9644 7c9c d18f c2e0
    0x0030:  0ff8 8ae7 6f8a 1b13 d88d 81fe a956 e8f9
    0x0040:  a382 cd4e f34f 4775 a904 0101 006b 4e33
    0x0050:  d907 216b cf2e 2c7d 138c df69 3e51 a902
    0x0060:  8382 c6df a26f 6c00 b716 b2ae ea76 e47c
    0x0070:  a377 3684 0fc8 ee33 5d57 24cb 0243 4f94
    0x0080:  bea6 1019 5a3a 2966 a3d3 9bc8 191c c7eb
    0x0090:  5402 a886 4365 2bfc 2abd 59c6 97a6 70d1
    0x00a0:  02e3 a1b3 7356 89e4 bbe4 c5fe 4e03 764c
    0x00b0:  5315 2e75 cb29 4167 a42c e2c6 6362 317d
    0x00c0:  ac86 1e40 d8af dbb4 021d 1216 4fc4 72f6
    0x00d0:  772c 214f c1f6 204c a673 634d 141f 221d
    0x00e0:  039f 729c 03e9 250a 10d1 134a 7047 0fa9
    0x00f0:  9180 3664 92da c4ed 19bb 9e4f 66f8 90fb
    0x0100:  f52c 1d79 dc47 5a84 73e5 8871 cca4 0ce2
    0x0110:  ecc8 db69 f4f0 515f 228e 5549 9b64 99ff
    0x0120:  1d5b 3865 0df0 a836 97d5 171a 100c cb55
    0x0130:  3639 0f52 7fd0 7526 ebb6 067d 1752 245f
    0x0140:  9dea c068 02ee 8ada 57b1 4f6e a616 0303
    0x0150:  0004 0e00 0000
13:25:19.028901 IP 78.165.105.183.dynamic.ttnet.com.tr.60291 > s1.flirtzo.eu.9301: Flags [.], ack 1755, win 64, length 0
    0x0000:  4500 0028 5936 4000 7406 b387 4ea5 69b7
    0x0010:  5fd3 e1e2 eb83 2455 e596 1ecf d6fb 7893
    0x0020:  5010 0040 51b4 0000 0000 0000 0000
13:25:19.032832 IP 78.165.105.183.dynamic.ttnet.com.tr.60291 > s1.flirtzo.eu.9301: Flags [P.], seq 157:283, ack 1755, win 64, length 126
    0x0000:  4500 00a6 5938 4000 7406 b307 4ea5 69b7
    0x0010:  5fd3 e1e2 eb83 2455 e596 1ecf d6fb 7893
    0x0020:  5018 0040 d8e2 0000 1603 0300 4610 0000
    0x0030:  4241 0480 e743 b4ca d486 fc66 f233 d481
    0x0040:  1466 d2c6 132c b9de 696d 69fc b6bb efee
    0x0050:  812d bb41 7bf7 5420 888a 6fc6 868a ca1a
    0x0060:  cebf 0730 5d93 4e83 c00f ae8e 0bb1 6daa
    0x0070:  24d5 3414 0303 0001 0116 0303 0028 0000
    0x0080:  0000 0000 0000 f000 d80d c829 2d20 3a03
    0x0090:  e4ca db9c a9d5 0048 6248 716b 171d 4313
    0x00a0:  90fb 13db 1c30
13:25:19.033946 IP s1.flirtzo.eu.9301 > 78.165.105.183.dynamic.ttnet.com.tr.60291: Flags [P.], seq 1755:1981, ack 283, win 123, length 226
    0x0000:  4500 010a c34e 4000 4006 7c8d 5fd3 e1e2
    0x0010:  4ea5 69b7 2455 eb83 d6fb 7893 e596 1f4d
    0x0020:  5018 007b fb0e 0000 1603 0300 aa04 0000
    0x0030:  a600 0038 4000 a07f 78f8 6c03 ba30 68aa
    0x0040:  2525 c10a c48c b360 cc25 1cb2 8d9c ce45
    0x0050:  7127 e55f fefc bb06 6c9f c57e b486 5f50
    0x0060:  3c28 78fa ffc4 baf8 89bc fede 25ce 5f23
    0x0070:  13f4 8ce8 f6dd 6619 f953 44bc d22f 7249
    0x0080:  1041 0c7e be77 5334 df33 5060 242f 2938
    0x0090:  8c7c 4949 760b f290 4224 96a3 04a6 f2ce
    0x00a0:  c415 f804 d0e8 fb80 9cb3 4e82 a231 c65f
    0x00b0:  2089 2244 3456 8162 6abd 6a3b 9301 f4c4
    0x00c0:  2228 2cfa 06e8 b996 418b c2ee fdc9 600f
    0x00d0:  4050 09f1 98c8 3914 0303 0001 0116 0303
    0x00e0:  0028 3078 fb0a 85ce bd8c 8fb1 e4c3 5e2c
    0x00f0:  aaf4 4d69 765e d151 66fb 3550 ff7f f688
    0x0100:  9ea1 0e08 3558 090d eb61
13:25:19.034498 IP s1.flirtzo.eu.9301 > 78.165.105.183.dynamic.ttnet.com.tr.60291: Flags [R.], seq 1981, ack 283, win 123, length 0
    0x0000:  4500 0028 c34f 4000 4006 7d6e 5fd3 e1e2
    0x0010:  4ea5 69b7 2455 eb83 d6fb 7975 e596 1f4d
    0x0020:  5014 007b 5015 0000

[edit2] new tcpdump: https://www.cloudshark.org/captures/255d70134527

Config file for stunnel:

foreground = yes
key = /home/flirtzo/ssl.key
cert =  /home/flirtzo/ssl.cert
CAfile = /home/flirtzo/ssl.cert
debug = 7
output = /var/log/stunnel_websocket.log
[websocket]
accept = www.flirtzo.eu:9301
connect = 9300 

Regards, Arjan

user1978645
  • "I have an ancient socket server script..." - if this is a plain socket it will not work with WebSockets, no matter if ws:// or wss://. See also http://stackoverflow.com/questions/24033792/html5-web-sockets-how-to-communicate-with-them/24045588#24045588 – Steffen Ullrich Sep 03 '14 at 13:04
  • I am sorry, it should have said "Websocket server script", the script is fully functional on a ws:// websocket, but it fails when using wss:// – user1978645 Sep 03 '14 at 13:06
  • In this case it should be enough to use [stunnel](http://www.stunnel.org) in front of the ws:// script. – Steffen Ullrich Sep 03 '14 at 13:58
  • After some more effort, I now see that the socket server is receiving a connection through stunnel, but it immediately disconnects/removes the client after it connects; it almost looks like the socket script cannot send messages back, I am not sure. Something is going wrong somewhere, and I haven't got the slightest clue what. – user1978645 Sep 03 '14 at 14:18
  • Hard to say what's going on without packet dump. Are you sure that the client accepts the certificate of stunnel? – Steffen Ullrich Sep 03 '14 at 14:29
  • Yes, when I enter a wrong certificate it actually throws an error, which is very nice. Do you have any clue if I should use the [websocket] or the [https] part of my config? – user1978645 Sep 03 '14 at 14:51
  • You should use the section which connects to your ws:// server. Since I don't know on which port this server listens I don't know which section you need. You should not enable any kind of application protocol. – Steffen Ullrich Sep 03 '14 at 15:04
  • It's not working. I tried stunnel in combination with Ratchet, and the same thing happens. I see a connection, then the connection directly disconnects. – user1978645 Sep 04 '14 at 10:38
  • See a few comments above: "Hard to say what's going on without packet dump." – Steffen Ullrich Sep 04 '14 at 10:53
  • I added the log files of stunnel; basically there are 0 bytes being sent. Any ideas? – user1978645 Sep 04 '14 at 11:00
  • "SSL socket closed on SSL_read" - looks like your client closed connection after the SSL handshake. Check logs etc at the client side (browser console?) – Steffen Ullrich Sep 04 '14 at 11:05
  • There are no error messages in the browser console. I think it's an issue with CentOS/stunnel. – user1978645 Sep 04 '14 at 11:11
  • If you want help please make full packet captures (`tcpdump -s0 -wfile.pcap ...`) on both sides of the tunnel. – Steffen Ullrich Sep 04 '14 at 11:15
  • I put the output of "tcpdump -x -s0 port 9301" in the post. tcpdump does not register any data on port 9300 where the data is supposed to be tunneled to by stunnel. – user1978645 Sep 04 '14 at 11:40
  • Could you please upload the real pcap somewhere so that one could look at it with wireshark or post it to [cloudshark](https://appliance.cloudshark.org/upload/)? – Steffen Ullrich Sep 04 '14 at 12:30
  • I've uploaded it here: https://www.cloudshark.org/captures/4725016c51a8 , please let me know if you need anything else. – user1978645 Sep 04 '14 at 13:20
  • One sees a successful SSL handshake but after that stunnel immediately closes connection with RST. This indicates either a problem in stunnel or a close by the websocket application. Could you please reduce your stunnel configuration to the minimum (certificate, connect, accept) and post it in full here? And please make a packet capture of the traffic between stunnel and the websocket app too. – Steffen Ullrich Sep 04 '14 at 13:37
  • I have put the details of the bare config of stunnel at the bottom of the post. New tcpdump with bare config is located at: https://www.cloudshark.org/captures/255d70134527 . The socket server indicates that no bytes are received. There are no packets sent to the socket server, so I don't have a tcpdump for that. – user1978645 Sep 04 '14 at 13:58
  • This pcap looks different: the client simply closes the connection after a successful handshake without sending any data. Since I don't see a server name extension in the ClientHello I assume you access the server as IP and not hostname, in which case the client will probably not accept the certificate (because name does not match). Although I would expect the browser to log such things to console. – Steffen Ullrich Sep 04 '14 at 14:08
  • Thank you!! It seems I indeed was using the IP instead of the hostname, and Chrome did not throw any error. When using Internet Explorer it specified an error that the hostname did not match (which I was sure I did update, but it appears that was for another section, and not for the socket connection). If you care, please submit an answer like "check that you use hostname and not IP" and I will approve it. – user1978645 Sep 04 '14 at 14:38

1 Answer


Answer based on the last pcap, for details see discussion at the question:

The client simply closes the connection after a successful handshake without sending any data. Since I don't see a server name extension in the ClientHello I assume you access the server as IP and not hostname, in which case the client will probably not accept the certificate (because name does not match). Although I would expect the browser to log such things to console.

So it looks like hostname validation was the real issue and changing from wss://ip to wss://hostname solved the problem.

Steffen Ullrich