
I built a PHP WebSocket server and JavaScript clients to connect to it. It's working fine without SSL. My next step is to improve security by using wss instead of ws (and so enabling HTTPS on the website).

My intention is to decrypt incoming traffic and redirect it to the WebSocket server using stunnel on CentOS 6.

The first step is to simply redirect the requests from the clients to the server:

client-request: ws://soundjack.eu:9030/wsServer2.php

server: socket created listening on 144.76.81.210:9090 running php -q wsServer2.php

corresponding stunnel config:

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
;setuid = nobody
;setgid = nobody
; PID is created inside the chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration
[wsServer]
accept = 127.0.0.1:9030
connect = 127.0.0.1:9090

stunnel starts correctly and is listening on port 9030.

Every request sent by a client gets aborted (checked in the Firebug console). In Chrome it says status: finished, without any further information.

I don't quite know what the error is, so any help would be great. Thanks!

DrakeBlack

2 Answers

It finally works!!! Even with SSL it works great.

The key was to change the stunnel config so it works correctly (updated, now using SSL):

/etc/stunnel/stunnel.conf:

; Certificate/key is needed in server mode and optional in client mode
cert = /path/to/<myCert>.pem
key = /path/to/<myKey>.key

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/

; PID is created inside the chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log
;foreground = yes

; Use it for client mode
;client = yes                     !! turn to server mode

; Service-level configuration
[wsServer]
accept = 0.0.0.0:9030             !! listen to all addresses
connect = 127.0.0.1:9090

Note: the !! marks are not valid comments! I inserted them only to show the changes.

DrakeBlack
  • I tried this myself but it keeps nagging me with this error that makes totally no sense. [Failed: /etc/stunnel/stunnel.conf] You should check that you have specified the pid= in you configuration file – Gilles Lesire Feb 14 '16 at 18:51
  • Although it's 7 years old, still working. – eRIZ Aug 18 '21 at 13:29

I just ran into this same problem and I wanted to add to this answer for someone else googling around because it was killing me. In my PHP I wrote a WebSocket using Ratchet that I was invoking with a Laravel artisan command. If you're developing locally, I believe you can add the stunnel.pem and CAFile to your keychain (if on a Mac... on second thought I don't even think you necessarily need the CAFile if working locally) and you should be able to access your WebSocket with stunnel over wss. However, if you are working on your live webserver you need to get your keys certified. In my case I generated my stunnel keys for the stunnel.pem using OpenSSL and got them certified using PositiveSSL. I then added the CAFile option and linked the crt file they sent me back. If you are getting "stunnel vision", use the option foreground = yes in your stunnel.conf and remember, as DrakeBlack pointed out, DO NOT USE client = yes. You are not the client in this case, you are the server.

Jamie
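Both answers come down to the same handful of stunnel settings: server mode rather than client = yes, a certificate, an accept address that clients can actually reach, and a plaintext backend that stays on loopback. The following lint is an added example, not code from either answer or from the stunnel project. It parses stunnel's syntax (';' comments, key = value globals, [service] sections) and flags those settings, plus sslVersion = all, which lets the peer negotiate any protocol the OpenSSL build supports, including SSLv3 where it is compiled in. The two configs embedded below are constructed to mirror the question's failing config and the accepted answer's working one, without the !! markers.

```python
"""Lint an stunnel.conf for the mistakes discussed in this thread.

Added example, not from the original posts. Parses stunnel's INI-like
syntax and reports settings that break or weaken a TLS-terminating stunnel
sitting in front of a plaintext WebSocket server.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample mirroring the question's (failing) client-mode config.
FAILING_CONF = """\
chroot = /var/run/stunnel/
pid = /stunnel.pid
debug = 7
output = /var/log/stunnel/stunnel.log
client = yes

[wsServer]
accept = 127.0.0.1:9030
connect = 127.0.0.1:9090
"""

# Constructed sample mirroring the accepted answer's server-mode config.
WORKING_CONF = """\
cert = /path/to/<myCert>.pem
key = /path/to/<myKey>.key
sslVersion = all
chroot = /var/run/stunnel/
pid = /stunnel.pid

[wsServer]
accept = 0.0.0.0:9030
connect = 127.0.0.1:9090
"""

# Protocol selectors that enable SSLv2/SSLv3 on builds that still ship them.
LEGACY_SSL_VERSIONS = {"all", "sslv2", "sslv3"}


@dataclass
class StunnelConfig:
    globals_: dict[str, str] = field(default_factory=dict)
    services: dict[str, dict[str, str]] = field(default_factory=dict)


def parse_stunnel_conf(text: str) -> StunnelConfig:
    """Parse the subset of stunnel.conf syntax used on this page.

    Repeated keys (e.g. two 'socket =' lines) keep the last value, which is
    enough for the checks below.
    """
    cfg = StunnelConfig()
    current = cfg.globals_  # options before any [section] are global
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = cfg.services.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return cfg


def lint_tls_termination(cfg: StunnelConfig) -> list[tuple[str, str]]:
    """Return (code, message) findings for a TLS-terminating stunnel."""
    findings: list[tuple[str, str]] = []
    g = cfg.globals_
    if g.get("client", "no").lower() == "yes":
        findings.append(("client-mode",
                         "client = yes makes stunnel speak TLS to the backend; "
                         "terminating wss:// for browsers needs server mode"))
    if "cert" not in g:
        findings.append(("missing-cert", "server mode needs cert = <file>"))
    if g.get("sslVersion", "").lower() in LEGACY_SSL_VERSIONS:
        findings.append(("legacy-ssl-version",
                         f"sslVersion = {g['sslVersion']} permits SSLv2/SSLv3 "
                         "on builds that include them"))
    for name, svc in cfg.services.items():
        accept = svc.get("accept", "")
        if accept.startswith(("127.0.0.1:", "localhost:")):
            findings.append(("loopback-accept",
                             f"[{name}] accept = {accept} is reachable only from this host"))
        connect = svc.get("connect", "")
        # stunnel defaults a bare port to localhost; anything else is off-box
        host = connect.rsplit(":", 1)[0] if ":" in connect else ""
        if host not in {"", "127.0.0.1", "localhost"}:
            findings.append(("offbox-backend",
                             f"[{name}] connect = {connect} sends plaintext off the host"))
    return findings


def lint_text(text: str) -> list[tuple[str, str]]:
    return lint_tls_termination(parse_stunnel_conf(text))


if __name__ == "__main__":
    for label, conf in (("question", FAILING_CONF), ("answer", WORKING_CONF)):
        print(f"== {label} config ==")
        for code, msg in lint_text(conf):
            print(f"  {code}: {msg}")
```

Run against the question's config it reports client mode, the missing certificate and the loopback-only accept address; against the answer's config the only remaining finding is sslVersion = all, which is worth tightening to the TLS versions the deployment actually needs.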