I recently changed my site to use SSL. What I have is an old websocket server script listening on port 9300 which is then called by the client’s browser using JavaScript through ws. Now that my site has changed to https I have to call a wss but it’s not working. So I just want to redirect a secure wss to an unsecure ws version of the socket so I don’t have to change the script.
I tried to fix this by using stunnels. But I don’t get it right.
There seems to be an issue in the handshake being performed.
The PHP Websocket server script I have is based on this git https://github.com/Flynsarmy/PHPWebSocket-Chat
Server prints:
Restarting SSL tunnels:
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Clients allowed=500
2016.02.14 13:44:20 LOG5[4173:140328635270912]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Compression not enabled
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Snagged 64 random bytes from /root/.rnd
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Wrote 1024 new random bytes to /root/.rnd
2016.02.14 13:44:20 LOG7[4173:140328635270912]: PRNG seeded successfully
2016.02.14 13:44:20 LOG6[4173:140328635270912]: Initializing service section [websocket]
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Certificate: /etc/apache2/ssl/ssl-cert-businessgame.pem
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Certificate loaded
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Key file: /etc/apache2/ssl/ssl-cert-businessgame.key
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Private key loaded
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Could not load DH parameters from /etc/apache2/ssl/ssl-cert-businessgame.pem
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Using hardcoded DH parameters
2016.02.14 13:44:20 LOG7[4173:140328635270912]: DH initialized with 2048-bit key
2016.02.14 13:44:20 LOG7[4173:140328635270912]: ECDH initialized with curve prime256v1
2016.02.14 13:44:20 LOG7[4173:140328635270912]: SSL options set: 0x00000004
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Configuration successful
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Service [websocket] (FD=12) bound to 94.198.160.29:9301
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Created pid file /var/run/stunnel4.pid
2016.02.14 13:44:47 LOG7[4173:140328635270912]: Service [websocket] accepted (FD=3) from 81.83.185.230:49718
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] started
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Waiting for a libwrap process
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Acquired libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Releasing libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Released libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] permitted by libwrap from 81.83.185.230:49718
2016.02.14 13:44:47 LOG5[4173:140328635262720]: Service [websocket] accepted connection from 81.83.185.230:49718
2016.02.14 13:44:47 LOG6[4173:140328635262720]: SSL accepted: new session negotiated
2016.02.14 13:44:47 LOG6[4173:140328635262720]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2016.02.14 13:44:47 LOG6[4173:140328635262720]: Compression: null, expansion: null
2016.02.14 13:44:47 LOG6[4173:140328635262720]: connect_blocking: connecting 127.0.0.1:9300
2016.02.14 13:44:47 LOG7[4173:140328635262720]: connect_blocking: s_poll_wait 127.0.0.1:9300: waiting 10 seconds
2016.02.14 13:44:47 LOG3[4173:140328635262720]: connect_blocking: connect 127.0.0.1:9300: Connection refused (111)
2016.02.14 13:44:47 LOG5[4173:140328635262720]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Local socket (FD=3) closed
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] finished (0 left)
My stunnel.conf:
foreground = yes
key = /etc/apache2/ssl/ssl-cert-businessgame.key
cert = /etc/apache2/ssl/ssl-cert-businessgame.pem
CAfile = /etc/apache2/ssl/ssl-cert-businessgame.pem
debug = 7
output = /var/log/stunnel_websocket.log

[websocket]
accept = businessgame.be:9301
connect = 9300
Client browser console:
WebSocket connection to 'wss://businessgame.be:9301/socket/server.php' failed: Error in connection establishment: net::ERR_SOCKET_NOT_CONNECTED
I am using the same cert as I use for my SSL. I also tried it with a self generated key and cert file but no luck. I get the same error and the handshake fails.
Answer
So the problem wasn’t in the stunnel, but I had to change the way the socket was set up by the server. I used to create it as domain:port but had to change it to localhost:port.
So in the server.php file I had to change
// start the server
$Server = new PHPWebSocket();
$Server->bind('message', 'wsOnMessage');
$Server->bind('open', 'wsOnOpen');
$Server->bind('close', 'wsOnClose');
// for other computers to connect, you will probably need to change this to your LAN IP or external IP,
// alternatively use: gethostbyaddr(gethostbyname($_SERVER['SERVER_NAME']))
$Server->wsStartServer('businessgame.be', 9300);
to
// start the server
$Server = new PHPWebSocket();
$Server->bind('message', 'wsOnMessage');
$Server->bind('open', 'wsOnOpen');
$Server->bind('close', 'wsOnClose');
// for other computers to connect, you will probably need to change this to your LAN IP or external IP,
// alternatively use: gethostbyaddr(gethostbyname($_SERVER['SERVER_NAME']))
$Server->wsStartServer('localhost', 9300);
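The answer's root cause is a bind-address mismatch: stunnel's `connect = 9300` (a bare port, which stunnel treats as 127.0.0.1:9300, matching the "connect_blocking: connecting 127.0.0.1:9300" line in the log) dials loopback, while the PHP server was bound to the external address, so nothing answered on loopback and stunnel logged "Connection refused (111)". The following Python script is an added example that is not part of the question, the answer or the PHPWebSocket-Chat project. It reproduces the failure offline with a stand-in listener (`PlainListener`, an ephemeral port in place of 9300) and a preflight probe (`probe_backend`) that does the same plain TCP connect stunnel performs after the TLS handshake; `stunnel_connect_target` is my own helper for interpreting the `connect =` value. All three names are assumptions, not stunnel or project APIs.

```python
"""Preflight check for the stunnel -> plaintext WebSocket backend hop (added example)."""
from __future__ import annotations

import socket
import threading


def stunnel_connect_target(connect_value: str) -> tuple[str, int]:
    """Interpret a stunnel `connect =` value: a bare port such as "9300"
    means 127.0.0.1:9300; "host:port" or "[v6addr]:port" names the host."""
    host, sep, port = connect_value.strip().rpartition(":")
    if not sep:                               # no host part at all
        return "127.0.0.1", int(port)
    return host.strip("[]") or "127.0.0.1", int(port)


def probe_backend(host: str, port: int, timeout: float = 2.0) -> tuple[bool, str]:
    """Plain TCP connect, mirroring what stunnel does once TLS is up.
    Returns (reachable, detail) instead of raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except ConnectionRefusedError as exc:
        # Nothing listens on that address:port -> the LOG3 line in the question
        return False, f"Connection refused ({exc.errno})"
    except socket.timeout:
        return False, "timed out"
    except OSError as exc:
        return False, f"{exc.strerror} ({exc.errno})"


class PlainListener:
    """Tiny TCP acceptor bound to ONE address, standing in for the PHP
    WebSocket server. Binding it to 127.0.0.1 is the answer's fix."""

    def __init__(self, bind_host: str, port: int = 0) -> None:
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_host, port))     # port 0 = ephemeral (constructed for the demo)
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the accept loop notice close()
        self.host, self.port = self.sock.getsockname()[:2]
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.close()                      # the WebSocket handshake is out of scope here

    def close(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def demo() -> dict:
    """With a listener on the address stunnel dials, the probe succeeds;
    with no listener there, it fails exactly like stunnel's LOG3 line."""
    host, _ = stunnel_connect_target("9300")         # -> ("127.0.0.1", 9300)
    listener = PlainListener(host)                   # bound where stunnel looks
    port = listener.port
    with_listener = probe_backend(host, port)
    listener.close()
    without_listener = probe_backend(host, port)     # nobody on 127.0.0.1:port any more
    return {"with_listener": with_listener, "without_listener": without_listener}


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name}: {'reachable' if ok else 'unreachable'} ({detail})")
```

A server bound only to the external address, as in the original `wsStartServer('businessgame.be', 9300)`, behaves like the "without_listener" case when probed on 127.0.0.1. Binding the plaintext side to localhost has a second benefit beyond making stunnel's connect succeed: the unencrypted ws port is then unreachable from outside the host, so only stunnel's TLS listener on 9301 is exposed. On the real host, `ss -ltnp` (or `netstat -ltnp`) shows which address each listener is bound to and is the quickest way to confirm the fix.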