Skip to content
Advertisement

Stunnel secure wss websocket to unsecure ws socket

I recently changed my site to use SSL. What I have is an old websocket server script listening on port 9300 which is then called by the client’s browser using javascript through ws. Now that my site has changed to https I have to call a wss but it’s not working. So I just want to redirect a secure wss to an unsercure ws version of the socket so I don’t have to change the script.

I tried to fix this by using stunnels. But I don’t get it right.

There seems to be an issue in the handshake being performed.

The PHP Websocket server script I have is based on this git https://github.com/Flynsarmy/PHPWebSocket-Chat

server prints

Restarting SSL tunnels: 2016.02.14 13:44:20 LOG7[4173:140328635270912]: Clients allowed=500
2016.02.14 13:44:20 LOG5[4173:140328635270912]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Compression not enabled
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Snagged 64 random bytes from /root/.rnd
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Wrote 1024 new random bytes to /root/.rnd
2016.02.14 13:44:20 LOG7[4173:140328635270912]: PRNG seeded successfully
2016.02.14 13:44:20 LOG6[4173:140328635270912]: Initializing service section [websocket]
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Certificate: /etc/apache2/ssl/ssl-cert-businessgame.pem
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Certificate loaded
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Key file: /etc/apache2/ssl/ssl-cert-businessgame.key
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Private key loaded
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Could not load DH parameters from /etc/apache2/ssl/ssl-cert-businessgame.pem
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Using hardcoded DH parameters
2016.02.14 13:44:20 LOG7[4173:140328635270912]: DH initialized with 2048-bit key
2016.02.14 13:44:20 LOG7[4173:140328635270912]: ECDH initialized with curve prime256v1
2016.02.14 13:44:20 LOG7[4173:140328635270912]: SSL options set: 0x00000004
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Configuration successful
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Service [websocket] (FD=12) bound to 94.198.160.29:9301
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Created pid file /var/run/stunnel4.pid
2016.02.14 13:44:47 LOG7[4173:140328635270912]: Service [websocket] accepted (FD=3) from 81.83.185.230:49718
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] started
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Waiting for a libwrap process
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Acquired libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Releasing libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Released libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] permitted by libwrap from 81.83.185.230:49718
2016.02.14 13:44:47 LOG5[4173:140328635262720]: Service [websocket] accepted connection from 81.83.185.230:49718
2016.02.14 13:44:47 LOG6[4173:140328635262720]: SSL accepted: new session negotiated
2016.02.14 13:44:47 LOG6[4173:140328635262720]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2016.02.14 13:44:47 LOG6[4173:140328635262720]: Compression: null, expansion: null
2016.02.14 13:44:47 LOG6[4173:140328635262720]: connect_blocking: connecting 127.0.0.1:9300
2016.02.14 13:44:47 LOG7[4173:140328635262720]: connect_blocking: s_poll_wait 127.0.0.1:9300: waiting 10 seconds
2016.02.14 13:44:47 LOG3[4173:140328635262720]: connect_blocking: connect 127.0.0.1:9300: Connection refused (111)
2016.02.14 13:44:47 LOG5[4173:140328635262720]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Local socket (FD=3) closed
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] finished (0 left)

My stunnel.conf

 foreground = yes
    key = /etc/apache2/ssl/ssl-cert-businessgame.key
    cert =  /etc/apache2/ssl/ssl-cert-businessgame.pem
    CAfile = /etc/apache2/ssl/ssl-cert-businessgame.pem
    debug = 7
    output = /var/log/stunnel_websocket.log
    [websocket]
    accept = businessgame.be:9301
    connect = 9300

Client browser console:

WebSocket connection to 'wss://businessgame.be:9301/socket/server.php' failed: Error in connection establishment: net::ERR_SOCKET_NOT_CONNECTED

I am using the same cert as I use for my SSL. I also tried it with a self generated key and cert file but no luck. I get the same error and the handshake fails.

Advertisement

Answer

So the problem wasn’t in the stunnel but I had to change the way the socket was setup by the server. I used to create it as domain:port but had to change it to localhost:port

So in the server.php file I had to change

 // start the server
$Server = new PHPWebSocket();
$Server->bind('message', 'wsOnMessage');
$Server->bind('open', 'wsOnOpen');
$Server->bind('close', 'wsOnClose');
// for other computers to connect, you will probably need to change this to your LAN IP or external IP,
// alternatively use: gethostbyaddr(gethostbyname($_SERVER['SERVER_NAME']))
$Server->wsStartServer('businessgame.be', 9300);

to 

 // start the server
$Server = new PHPWebSocket();
$Server->bind('message', 'wsOnMessage');
$Server->bind('open', 'wsOnOpen');
$Server->bind('close', 'wsOnClose');
// for other computers to connect, you will probably need to change this to your LAN IP or external IP,
// alternatively use: gethostbyaddr(gethostbyname($_SERVER['SERVER_NAME']))
$Server->wsStartServer('localhost', 9300);
User contributions licensed under: CC BY-SA
9 People found this is helpful
Advertisement