
Re: [reSIProcate-users] TLS Handshake failure on debian 8


Hi Florent,

Things to look for:
1.  Were there any errors in the logs when reTurn started surrounding the loading of certificates?  Conversely, do you see success messages reading your certificate file?
2.  Does the client have the root certificate installed?
3.  Is the client connecting using the domain that matches the Common Name in the certificate?
4.  Take a Wireshark capture of the TLS handshake to try to get more information on why the connection is closing.  Is it the client or server disconnecting?  Do the certificates presented from the server to the client look valid?

Some other general notes from the wiki (http://www.resiprocate.org/Certificates):
 "Certificates in this file should be specified from top down. I.e. highest level certificate first and root certificate last."

I'll let someone more Linux-savvy answer your other questions about file permissions, etc.  :)

Scott

On Mon, Jan 30, 2017 at 5:22 AM, Florent SCHILDKNECHT <florent.schildknecht@xxxxxxxxx> wrote:
Hey,


I am trying to set up a reTurn server for a project requiring SSL/TLS encryption,
on a Debian 8 server (installed with the official packages, apt-get install resiprocate-turn-server).
The server seems to work fine on the unencrypted port, but I have trouble with TLS.

I am using letsencrypt to generate certificates, not with the certbot utility but another client.

I have the following valid certificates for my subdomain (turn.my-domain.com):
(regenerated automatically every 3 months)

cert.pem (certificate part only)
chain.pem (chain part only)
combined.pem (combines the full-chain and the certificate private key)
fullchain.pem (it includes all the issuers chain)

Plus, of course, I have the keys:

public.pem
private.pem

All those files are in a specific location on my server, are mode 0600, and are owned by a specific user (let's say "acme").

A few pieces of information about my /etc/reTurn/reTurnServer.config:

TurnPort = 3478
TlsTurnPort = 5349

I am running the server as the user who owns the certificates (so they can be read):
RunAsUser = acme
RunAsGroup = acme

And setting the absolute paths of the certificates:

TlsServerCertificateFilename = /[...]/fullchain.pem
TlsServerPrivateKeyFilename = /[...]/private.pem


Authentication is working fine on port 3478, with the test user I've set up;
however, it doesn't work on port 5349 (I get some kind of timeout).

In the log file, I can see a "TlsConnection handshake failure" error:

WARNING | 20170130-105917.582 | reTurnServer | RETURN | 140414884460288 | TlsConnection.cxx:80 | TlsConnection handshake failure, error=335544539-short read


But I don't understand what's going on exactly.
Do you know if there is something specific to check about the TLS configuration, certificates or whatever?
Am I supposed to provide the "fullchain.pem" certificate, or another one?
(I've already tested with the four different certificates, without success.)

I'm also interested to know if there would be a better practice than running the server as my "acme" user,
but then how would it access the certificates?


Best regards,

Florent Schildknecht
UX designer and self-employed web developer
+33 6 78 41 74 79 (France)
+46 7 64 15 32 64 (Sweden)


_______________________________________________
resiprocate-users mailing list
resiprocate-users@resiprocate.org
List Archive: http://list.resiprocate.org/archive/resiprocate-users/
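As an added example (not from this thread or from the reSIProcate project), the POSIX shell script below builds a throwaway three-tier chain and checks the two things Scott's list and the wiki quote point at: that the bundle given to TlsServerCertificateFilename is ordered leaf first and root last, and that TlsServerPrivateKeyFilename matches the first certificate in it. The CA names, the temporary paths and the bundles are constructed; only `openssl` is required.

```shell
#!/bin/sh
# Added example (not from the thread or reSIProcate): constructed chain + checks.
set -eu
WORK=$(mktemp -d)

# Constructed PKI: root -> intermediate -> leaf (EC keys, valid 1 day).
mk_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
mk_key "$WORK/root.key"; mk_key "$WORK/inter.key"; mk_key "$WORK/leaf.key"
openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Constructed Root CA" \
    -days 1 -out "$WORK/root.pem" 2>/dev/null
openssl req -new -key "$WORK/inter.key" -subj "/CN=Constructed Intermediate" \
    -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/inter.pem" 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -subj "/CN=turn.my-domain.com" \
    -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
# A fullchain.pem-style bundle (leaf first) and a reversed one for comparison.
cat "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/fullchain.pem"
cat "$WORK/root.pem" "$WORK/inter.pem" "$WORK/leaf.pem" > "$WORK/wrongorder.pem"

# reTurn wants the bundle top-down: each certificate's issuer must be the
# subject of the certificate that follows it, so the leaf is first, root last.
check_chain_order() {
    dir=$(mktemp -d)
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert." n)}' "$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$dir/cert.$i" | sed 's/^[^=]*=//')
        next=$(openssl x509 -noout -subject -in "$dir/cert.$((i + 1))" | sed 's/^[^=]*=//')
        if [ "$issuer" != "$next" ]; then
            echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$next'" >&2
            return 1
        fi
        i=$((i + 1))
    done
    echo "chain order OK ($n certificates, leaf first, root last)"
}

# The private key must belong to the FIRST certificate in the bundle; openssl
# x509 reads only that one, so comparing public keys catches a mismatch.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

check_chain_order "$WORK/fullchain.pem"
check_chain_order "$WORK/wrongorder.pem" || echo "reversed bundle rejected, as expected"
key_matches_cert "$WORK/fullchain.pem" "$WORK/leaf.key" && echo "private key matches leaf"
```

Point both functions at the real fullchain.pem and private.pem referenced from reTurnServer.config to rule out ordering and key/certificate mismatch before moving on to the Wireshark capture.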