Client-Server communication using a secure WebSocket (wss)


Casamajor

Sep 25, 2014, 7:34:56 PM
to kur...@googlegroups.com
Hi team,

I moved the client side of this tutorial (http://builds.kurento.org/dev/latest/docs/tutorials/java/tutorial-3-one2many.html) to a separate server accessed via HTTPS, so now I need to secure the WebSocket connection (i.e. ws to wss) so that it could be used from HTTPS and with a different server. I did these changes:
  1. src/main/java/org/kurento/tutorial/one2manycall/One2ManyCallApp.java
    • Changed the protocol of the URI from ws to wss, replaced localhost with <KMS_IP> and port 8888 with 443:
      • final static String DEFAULT_KMS_WS_URI = "wss://<KMS_IP>:443/kurento";
  2. js/index.js
    • Changed the protocol of the WebSocket URI from ws to wss and location.host to the IP of the KMS:
      • var ws = new WebSocket('wss://<KMS_IP>/call');
    • Should I add :443 after <KMS_IP>?
After these changes and mvn, the connection still can't be established; console logs "WebSocket is already in CLOSING or CLOSED state." at the Student's end.

What else should I modify/add in order to establish a secure WebSocket?

Thanks in advance!

Agustín

Jose Antonio Santos Cadenas

Sep 26, 2014, 3:26:14 AM
to kurento
Hi,

You also have to configure the media server to listen on wss. To do so,
edit /etc/kurento/kurento.conf.json and uncomment this part:

//"secure": {
// "port": 8433,
// "certificate": "defaultCertificate.pem",
// "password": ""
//},

You will also need a PEM certificate, which should be in the same path
as the config file, or you may need to specify the full path in the
"certificate" field.

You can generate a self-signed certificate by doing this:

certtool --generate-privkey --outfile certificate.pem
echo 'organization = your organization name' > certtool.tmpl
certtool --generate-self-signed --load-privkey certificate.pem \
  --template certtool.tmpl >> certificate.pem

As this is a self-signed certificate, browsers will reject it by
default. You can get around this by accessing the wss port via https in
your browser (https://localhost:8433/ with the above config) and
accepting the certificate temporarily. Then you'll be able to connect
to the websocket from the browser. If you are using the websocket from
the server side I'm not sure how you can trust self-signed
certificates; maybe someone on the list can help you with this.

Hope this helps.

Regards

Jose

Casamajor

Sep 28, 2014, 12:09:21 AM
to kur...@googlegroups.com
Thank you José! I do have an official PEM certificate already, so that part won't be a problem.

Regards,

Agustín

ta...@eightt.us

Oct 14, 2014, 1:05:56 PM
to kur...@googlegroups.com
Hi, thanks for this helpful information. Using the group-call example project, I've followed the above steps, but I'm still unable to establish a secure connection. Everything works fine when I'm not using secure sockets.

I've opened ports 8433 and 443 in addition to all the usual ones. I've also enabled security for the SpringBoot container, by providing an EmbeddedServletContainerCustomizer—and it is able to serve the static resources over HTTPS just fine. (Chrome complains about the certificate not matching the domain, but that's because I'm running this on a test server that's not on the production domain; so I instructed the browser to allow it.)

What goes wrong is when I try to enter into the group call: no video appears.

In media-server.log, the following is reported:

[2014-10-14 15:40:30.348537] [0x1d4b2880] [info]    KurentoModuleManager ModuleManager.cpp:119 loadModules() Looking for modules in /usr/lib/x86_64-linux-gnu/kurento/modules
[2014-10-14 15:40:30.348840] [0x1d4b2880] [debug]   KurentoModuleManager ModuleManager.cpp:78 loadModule() Module loaded from /usr/lib/x86_64-linux-gnu/kurento/modules/libkmscoremodule.so
[2014-10-14 15:40:30.348858] [0x1d4b2880] [info]    KurentoModuleManager ModuleManager.cpp:94 loadModule() Loaded core version 5.0.4
[2014-10-14 15:40:30.349234] [0x1d4b2880] [debug]   KurentoModuleManager ModuleManager.cpp:78 loadModule() Module loaded from /usr/lib/x86_64-linux-gnu/kurento/modules/libkmsfiltersmodule.so
[2014-10-14 15:40:30.349246] [0x1d4b2880] [info]    KurentoModuleManager ModuleManager.cpp:94 loadModule() Loaded filters version 5.0.4
[2014-10-14 15:40:30.351302] [0x1d4b2880] [debug]   KurentoModuleManager ModuleManager.cpp:78 loadModule() Module loaded from /usr/lib/x86_64-linux-gnu/kurento/modules/libkmselementsmodule.so
[2014-10-14 15:40:30.351316] [0x1d4b2880] [info]    KurentoModuleManager ModuleManager.cpp:94 loadModule() Loaded elements version 5.0.4
[2014-10-14 15:40:30.351397] [0x1d4b2880] [info]    KurentoMediaServer main.cpp:232 main() Kmsc version: 5.0.4
[2014-10-14 15:40:30.351404] [0x1d4b2880] [info]    KurentoMediaServer main.cpp:64 load_config() Reading configuration from: /etc/kurento/kurento.conf.json
[2014-10-14 15:40:30.351665] [0x1d4b2880] [info]    KurentoMediaServer main.cpp:77 load_config() Configuration loaded successfully
[2014-10-14 15:40:30.351781] [0x1d4b2880] [info]    KurentoWebSocketTransport WebSocketTransport.cpp:197 WebSocketTransport() Secure websocket server not enabled
[2014-10-14 15:40:30.351929] [0x1d4b2880] [info]    KurentoMediaServer main.cpp:239 main() Mediaserver started
[2014-10-14 15:41:41.500176] [0x1d4b2880] [debug]   KurentoMediaServer main.cpp:98 signal_handler() Terminating.
[2014-10-14 15:41:41.500228] [0x1d4b2880] [debug]   KurentoWebSocketTransport WebSocketTransport.cpp:270 stop() stop transport
libdc1394 error: Failed to initialize libdc1394

The "Secure websocket server not enabled" message is what's suspicious to me. This is despite the KMS configuration:

{
  "mediaServer" : {
    "net" : {
      "websocket": {
        "port": 8888,
        "secure": {
          "port": 8433,
          "certificate": "/etc/ssl/certs/mycompany.com.public.crt",
          "password": ""
        },
        "path": "kurento",
        "threads": 10
      }
    }
  },
  "modules": {
    "kurento": {
      "SdpEndpoint" : {
        "sdpPattern" : "sdp_pattern.txt"
      },
      "HttpEndpoint" : {
        // commented out
      },
      "WebRtcEndpoint" : {
        "turnURL" : "kuruntu:super...@69.54.251.31:3478"
      },
      "PlumberEndpoint" : {
        // commented out
      }
    }
  }
}
 
(Don't worry, that's not the actual password.)


Additionally, at the same moment I try to enter the group chat, the Spring app reports:

16:02:01.567 [080-exec-1] DEBUG - o.k.tutorial.groupcall.RoomManager       - Room test not existent. Will create now!
16:02:01.627 [Executor-1] ERROR - o.s.w.s.c.WebSocketConnectionManager     - Failed to connect
javax.websocket.DeploymentException: The HTTP request to initiate the WebSocket connection failed
 
at org.apache.tomcat.websocket.WsWebSocketContainer.connectToServer(WsWebSocketContainer.java:361) ~[tomcat-embed-websocket-7.0.52.jar!/:7.0.52]
at org.springframework.web.socket.client.standard.StandardWebSocketClient$1.call(StandardWebSocketClient.java:125) ~[spring-websocket-4.0.6.RELEASE.jar!/:4.0.6.RELEASE]
at org.springframework.web.socket.client.standard.StandardWebSocketClient$1.call(StandardWebSocketClient.java:122) ~[spring-websocket-4.0.6.RELEASE.jar!/:4.0.6.RELEASE]
... etc ...
Caused by: java.net.ConnectException: Connection refused
at sun.nio.ch.UnixAsynchronousSocketChannelImpl.checkConnect(Native Method) ~[na:1.8.0_20]
at sun.nio.ch.UnixAsynchronousSocketChannelImpl.finishConnect(UnixAsynchronousSocketChannelImpl.java:252) ~[na:1.8.0_20]
at sun.nio.ch.UnixAsynchronousSocketChannelImpl.finish(UnixAsynchronousSocketChannelImpl.java:198) ~[na:1.8.0_20]
at sun.nio.ch.UnixAsynchronousSocketChannelImpl.onEvent(UnixAsynchronousSocketChannelImpl.java:213) ~[na:1.8.0_20]
at sun.nio.ch.EPollPort$EventHandlerTask.run(EPollPort.java:293) ~[na:1.8.0_20]
... 1 common frames omitted 


I assume this is the KMF trying to connect to KMS, because Chrome doesn't report any websocket-related errors—it only says "This appears to be Chrome" and then "Senging message: {"id":"joinRoom","name":"talus","room":"test"}," but nothing after that.

The kurentoClient in the Spring app is created as KurentoClient.create("wss://localhost:443/kurento").

Could it be as simple as needing to give the private key instead of the public one (or that it needs to be in a different format)? Do you have any advice as to what could be going wrong?

Thanks for any advice!
~ Talus.

ta...@eightt.us

Oct 14, 2014, 1:49:40 PM
to kur...@googlegroups.com, ta...@eightt.us
Or is it simply unnecessary to secure the connection when both components are running on the same machine? More broadly, what connections do I need to secure in order to get private communications—is WebRTC fundamentally encrypted so that only the static resources + web sockets need protection?

~ Talus.

Ivan Gracia

Oct 15, 2014, 12:08:02 PM
to Kurento Public
Well, I think securing connections going through the loopback interface is unnecessary. WebRTC uses DTLS-SRTP, so the media exchange is encrypted between each client and KMS. However, if you are using HTTP to connect to your publicly exposed application, then everything will be in the open: requests, SDP offers and answers... So you should set your spring-boot application to expose only secure connections to clients.

Ivan Gracia


ta...@eightt.us

Oct 15, 2014, 3:28:27 PM
to kur...@googlegroups.com
Thanks! That's just what I was hoping for.

Cheers!
~ Talus.

antonio...@quobis.es

Mar 23, 2015, 8:07:59 AM
to kur...@googlegroups.com
Hello, I have problems with Kurento websocket SSL:

  • When I try to connect to https://localhost:8433/ Mozilla Firefox says: "Secure Connection Failed. The connection to localhost:8433 was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."
  • If I check the data flow with Wireshark I see that the Client Hello is sent and Kurento Media Server answers with ACK, but after that no messages are exchanged.
  • If I try to call the WebSocket from the JavaScript files, at this address: " ws_uri: 'wss://' + location.hostname + ':8433/kurento' ", in the inspector tool I can see a rejection message: "Firefox can't establish a connection to the server at wss://cofa-project.org:8433/kurento." and after this:
Error: Connection error
Stack trace:
  failure@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:15960:24
  g@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:4618:7
  require<[15]</EventEmitter.prototype.emit@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:4548:7
  require<[97]</module.exports/</<@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:14778:7
  require<[15]</EventEmitter.prototype.emit@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:4526:9
  require<[99]</Backoff.prototype.backoff@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:14967:9
  onDisconnect@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:14805:15
  require<[15]</EventEmitter.prototype.emit@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:4526:9
  require<[104]</</WebsocketStream.prototype.onError@https://cofa-project.org/cofa-play-and-record/bower_components/kurento-client/js/kurento-client.js:15451:3

The configuration of Kurento is:
{
  "mediaServer" : {
    "net" : {
      // Uncomment just one of them
      /*
      "rabbitmq": {
        "address" : "127.0.0.1",
        "port" : 5672,
        "username" : "guest",
        "password" : "guest",
        "vhost" : "/"
      }
      */
      "websocket": {
        "port": 8888,
        "secure": {
          "port": 8433,
          "certificate": "/home/antonio/cofa-project.org.cert.pem",
          "password": "Canoa11237"
        },
        //"registrar": {
        //  "address": "ws://localhost:9090",
        //  "localAddress": "localhost"
        //},
        "path": "kurento",
        "threads": 10
      }
    }
  },

(The situation is the same even if I leave the "password" field empty.)

Any suggestions?
Thank you.
antonio...@quobis.es

Mar 23, 2015, 9:12:47 AM
to kur...@googlegroups.com
I checked the log files:
error KurentoWebSocketTransport WebSocketTransport.cpp:190 operator()() Error while setting up tls use_private_key_file: no start line

I will let you know.

Jose Antonio Santos Cadenas

Mar 23, 2015, 11:15:43 AM
to kur...@googlegroups.com
Browsers do not trust certificates that are not signed. When the connection is HTTPS they ask the user whether they trust the certificate, but with websockets they simply give this error. A workaround to fix this (but only for your client) is to connect via https to the host and port of the websocket (in your case, open this URL in a tab: https://cofa-project.org:8433) and trust the certificate. Further connections during the session won't have this error.

Jose Antonio Santos Cadenas

Mar 23, 2015, 11:17:20 AM
to kur...@googlegroups.com
I've just noticed that this was already explained in my previous post in this thread.

Markus Bauer

Apr 30, 2015, 8:17:23 AM
to kur...@googlegroups.com
Hi,

I have an official certificate, and if I connect directly to the wss port the certificate is also detected and displayed. But if I want to call the regular page ( https://localhost:8080/ ), I get the following message:

"An error occurred while connecting to localhost: 8080 occurred SSL received a record that exceeded the maximum permissible length.. (Error code: ssl_error_rx_record_too_long)"

Does anyone have experience with how I can correct this?


----------------
One2OneCallAdvApp.java:

public class One2OneCallAdvApp implements WebSocketConfigurer {

    final static String DEFAULT_KMS_WS_URI = "wss://localhost:8433/kurento";
    final static String DEFAULT_APP_SERVER_URL = "https://localhost:8080";

---------------

index.js:

var ws = new WebSocket('wss://' + location.host + '/call');

---------------

kurento.conf.json:

{
  "mediaServer" : {
    "net" : {
      // Uncomment just one of them
      /*
      "rabbitmq": {
        "address" : "127.0.0.1",
        "port" : 5672,
        "username" : "guest",
        "password" : "guest",
        "vhost" : "/"
      }
      */
      "websocket": {
        "port": 8888,
        "secure": {
          "port": 8433,
          "certificate": "certificate.pem",
          "password": ""
        },
        //"registrar": {
        //  "address": "ws://localhost:9090",
        //  "localAddress": "localhost"
        //},
        "path": "kurento",
        "threads": 10
      }
    }
  },

------------------


Thanks and regards
Markus
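
The ssl_error_rx_record_too_long message Markus quotes is Firefox's way of saying that the first bytes it got back were not a TLS record: read as one, the length field is larger than TLS allows. The usual cause is an https:// URL pointed at a port that still serves plain HTTP, which is worth checking here because DEFAULT_APP_SERVER_URL uses https on 8080 and Spring Boot serves plain HTTP on that port unless SSL has been configured on the embedded container (as Talus did earlier in the thread). The script below is an added example in Python, not code from this thread or from Kurento: classify_server_reply() tells a plaintext HTTP answer apart from a genuine TLS record and from silence (the "Client Hello sent, only an ACK back" pattern Antonio saw in Wireshark), and probe_first_bytes() fetches those first bytes from a live port with a hand-built ClientHello. The sample replies are constructed, and the function names, host and port are my own choices.

```python
"""Classify the first bytes a server sends back after a TLS ClientHello (added example)."""
import os
import socket
import struct

TLS_RECORD_MAX = 2 ** 14 + 2048   # ceiling for a TLSCiphertext record, RFC 5246 section 6.2.3
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def classify_server_reply(data: bytes) -> dict:
    """Verdicts: no_reply (TCP accepted, TLS never started: look at the KMS log),
    plaintext_http (the port still speaks HTTP, so the browser parses "HTTP/" as a TLS record
    header; Firefox reports this as ssl_error_rx_record_too_long), tls, or unknown."""
    if len(data) < 5:
        return {"verdict": "no_reply", "bytes": len(data)}
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"verdict": "plaintext_http", "status_line": status_line,
                "record_length": length, "exceeds_max": length > TLS_RECORD_MAX}
    if content_type in CONTENT_TYPES and major == 3 and length <= TLS_RECORD_MAX:
        return {"verdict": "tls", "content_type": CONTENT_TYPES[content_type],
                "version": (major, minor), "record_length": length}
    return {"verdict": "unknown", "first_bytes": data[:5].hex()}


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello (two cipher suites, SNI only), hand-built for the probe below."""
    host = server_name.encode("idna")
    name_list = b"\x00" + struct.pack("!H", len(host)) + host           # name_type host_name
    sni_ext = struct.pack("!HHH", 0, len(name_list) + 2, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                         # version, random, no session id
            + b"\x00\x04\xc0\x2f\x00\x2f"                                   # ECDHE-RSA-AES128-GCM-SHA256, RSA-AES128-SHA
            + b"\x01\x00"                                                   # null compression only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body          # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def probe_first_bytes(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect, send the ClientHello and return whatever arrives first (b"" on silence)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""


# Constructed sample replies, not captured from any real server.
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nBad Request"
TLS_ALERT_REPLY = b"\x15\x03\x03\x00\x02\x02\x28"   # fatal handshake_failure alert
SILENT_REPLY = b""                                    # TCP accepted, then nothing (Antonio's Wireshark trace)

if __name__ == "__main__":
    for name, reply in (("plain http", PLAIN_HTTP_REPLY), ("tls alert", TLS_ALERT_REPLY), ("silence", SILENT_REPLY)):
        print(name, "->", classify_server_reply(reply))
    # Live use against an assumed host/port: classify_server_reply(probe_first_bytes("localhost", 8080))
```

For the plaintext case the ASCII bytes 'P' and '/' at offsets 3 and 4 of "HTTP/" read as a record length of 0x502F = 20527, beyond the 2^14 + 2048 byte ceiling TLS 1.2 sets for a record, which is exactly the condition the Firefox error names. A "tls" verdict with an alert content type means the listener does speak TLS and the problem is in the handshake (certificate, cipher suites), while "no_reply" points back at the server-side TLS setup, as the KMS log did for Antonio.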

m...@marcback.es

Sep 18, 2015, 11:57:03 AM
to kurento
Hi!

You said you moved the example to an HTTPS server. I want (or NEED) to do the same thing. However, I could not find anywhere how to include an SSL certificate in the Maven webserver. Can you give me some hints on how to get it done?

Greets,
Marc

Ivan Gracia

Sep 22, 2015, 4:29:21 AM
to Kurento Public
A bit of googling returns this very helpful post.

Ivan Gracia

Mark Spowage

Jul 9, 2016, 2:43:02 PM
to kurento
I have a REAL cert and yet the wss connection fails?
Nothing in the log files.
How to debug??

Mark Spowage

Jul 9, 2016, 3:28:31 PM
to kurento
"secure": {
  "port": 8433,
  "certificate": "defaultCertificate.pem",
  "password": ""
},

should be 8443, then a connection comes
but remains in CONNECTING STATE?

Mark Spowage

Jul 9, 2016, 3:31:44 PM
to kurento
You need this.. no errors, but hello world still does not echo.
BUT no errors ha ha
var ws = require('ws');   // the 'ws' module; `server` is assumed to be the https.Server the demo creates
var wss = new ws.Server({
    server : server,
  //  path : '/'
    path : '/helloworld'
});

Mark Spowage

Jul 9, 2016, 3:46:59 PM
to kurento
Now there are no connection errors using 8443 as the port, CONTRARY to the docs.
So ... now there are NO connection errors BUT none of the demos work ha ha
No errors anywhere, just NO result ha ha

Mark Spowage

Jul 9, 2016, 4:13:57 PM
to kurento
It appears that the KMS server is not LISTENING on the port in the config, as when it is changed to the HTTPS port it does not block it.
So some NEW version of KMS??

Mark Spowage

Jul 9, 2016, 4:40:08 PM
to kurento
Forgot to copy the PEM file to the server.
Hours for a missing file.
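
Several of the failures in this thread come down to the file behind the "certificate" field rather than to the WebSocket itself: Jose's recipe appends the self-signed certificate to the private key file so that one PEM holds both; Antonio's log line "use_private_key_file: no start line" says the PEM KMS was given contained no private key block; Talus pointed the field at a .public.crt and asked whether the private key was needed; and Mark's wss listener never came up because the PEM had not been copied to the server. The preflight below is an added example in Python, not Kurento code: it reads kurento.conf.json (stripping the // and /* */ comments the file uses, which plain json.loads rejects), resolves a relative certificate path next to the config file as Jose describes, and checks that the PEM contains both a private key and a certificate before KMS is restarted. The function names, the findings vocabulary, the sample config and the PEM bodies are my own constructions; the PEM blocks hold placeholder text, not real key material.

```python
"""Preflight for the KMS secure-websocket settings (added example, not Kurento code)."""
import json
import os
import re

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def strip_json_comments(text: str) -> str:
    """Drop // and /* */ comments outside string literals (kurento.conf.json uses both)."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                          # copy a string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):              # line comment
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif text.startswith("/*", i):              # block comment
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def inspect_pem(pem: bytes) -> dict:
    """Which PEM blocks does the file hold? KMS wants the private key AND the certificate in it."""
    labels = [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(pem)]
    return {
        "labels": labels,
        "has_private_key": any("PRIVATE KEY" in label for label in labels),
        "has_certificate": "CERTIFICATE" in labels,
        "encrypted": any("ENCRYPTED" in label for label in labels) or b"Proc-Type: 4,ENCRYPTED" in pem,
    }


def preflight(conf_text: str, conf_path: str, files: dict) -> list:
    """Findings for the 'secure' block. `files` maps absolute path -> bytes and stands in for the
    server's filesystem so this runs offline; use open(path, "rb").read() for a real check."""
    conf = json.loads(strip_json_comments(conf_text))
    websocket = conf.get("mediaServer", {}).get("net", {}).get("websocket", {})
    secure = websocket.get("secure")
    if not isinstance(secure, dict):
        return ["secure-block-missing"]              # KMS will only serve plain ws://
    cert = secure.get("certificate", "")
    # A relative path is looked up next to the config file, as the thread describes.
    path = cert if os.path.isabs(cert) else os.path.join(os.path.dirname(conf_path), cert)
    pem = files.get(path)
    if pem is None:
        return ["certificate-file-not-found:" + path]
    info = inspect_pem(pem)
    findings = []
    if not info["has_private_key"]:
        findings.append("pem-missing-private-key")  # the 'use_private_key_file: no start line' case
    if not info["has_certificate"]:
        findings.append("pem-missing-certificate")
    if info["encrypted"] and not secure.get("password"):
        findings.append("pem-encrypted-but-no-password")
    return findings or ["ok:wss-port-%s" % secure.get("port")]


# Constructed samples, modelled on the configs quoted in this thread (not copied from a server).
CONF_TEMPLATE = """{
  "mediaServer" : {
    "net" : {
      // Uncomment just one of them
      /* "rabbitmq": { "address" : "127.0.0.1", "port" : 5672 } */
      "websocket": {
        "port": 8888,
        "secure": { "port": 8433, "certificate": "__CERT__", "password": "" },
        //"registrar": { "address": "ws://localhost:9090" },
        "path": "kurento",
        "threads": 10
      }
    }
  },
  "modules": { "kurento": { "HttpEndpoint" : { // commented out
  } } }
}"""
# Placeholder PEM bodies: the base64 is dummy text, not real key or certificate material.
FAKE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
FILES = {
    "/etc/kurento/certificate.pem": FAKE_KEY + FAKE_CERT,  # key + cert, as the certtool recipe produces
    "/etc/ssl/certs/example.public.crt": FAKE_CERT,         # certificate only, no private key
}
CONF_PATH = "/etc/kurento/kurento.conf.json"


def sample_conf(certificate: str) -> str:
    return CONF_TEMPLATE.replace("__CERT__", certificate)


if __name__ == "__main__":
    for cert in ("certificate.pem", "/etc/ssl/certs/example.public.crt", "missing.pem"):
        print(cert, "->", preflight(sample_conf(cert), CONF_PATH, FILES))
```

Run on the real host by replacing FILES with a read of the path the config names; a "pem-missing-private-key" finding is the condition behind the "no start line" log line, and "certificate-file-not-found" is the missing copy that cost Mark the afternoon. The comment stripper keeps "//" inside strings intact, so values such as a ws:// URL in the registrar block survive when that block is uncommented.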