On 04/01/17 01:00, Mukul Agrawal wrote:
> Antoine: Sorry for the trouble with Yahoo. I did test lots of client OS
> and browsers. I will send you summary of all testing using Gmail later
> today.
>
> Meanwhile, so I could summarize the results in a more meaningful manner,
> can you tell me some implementational differences between 1. bind-tcp
> (with ssl=*) and bind-ssl.
TCP: bind-tcp creates TCP sockets which can be upgraded to SSL if you
enable it (ssl=on flag) and if the client connects using SSL. These
sockets can also be used for the built-in webserver (http) and for
websockets connections if you enable it (html=on). See "ssl" flag.
SSL: bind-ssl sockets can only be used with a client that connects using
SSL. Be it a browser with https or a regular client with a
"ssl/HOST:PORT/" connection string.
If you are going to be using SSL, I recommend using a dedicated port for
it. This may avoid some of the issues with the protocol arbitration logic.

> 2. the differences between ssl=Mode switches. Somehow they aren't very
> intuitive for me.
This is covered in the manual, here is the changeset that added it:
https://xpra.org/trac/changeset/13610
For more information on this small limitation, see:
https://xpra.org/trac/ticket/1213#comment:3

> 3. Is ssl encryption/protocol used between client and websockify
> Webserver only or is it also used between XPRA server socket and
> websockify as well?
There is no connection between xpra and websockify.
Websockify runs embedded in the xpra server as a transport layer.

Cheers
Antoine

> Thanks!
>
> Mukul
>
> Sent from Yahoo Mail on Android
> <https://overview.mail.yahoo.com/mobile/?.src=Android>
>
> On Tue, Jan 3, 2017 at 1:01 AM, Antoine Martin via shifter-users
> <[email protected]> wrote:
>
> On 03/01/17 02:39, Mukul Agrawal via shifter-users wrote:
> > OK, I tried something slightly different. I removed the
> > "ssl=https" (seems like I was not reading the wiki on
> > https://xpra.org/trac/ticket/1213 correctly).
> >
> > Here is what I did :-
> Please always include all the details: the full OS version, the full
> xpra version, the full command or log output, the browser you used, etc.
> And you really should be testing with more than one browser.
>
> Since you are using a signed certificate, you should include how you
> generated the full chain. What CA you used, etc
>
> You may also want to enable "-d websocket,http"
> Or even adding "-d network" (this may be too verbose)
>
> Also, please try using a better email service. Yahoo makes a complete
> mess of the text formatting and your emails are a pain to parse.
> (and that's just one of many reasons to stay away from Yahoo)
>
> > xpra start :17 --bind-tcp=0.0.0.0:3001 --ssl=on --ssl-cert=./fullchain.pem --ssl-key=./privkey.pem --start=xclock
> >
> > => Simply hit the https://hostname.com. Web-browser says Secure
> > Connection Failed. The page you are trying to view cannot be shown
> > because the authenticity of the received data could not be
> > verified.
> > => XPRA log is showing:-
> > Error: error in network packet reading/parsing
> > 2017-01-02 19:11:15,446 invalid_header() takes exactly 3 arguments (4 given)
> > Traceback (most recent call last):
> >   File "/usr/lib/python2.7/dist-packages/xpra/net/protocol.py", line 682, in _read_parse_thread_loop
> >     self.do_read_parse_thread_loop()
> >   File "/usr/lib/python2.7/dist-packages/xpra/net/protocol.py", line 725, in do_read_parse_thread_loop
> > => openssl s_client -connect host:443 -- this is showing ssl is
> > connected and is working fine
> >
> > Any idea why browser is not connecting? Do I need to provide some
> > parameters on the address line on the browser?
> No.
> If openssl connects OK, so should the browser AFAIK.
>
> Cheers
> Antoine
>
> > Regards,
> > Mukul
> >
> > On Monday, January 2, 2017 5:20 PM, Mukul Agrawal via
> > shifter-users <[email protected]> wrote:
> >
> > I got a commercial SSL certificate installed on my ubuntu xenial
> > machine. I tested the setup using a simple "Hello World" python https
> > server. Everything is working good. I can hit the index page using
> > https from anywhere from outside world. Also checked with "openssl
> > s_client -connect" and it confirms that certificate is being used
> > properly.
> > Now I started the xpra server following instructions here -
> > Encryption/SSL – Xpra
> >
> > Used following command :-
> > xpra start :17 --start=xclock --bind-tcp=0.0.0.0:3001 --ssl=on --ssl-cert=/path/to/fullchain.pem --ssl-key=/path/to/privatekey.pem ssl=https
> >
> > Now if I hit the webaddress from webbrowser with https, I get
> > following error on browser ;-
> > SSL received a record that exceeded the maximum permissible
> > length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
> >
> > "openssl s_client -connect" is showing "connected" but giving an
> > error 140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown_protocol:s23_clnt.c:794:
> >
> > XPRA server logs are showing "invalid packet header, SSL packet?"
> >
> > Any idea what is going on? I am doing iptable routing from 443 to
> > 3001. This works just fine with the above mentioned "Hello World"
> > python https server. It seems to me there is some problem with
> > websockify's webserver is trying to attach certificates to wrong
> > port or network interface. Any advice on how to debug this?
> >
> > Regards,
> > Mukul
> >
> > _______________________________________________
> > shifter-users mailing list
> > [email protected]
> > http://lists.devloop.org.uk/mailman/listinfo/shifter-users
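
Added example (not part of the original thread, and not xpra's own code): a port shared between plain TCP, HTTP and SSL has to guess the protocol from the first bytes of each connection, and a TLS peer that is handed plaintext decodes it as a record header, which is the general mechanism behind SSL_ERROR_RX_RECORD_TOO_LONG. The function names and the sample byte strings are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2**14 + 2048   # largest TLSCiphertext length (RFC 5246, 6.2.3)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")

def parse_tls_record_header(data):
    """Decode the 5-byte TLS record header: (content type, version, length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

def tls_header_problem(data):
    """Return None if data starts like a TLS record, else why it does not."""
    ctype, version, length = parse_tls_record_header(data)
    if length > MAX_TLS_RECORD:
        return "record too long (%d bytes)" % length
    if ctype not in TLS_CONTENT_TYPES:
        return "unknown content type %d" % ctype
    if version[0] != 3:
        return "unexpected version %d.%d" % version
    return None

def classify_first_bytes(data):
    """The decision a shared port must make before choosing a protocol handler."""
    if len(data) >= 5 and data[0] == 22 and tls_header_problem(data) is None:
        return "tls"      # handshake record: wrap the socket in SSL
    if data.startswith(HTTP_METHODS):
        return "http"     # plaintext HTTP or websocket upgrade request
    return "other"        # left to the native protocol parser

# Constructed samples (not captured traffic):
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x02, 0x00]) + b"\x01\x00\x01\xfc"
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: hostname.com\r\n\r\n"
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("ClientHello", CLIENT_HELLO),
                         ("HTTP request", HTTP_REQUEST),
                         ("plaintext reply", PLAINTEXT_REPLY)):
        print("%-16s %-6s %s" % (name, classify_first_bytes(sample),
                                 tls_header_problem(sample)))
```

Read as a record header, the bytes "HTTP/" give a length field of 0x502F, above the TLS maximum, so a TLS client reports an oversized record rather than "this is not SSL".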
