[winswitch] XPRA on TLS/SSL

Mukul Agrawal mukulagrawal78 at yahoo.com
Tue Jan 3 18:00:10 GMT 2017


Antoine: Sorry for the trouble with Yahoo. I did test lots of client OS and browsers. I will send you summary of all testing using Gmail later today. 
Meanwhile, so I could summarize the results in a more meaningful manner, can you tell me some implementational differences between 1. bind-tcp (with ssl=*) and bind-ssl.2. the differences between ssl=Mode switches. Somehow they aren't very intuitive for me. 3. Is ssl encryption/protocol used between client and websockify Webserver only or is it also used between XPRA server socket and websockify as well?
Thanks!

Mukul

Sent from Yahoo Mail on Android 
 
  On Tue, Jan 3, 2017 at 1:01 AM, Antoine Martin via shifter-users<shifter-users at lists.devloop.org.uk> wrote:   On 03/01/17 02:39, Mukul Agrawal via shifter-users wrote:
> OK, I tried something slightly different. I removed the "ssl=https" (seems like I was not reading the wiki on https://xpra.org/trac/ticket/1213 correctly).
> Here is what I did :-
Please always include all the details: the full OS version, the full
xpra version, the full command or log output, the browser you used, etc.
And you really should be testing with more than one browser.

Since you are using a signed certificate, you should include how you
generated the full chain. What CA you used, etc

You may also want to enable "-d websocket,http"
Or even adding "-d network" (this may be too verbose)

Also, please try using a better email service. Yahoo makes a complete
mess of the text formatting and your emails are a pain to parse.
(and that's just one of many reasons to stay away from Yahoo)

> xpra start :17 --bind-tcp=0.0.0.0:3001 --ssl=on --ssl-cert=./fullchain.pem --ssl-key=./privkey.pem --start=xclock
> =>  Simply hit the https://hostname.com. Web-browser says Secure Connection Failed. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.=> XPRA log is showing:- Error: error in network packet reading/parsing^[[0m ^[[31m2017-01-02 19:11:15,446 invalid_header() takes exactly 3 arguments (4 given) Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/xpra/net/protocol.py", line 682, in _read_parse_thread_loop self.do_read_parse_thread_loop() File "/usr/lib/python2.7/dist-packages/xpra/net/protocol.py", line 725, in do_read_parse_thread_loop=> openssl s_client -connect host:443 -- this is showing ssl is connect and is working fine
> Any idea why browser is not connecting? Do I need to provide some parameters on the address line on the browser?
No.
If openssl connects OK, so should the browser AFAIK.

Cheers
Antoine


> 
> 
>  Regards, 
> Mukul 
>  
> 
>    On Monday, January 2, 2017 5:20 PM, Mukul Agrawal via shifter-users <shifter-users at lists.devloop.org.uk> wrote:
>  
> 
>  I got a commercial SSL certificate installed on my ubuntu xenial machine.I tested the setup using a simple "Hello World" python https server. Everything is woorking good. I can hit the index page using https from anywhere from outside world.Also checked with "openssl s_client -connect" and it confiorms that certificate is using used properly.
> Now I started the xpra server following instructions here -
> Encryption/SSL – Xpra
> 
>  
>>>> |  |    |
> 
>  |
> 
>  |
>> |  |  
> Encryption/SSL – Xpra
>  xpra - screen for X  |  |
> 
>  |
> 
>  |
> 
>  
> 
> Used following command :-
> xpra start :17 --start=xclock --bind-tcp=0.0.0.0:3001 --ssl=on --ssl-cert=/path/to/fullchain.pem --ssl-key=/
> path/to/privatekey.pem ssl=https
> 
> Now if I hit the webaddress from webbrowser with https, I get following error on browser ;-
> SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
> 
> "openssl s_client -connect" is showing "connected" but giving an error  140770FC:SSL rountines:SSL23_GET_SERVER_HELLO:unknown_protocol:s23_clnt.c:794:
> 
> XPRA server logs are showing "invalid packet header, SSL packet?"
> 
> Any idea what is going on?I am doing iptable routing from 443 to 3001. This works just fine with the above mentioned "Hello World" python https server. It seems to me there is some problem with websockify's webserver is trying to attach certificates to wrong port or network interface. Any advice on how to debug this?
> 
>  Regards, 
> Mukul 
> 
> 
> 
>  
> 
>  
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
> 
> 
>    
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
> 

_______________________________________________
shifter-users mailing list
shifter-users at lists.devloop.org.uk
http://lists.devloop.org.uk/mailman/listinfo/shifter-users
  



More information about the shifter-users mailing list