[winswitch] XPRA on TLS/SSL
Antoine Martin
antoine at nagafix.co.uk
Wed Jan 4 09:20:44 GMT 2017
On 04/01/17 01:00, Mukul Agrawal wrote:
> Antoine: Sorry for the trouble with Yahoo. I did test lots of client OS
> and browsers. I will send you summary of all testing using Gmail later
> today.
>
> Meanwhile, so I could summarize the results in a more meaningful manner,
> can you tell me some implementational differences between 1. bind-tcp
> (with ssl=*) and bind-ssl.
TCP: bind-tcp creates TCP sockets which can be upgraded to SSL if you
enable it (ssl=on flag) and if the client connects using SSL.
These sockets can also be used for the built-in webserver (http) and for
websockets connections if you enable it (html=on). See "ssl" flag.
SSL: bind-ssl sockets can only be used with a client that connects using
SSL. Be it a browser with https or a regular client with a
"ssl/HOST:PORT/" connection string.
If you are going to be using SSL, I recommend using a dedicated port for
it. This may avoid some of the issues with the protocol arbitration logic.
> 2. the differences between ssl=Mode switches. Somehow they aren't very
> intuitive for me.
This is covered in the manual, here is the changeset that added it:
https://xpra.org/trac/changeset/13610
For more information on this small limitation, see:
https://xpra.org/trac/ticket/1213#comment:3
> 3. Is ssl encryption/protocol used between client and websockify
> Webserver only or is it also used between XPRA server socket and
> websockify as well?
There is no connection between xpra and websockify. Websockify runs
embedded in the xpra server as a transport layer.
Cheers
Antoine
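Added example, not part of the original message and not xpra code: the failure mode in this thread is a TLS client sending a ClientHello to a socket whose server side is not speaking TLS. On the server that shows up as a first packet that is neither an xpra header nor an HTTP request (the log says "invalid packet header, SSL packet?"); on the client, openssl s_client and the browser receive plaintext where a ServerHello was expected (unknown_protocol, SSL_ERROR_RX_RECORD_TOO_LONG). The script reproduces both halves locally against a constructed plaintext server on 127.0.0.1 that answers with an HTTP 400, and includes the kind of first-bytes classifier a shared bind-tcp socket needs for protocol arbitration. The assumption that an xpra packet header starts with the byte 'P' is mine, inferred from the log wording, not taken from the project's source.

```python
"""Added example: a TLS client hitting a socket that does not speak TLS.

This is what sits behind "SSL_ERROR_RX_RECORD_TOO_LONG" in the browser,
"unknown_protocol" from openssl s_client and "invalid packet header, SSL
packet?" in the xpra log: the ClientHello reaches a socket that answers in
plaintext. Not xpra code; the server below is a constructed stand-in.
"""
import socket
import ssl
import threading

TLS_CONTENT_TYPE_HANDSHAKE = 0x16
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Peek-and-decide arbitration of the kind a shared bind-tcp socket must do.

    TLS:  record layer ContentType=handshake (0x16) followed by a 3.x version.
    HTTP: a request line starting with a method (the html=on / websocket path).
    xpra: first byte 'P' -- an ASSUMPTION inferred from the log wording, not
          taken from the xpra source. HTTP is tested first on purpose: "POST "
          and "PUT " also start with 'P', so order decides the outcome.
    """
    if len(data) >= 3 and data[0] == TLS_CONTENT_TYPE_HANDSHAKE \
            and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    if data.startswith(HTTP_METHODS):
        return "http"
    if data.startswith(b"P"):
        return "xpra"
    return "unknown"


def start_plaintext_server(reply: bytes):
    """Start a one-shot localhost server that answers any connection with `reply`.

    Returns (port, seen); seen[0] is filled in with the classification of the
    client's first bytes, i.e. what a non-TLS server sees when a TLS client
    connects. Constructed for the demo, not an xpra server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            first = conn.recv(4096)          # the ClientHello, if a TLS client
            seen.append(classify_first_bytes(first))
            conn.sendall(reply)              # plaintext where a ServerHello was expected
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def probe_tls(host: str, port: int, timeout: float = 5.0):
    """Do what `openssl s_client -connect host:port` does: TCP connect, then handshake.

    Returns ("tls", version) when the peer speaks TLS, ("not-tls", reason) when
    it answered with something that is not a TLS record, ("error", reason) for
    plain network failures. Verification is disabled on purpose: this probe
    asks only whether TLS is spoken at all, not whether the chain is good.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls", tls.version())
    except ssl.SSLError as e:
        return ("not-tls", e.reason or str(e))
    except OSError as e:
        return ("error", str(e))


def demo():
    """TLS client against a plaintext server: returns (what the server saw, client result)."""
    port, seen = start_plaintext_server(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    result = probe_tls("127.0.0.1", port)
    return seen[0], result


if __name__ == "__main__":
    server_saw, (status, detail) = demo()
    print("server classified the client's first bytes as:", server_saw)
    print("client result:", status, detail)
```

Run it directly to see what each side observes. The equivalent check against a real deployment is `openssl s_client -connect host:443 -servername host` on the public port that the iptables rule forwards: it should print the certificate chain and a `Verify return code`, not `unknown_protocol`. If it fails the same way the probe above does, the ClientHello is reaching a socket that is not doing TLS, or the arbitration on a shared port picked the wrong protocol, which is exactly what a dedicated bind-ssl port takes out of the picture.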
> Thanks!
>
> Mukul
>
>
> On Tue, Jan 3, 2017 at 1:01 AM, Antoine Martin via shifter-users
> <shifter-users at lists.devloop.org.uk> wrote:
>
> On 03/01/17 02:39, Mukul Agrawal via shifter-users wrote:
> > OK, I tried something slightly different. I removed the
> "ssl=https" (seems like I was not reading the wiki on
> https://xpra.org/trac/ticket/1213 correctly).
> > Here is what I did :-
> Please always include all the details: the full OS version, the full
> xpra version, the full command or log output, the browser you used, etc.
> And you really should be testing with more than one browser.
>
> Since you are using a signed certificate, you should include how you
> generated the full chain. What CA you used, etc
>
> You may also want to enable "-d websocket,http"
> Or even adding "-d network" (this may be too verbose)
>
> Also, please try using a better email service. Yahoo makes a complete
> mess of the text formatting and your emails are a pain to parse.
> (and that's just one of many reasons to stay away from Yahoo)
>
> > xpra start :17 --bind-tcp=0.0.0.0:3001 --ssl=on --ssl-cert=./fullchain.pem --ssl-key=./privkey.pem --start=xclock
> > => Simply hit https://hostname.com. Web browser says: Secure Connection Failed. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> > => XPRA log is showing:
> > Error: error in network packet reading/parsing
> > 2017-01-02 19:11:15,446 invalid_header() takes exactly 3 arguments (4 given)
> > Traceback (most recent call last):
> >   File "/usr/lib/python2.7/dist-packages/xpra/net/protocol.py", line 682, in _read_parse_thread_loop
> >     self.do_read_parse_thread_loop()
> >   File "/usr/lib/python2.7/dist-packages/xpra/net/protocol.py", line 725, in do_read_parse_thread_loop
> > => openssl s_client -connect host:443 -- this is showing ssl is connected and is working fine
> > Any idea why browser is not connecting? Do I need to provide some parameters on the address line on the browser?
> No.
> If openssl connects OK, so should the browser AFAIK.
>
> Cheers
> Antoine
>
>
> >
> >
> > Regards,
> > Mukul
> >
> >
> > On Monday, January 2, 2017 5:20 PM, Mukul Agrawal via shifter-users <shifter-users at lists.devloop.org.uk> wrote:
> >
> >
> > I got a commercial SSL certificate installed on my ubuntu xenial machine. I tested the setup using a simple "Hello World" python https server. Everything is working good. I can hit the index page using https from anywhere from outside world. Also checked with "openssl s_client -connect" and it confirms that the certificate is being used properly.
> > Now I started the xpra server following instructions here -
> > Encryption/SSL – Xpra
> >
> > Used following command :-
> > xpra start :17 --start=xclock --bind-tcp=0.0.0.0:3001 --ssl=on --ssl-cert=/path/to/fullchain.pem --ssl-key=/path/to/privatekey.pem ssl=https
> >
> > Now if I hit the web address from a web browser with https, I get the following error on the browser:
> > SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
> >
> > "openssl s_client -connect" is showing "connected" but giving an error 140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown_protocol:s23_clnt.c:794:
> >
> > XPRA server logs are showing "invalid packet header, SSL packet?"
> >
> > Any idea what is going on? I am doing iptables routing from 443 to 3001. This works just fine with the above mentioned "Hello World" python https server. It seems to me there is some problem with websockify's webserver: it is trying to attach certificates to the wrong port or network interface. Any advice on how to debug this?
> >
> > Regards,
> > Mukul
> >
> > _______________________________________________
> > shifter-users mailing list
> > shifter-users at lists.devloop.org.uk
> > http://lists.devloop.org.uk/mailman/listinfo/shifter-users