Discussion:
SSL REST interface broken
Kyle Haefner
2012-10-31 20:11:54 UTC
Hi All,

I'm running a new install of 4.6, updated yesterday, and I have turned off the
firewall.
I am getting a fabulously ambiguous "Unknown SSL protocol error in connection to"
error when I try REST calls over SSL. They work just fine over the
unencrypted port 6667.

Any ideas?
--
Kyle Haefner, M.S.
Communication Systems Programmer
Colorado State University
Fort Collins, CO
Phone: 970-491-1012
Email: ***@colostate.edu
Mircea Carasel
2012-10-31 21:13:30 UTC
What REST calls are you trying over SSL and on what ports?
Thanks
Mircea
_______________________________________________
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/
Kyle Haefner
2012-11-01 16:22:35 UTC
Hi Mircea,

This, for example, works:

curl --digest -k -X GET -u 200:password 'http://example.sipx.org:6667/cdr/200?limit=5'

This does not:

curl --digest -k -X GET -u 200:password 'https://example.sipx.org:6666/cdr/200?limit=5'

result....

curl: (35) Unknown SSL protocol error in connection to example.sipx.org:6666

Oddly, this also works.

curl --digest -k -X GET -u 200:password 'http://example.sipx.org:6666/cdr/200?limit=5'
Mircea Carasel
2012-11-01 18:01:31 UTC
Hi Kyle,
We removed SSL connectors from all our components (including sipXconfig: you
can check sipxconfig-jetty.xml and there is no SSL connector anymore, and
the old secured port 8443 is gone).
The reason behind this was that we wanted to use one single point for SSL,
which is now Apache (port 443), and our certificates sit in Apache only.
We had many problems (related to certificates and SSL handshake) in 4.4,
where we used different SSL connectors and different certificates for
sipXconfig (web cert) and for REST components (internal cert).

For reference please see: http://track.sipfoundry.org/browse/XX-10098,
especially the comment:

-sipXcommons:
    added new package jetty that contains a jetty http socket factory and a
    security handler that makes sure that security checkings are done only
    for public port
-sipXivr:
    port 8085 default to public http port (instead of https)
    added new http listener: port 8086 default for internal ivr rest calls
    only calls to 8085 are authenticated using digest
    use config http:12000 instead of https
    sipXivr digest authenticator is a spring bean now
-sipXrest:
    removed basic or digest auth, only digest auth is used
    default port 6667 is used for internal communication, http, no
    authentication
    removed ssl listener from public port 6666, use http instead, and digest
    authentication
made changes across sipXivr, sipXrecording, sipXimbot, sipXrest,
sipXopenfire to use http+internal port instead of https
fixed tests

So what we did is to have two ports (both http) for each component that
exposes REST interfaces: one port which is internal and without
authentication, used for internal REST calls (6667 in sipXrest, 8086 for
sipXivr),
and the other port, which uses digest-only authentication and is meant to
be public (6666 in sipXrest, 8085 in sipXivr).
Ideally we would need to use Apache to proxy ports 6666 and 8085 and reuse
the SSL layer that now is only on port 443 exposed in Apache, but this is
not achieved yet; we will address it in the next releases.

Meanwhile we have a REST API in sipXconfig that proxies sipXrest and
sipXivr (it is accessed through 443 SSL) and uses the sipXconfig
authentication layer, which is the most complex and covers LDAP
authentication as well.
The relative URL is: /my/redirect. Here you have to append the relative URL
for your sipXrest or sipXivr service, for example:
/cdr/200?limit=5
and it will be: /my/redirect/cdr/200?limit=5

Another example: to download a voicemail:
https://192.168.1.102/sipxconfig/rest/my/redirect/media/200/inbox/100000005

Hope this helps,
Mircea
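
As an added example (not part of the original thread and not sipXecs code): a small probe that classifies a listener as TLS or cleartext HTTP, which is the condition behind curl's error 35 when an https:// URL is pointed at the now-plain port 6666, and which shows which REST ports carry digest authentication unencrypted. The function name `probe_port` is hypothetical; the host and port numbers in the usage loop are the ones quoted in the thread.

```python
import socket
import ssl


def probe_port(host, port, timeout=3.0):
    """Return 'tls', 'plain-http' or 'unknown' for the listener at host:port."""
    # Certificate checks are disabled because we only classify the protocol
    # (the same effect as curl -k); never send credentials over this context.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"  # handshake completed
    except OSError:
        # ssl.SSLError, resets and timeouts are all OSError subclasses.
        # A failed handshake is what curl reports as error 35.
        pass
    try:
        # Second attempt in cleartext: does the listener answer like HTTP?
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = raw.recv(16)
    except OSError:
        return "unknown"  # closed, filtered, or not answering
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    # Ports named in the thread: 443 (Apache), 6666/6667 (sipXrest),
    # 8085/8086 (sipXivr). example.sipx.org is the thread's placeholder host.
    for port in (443, 6666, 6667, 8085, 8086):
        print(port, probe_port("example.sipx.org", port))
```

Any port reported as plain-http that is reachable from outside the host sends REST traffic unencrypted, so the internal no-authentication ports (6667, 8086) should stay blocked at the firewall and remote clients should use the /my/redirect path on 443.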
