Problems with SMPP over SSL
NowSMS Support Forums > NowSMS Support - SMS Issues > Archive through August 10, 2011
Dave Baddeley (New member, Username: Davebaddeley, Post Number: 4, Registered: 06-2011)

We have a customer who is trying to connect to our NowSMS servers using SMPP over SSL, but they cannot get the SSL handshake to complete. They are using STUNNEL, which is based on the same OpenSSL library as I believe NowSMS uses. Every connection attempt ends with the following error:

    15:36:46:667 [0] ThreadProcessSSLSMPPConnection: SSL_accept: Error 1408A0C1

We have changed from using server certificates to public CA issued certificates with no change in the error. We know the client's STUNNEL can connect to our web servers, which are using the same certificate, without issue, so the certificate chain check is OK on the customer's system. Using the trial version of NowSMS we could connect and send messages over the secure SMPP connection. Any help is appreciated as this is a large new customer.
Dave Baddeley (New member, Username: Davebaddeley, Post Number: 5, Registered: 06-2011)

Also tested to see if web browsers could at least SSL handshake with our NowSMS server, and they all fail too, with cipher issues such as: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Des - NowSMS Support (Board Administrator, Username: Desosms, Post Number: 3376, Registered: 08-2008)

Hi Dave,

I'm not sure what this would be. The error code from NowSMS indicates that there is no shared cipher (encryption protocol) between the server and client. So it appears that NowSMS is rejecting the connection, because it does not support any of the encryption ciphers requested by the client.

I'm not an expert on ciphers, but I know we support the most common SSL/TLS protocols.

To try to figure this out, I downloaded a copy of STunnel and configured it to forward a port to an SMPP SSL port on a NowSMS server, and it worked.

I used STunnel 4.41 on a Windows PC, adding the following to the configuration section:

    [nowsms]
    client = yes
    accept = 8889
    connect = 192.168.0.123:8802

I configured an SMPP client to connect to port 8889 on the machine running stunnel. stunnel forwarded it and added SSL/TLS. 192.168.0.123:8802 in this case was an SMPP SSL port on a NowSMS server.

The connection worked fine ... no errors reported anywhere.

The system in question was a fresh install of NowSMS. I generated a self signed certificate on the SSL/TLS page of NowSMS. I did not get the certificate signed.

My guess is that either there is an issue with the signed certificate that you are trying to use ... or the NowSMS service has not been restarted after the server certificate was generated.

I don't think there's any fundamental incompatibility, as stunnel worked fine for me on my first attempt.

--
Des
NowSMS Support
Dave Baddeley (New member, Username: Davebaddeley, Post Number: 6, Registered: 06-2011)

Strange, as we started using the self generated certificate and then moved onto a proven wildcard SSL certificate from a public CA. Can you send me your full STunnel config to compare against ours, as we are getting the same error as the customer and we are using 4.41 for Windows too.
Des - NowSMS Support (Board Administrator, Username: Desosms, Post Number: 3381, Registered: 08-2008)

I didn't change anything from the default configuration, other than adding the section I mentioned earlier.
What if you install a NowSMS trial on another machine and try to get it to connect with SMPP SSL. Does that also fail? I'm guessing that it would, which would probably point to some sort of certificate/key problem.

I'd suggest going back to the self-signed certificate, or regenerating a self-signed certificate.

The files that contain SSL/TLS certificate and key information are:

    SSL.INI
    SSL.KEY (private key)
    SSL.CRT (self-signed certificate)
    SSL.CSR (not actually used by the SSL module, generated to allow a certificate to be signed)
    SSL.CA (if you have a signed certificate, this is where it goes, and it is used instead of SSL.CRT)

If all inbound SSL connections fail, this suggests that either the private key can't be loaded (password does not match the one that was set when the key/self-signed certificate was generated), or that the SSL certificate cannot be loaded.

I'd suggest deleting all of these files and regenerating a self-signed certificate.

--
Des
NowSMS Support
Darren Stokes (New member, Username: Darrenstokes, Post Number: 1, Registered: 08-2011)

Hi Des,

To troubleshoot this further I just installed 2 trial versions of NowSMS on 2 Windows 7 PCs. I can connect over SMPP and SMPP/SSL, but the minute I use stunnel it times out/fails to connect. I've pretty much used the same config as you, except I have changed the IP address.

When we connect to this port through a browser we get a cipher mismatch, but don't know if this is putting us off the real cause. If you browse to https://yourserver:sslsmppportno do you get a cipher mismatch?

Darren
Des - NowSMS Support (Board Administrator, Username: Desosms, Post Number: 3384, Registered: 08-2008)

Hi Darren,

Any of my attempts to connect to the SMPP SSL port with a web browser result in a connection reset error.

What happens if you add an SSL port number for the web interface? Can you connect to it ok with a web browser? (With a self-signed certificate, you will normally get errors telling you that you should not proceed for safety reasons, but if you choose to ignore them, the browser should connect ok.) I'd be curious if a web browser can negotiate a successful connection using SSL for a web session, or if it also sees cipher errors.

I tried another fresh install of stunnel on a different PC connecting to a different NowSMS SMPP SSL server, and again, it worked first try.

Here are the entries I see for a simple SMPP connection (SMPP client connects to stunnel without SSL, stunnel connects to NowSMS SMPP SSL port):

    2011.08.04 14:33:08 LOG5[5432:5796]: Service nowsms accepted connection from 127.0.0.1:52563
    2011.08.04 14:33:08 LOG5[5432:5796]: connect_blocking: connected 192.168.0.160:8803
    2011.08.04 14:33:08 LOG5[5432:5796]: Service nowsms connected remote server from 192.168.0.126:52564
    2011.08.04 14:33:08 LOG5[5432:5796]: Connection closed: 52 bytes sent to SSL, 44 bytes sent to socket

I don't know stunnel that well, but maybe its log would provide some other clue.

Also, I've noticed that on each machine that I ran stunnel on ... the first time I run stunnel it prompts about adding exceptions to the Windows firewall, which I allow to be added.

Also, to edit stunnel.conf, I manually open a command prompt window as an administrator, then go to c:\program files\stunnel to edit stunnel.conf.

I don't know whether either of these things is important, but I was just thinking through the steps I've taken on a fresh install.

--
Des
NowSMS Support
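The replies above make three diagnostic points: Des reads error 1408A0C1 as "no shared cipher", his later post lists the certificate/key files whose failure to load makes every inbound SSL connection fail, and he suggests testing whether a client can negotiate a cipher at all. The script below is an added example for this thread and is not NowSMS or stunnel code. It decodes the packed OpenSSL 1.x error code (8-bit library, 12-bit function, 12-bit reason; the name tables cover only the code quoted here), loads a certificate/key pair the way a TLS server would so that a wrong key password or a key/certificate mismatch is reported, and attempts client handshakes with a few cipher profiles so that a cipher rejection can be told apart from a connection reset or certificate problem. The host, port, file paths and cipher profiles are illustrative assumptions.

```python
"""Added TLS handshake diagnostic (not NowSMS or stunnel code)."""
import socket
import ssl

# OpenSSL 1.x ERR_PACK layout: 8-bit library, 12-bit function, 12-bit reason.
LIB_SHIFT, FUNC_SHIFT, FIELD_MASK = 24, 12, 0xFFF

# Only the entries needed for the code quoted in the thread; anything else is
# reported numerically rather than guessed.
LIB_NAMES = {0x14: "SSL routines"}
FUNC_NAMES = {0x08A: "SSL3_GET_CLIENT_HELLO"}
REASON_NAMES = {0x0C1: "no shared cipher"}


def decode_openssl_error(code):
    """Return (library, function, reason) names for a packed error code."""
    lib = code >> LIB_SHIFT
    func = (code >> FUNC_SHIFT) & FIELD_MASK
    reason = code & FIELD_MASK
    return (LIB_NAMES.get(lib, "lib 0x%02X" % lib),
            FUNC_NAMES.get(func, "func 0x%03X" % func),
            REASON_NAMES.get(reason, "reason 0x%03X" % reason))


def check_cert_material(certfile, keyfile, password=None):
    """Load a certificate and private key as a server would; say why if not.

    load_cert_chain() raises if the key password is wrong, a file cannot be
    parsed, or the key does not belong to the certificate (OpenSSL reports
    "key values mismatch"), the causes listed for all inbound SSL failing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile, password)
    except OSError as exc:          # ssl.SSLError is an OSError subclass
        return False, "cannot load cert/key: %s" % exc
    return True, "certificate and key load and match"


def classify(error_text):
    """Map an OpenSSL error message (or exception) to a short verdict."""
    text = str(error_text).upper()
    if "NO_SHARED_CIPHER" in text or "HANDSHAKE_FAILURE" in text:
        return "cipher/protocol mismatch"
    if "CERTIFICATE_VERIFY_FAILED" in text:
        return "certificate not trusted by client"
    if "WRONG_VERSION_NUMBER" in text or "UNKNOWN_PROTOCOL" in text:
        return "port is not speaking TLS"
    return "other TLS error"


# (label, OpenSSL cipher-list string); None keeps the library default.
PROFILES = [
    ("default", None),
    ("rsa-kx-only", "kRSA"),       # RSA key exchange, as browsers of 2011 offered
    ("dh-only", "DH:!ADH"),        # the DH suites Des mentions
]


def probe(host, port, ciphers=None, timeout=5.0):
    """One client handshake; returns (ok, detail). Verification is off on
    purpose: the question is whether a cipher can be agreed at all."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        if ciphers:
            ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "%s %s" % (tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        return False, "%s: %s" % (classify(exc), exc)
    except OSError as exc:          # reset, refused, timeout
        return False, "connection error: %s" % exc


def run_probes(host, port):
    """Try every profile. A server that rejects only some profiles has a
    cipher problem; one that fails all of them more likely has a cert/key
    problem, which check_cert_material() can confirm on the server side."""
    return {label: probe(host, port, ciphers) for label, ciphers in PROFILES}


if __name__ == "__main__":
    print(decode_openssl_error(0x1408A0C1))
    print(check_cert_material("SSL.CRT", "SSL.KEY"))       # assumed file names
    for label, result in run_probes("192.0.2.10", 8802).items():  # placeholder host
        print(label, result)
```

Run check_cert_material() on the server with the same files NowSMS loads (SSL.CA instead of SSL.CRT when a signed certificate is in use), and run_probes() from the client side; a "cipher/protocol mismatch" verdict on every profile while the material loads cleanly would point at the cipher configuration rather than the certificate.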
Dave Baddeley (New member, Username: Davebaddeley, Post Number: 12, Registered: 06-2011)

Des,

We have managed to get the SSL connections working by removing the public CA and regenerating server certificates within NowSMS. We noticed whilst emulating the test you have been performing that occasionally we could recreate the no overlapping cipher error, and simply generating another certificate would clear this. We believe there is an issue in the generate certificate code that is causing invalid certificates to be generated occasionally. Oddly, even when we could not get a browser or STunnel to complete a SSL handshake, NowSMS pointed at NowSMS still seemed to work!
Des - NowSMS Support (Board Administrator, Username: Desosms, Post Number: 3389, Registered: 08-2008)

Hi Dave,

We'll see if we can find a way to recreate an error generating a server certificate.

It is possible that the NowSMS SMPP client and server support some additional encryption ciphers that Stunnel does not. The more common RSA ciphers are used with web browser SSL/TLS, but I believe we also support DH ciphers.

--
Des
NowSMS Support