Problems with SMPP over SSL

Dave Baddeley
New member
Username: Davebaddeley

Post Number: 4
Registered: 06-2011
Posted on Wednesday, August 03, 2011 - 04:50 pm:   

We have a customer who is trying to connect to our NowSMS servers using SMPP over SSL but they cannot get the SSL handshake to complete.

They are using STUNNEL which is based on the same OpenSSL library as I believe NowSMS uses. Every connection attempt ends with the following error:
15:36:46:667 [0] ThreadProcessSSLSMPPConnection: SSL_accept: Error 1408A0C1

We have changed from using server certificates to public CA issued certificates with no change in the error. We know the client's STUNNEL can connect to our web servers which are using the same certificate without issue, so the certificate chain check is OK on the customer's system.

Using the trial version of NowSMS we could connect and send messages over the secure SMPP connection.

Any help is appreciated as this is a large new customer.
Dave Baddeley
New member
Username: Davebaddeley

Post Number: 5
Registered: 06-2011
Posted on Wednesday, August 03, 2011 - 04:54 pm:   

Also tested to see whether web browsers could at least SSL handshake with our NowSMS server and they all fail too, with cipher issues such as: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 3376
Registered: 08-2008
Posted on Wednesday, August 03, 2011 - 05:45 pm:   

Hi Dave,

I'm not sure what this would be. The error code from NowSMS indicates that there is no shared cipher (encryption protocol) between the server and client.

So it appears that NowSMS is rejecting the connection, because it does not support any of the encryption ciphers requested by the client.

I'm not an expert on ciphers, but I know we support the most common SSL/TLS protocols.

To try to figure this out, I downloaded a copy of STunnel and configured it to forward a port to an SMPP SSL port on a NowSMS server, and it worked.

I used STunnel 4.41 on a Windows PC, adding the following to the configuration section:

[nowsms]
client = yes
accept = 8889
connect = 192.168.0.123:8802

I configured an SMPP client to connect to port 8889 on the machine running stunnel.

stunnel forwarded it and added SSL/TLS. 192.168.0.123:8802 in this case was an SMPP SSL port on a NowSMS server.

The connection worked fine ... no errors reported anywhere.

The system in question was a fresh install of NowSMS. I generated a self signed certificate on the SSL/TLS page of NowSMS. I did not get the certificate signed.

My guess is that either there is an issue with the signed certificate that you are trying to use ... or the NowSMS service has not been restarted after the server certificate was generated.

I don't think there's any fundamental incompatibility, as stunnel worked fine for me on my first attempt.

--
Des
NowSMS Support
Dave Baddeley
New member
Username: Davebaddeley

Post Number: 6
Registered: 06-2011
Posted on Wednesday, August 03, 2011 - 06:13 pm:   

Strange as we started using the self generated certificate and then moved onto a proven wildcard SSL certificate from a public CA.

Can you send me your full STunnel config to compare against ours, as we are getting the same error as the customer and we are using 4.41 for Windows too.
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 3381
Registered: 08-2008
Posted on Wednesday, August 03, 2011 - 06:47 pm:   

I didn't change anything from the default configuration, other than adding the section I mentioned earlier.

Attachment: stunnel.conf (2.7 k)


What if you install a NowSMS trial on another machine and try to get it to connect with SMPP SSL. Does that also fail? I'm guessing that it would, which would probably point to some sort of certificate/key problem.

I'd suggest going back to the self-signed certificate, or regenerating a self-signed certificate.

The files that contain SSL/TLS certificate and key information are:

SSL.INI
SSL.KEY (private key)
SSL.CRT (self-signed certificate)
SSL.CSR (not actually used by the SSL module, generated to allow a certificate to be signed)
SSL.CA (if you have a signed certificate, this is where it goes, and it is used instead of SSL.CRT)

If all inbound SSL connections fail, this suggests that either the private key can't be loaded (password does not match the one that was set when the key/self-signed certificate was generated), or that the SSL certificate cannot be loaded.

I'd suggest deleting all of these files and regenerating a self-signed certificate.


--
Des
NowSMS Support
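As an added example (not from this thread and not NowSMS code), a small POSIX shell script using the openssl command line to check the two failure modes Des lists: that a private key and certificate in the style of SSL.KEY and SSL.CRT each load, and that they belong to each other. The sample key pairs are constructed in a temporary directory; only the file names follow the list above.

```shell
#!/bin/sh
# Added example: sanity-check a PEM private key / certificate pair before
# suspecting cipher problems. Sample files are generated below (constructed data).

# check_pair KEYFILE CERTFILE
# Prints "match" and returns 0 when the certificate carries the public key
# of the private key; prints a reason and returns non-zero otherwise.
check_pair() {
    key="$1"; crt="$2"
    # Step 1: does the private key load at all (corrupt file or wrong passphrase fails here)?
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "key does not load"; return 1; }
    # Step 2: does the certificate parse?
    openssl x509 -in "$crt" -noout 2>/dev/null || { echo "certificate does not load"; return 2; }
    # Step 3: derive the public key from each side and compare fingerprints.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null | openssl sha256)
    if [ "$k" = "$c" ]; then
        echo "match"; return 0
    fi
    echo "key and certificate do not match"; return 3
}

# Constructed sample data: two unrelated self-signed pairs in a temp directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=smpp.example" \
    -keyout "$WORK/SSL.KEY" -out "$WORK/SSL.CRT" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other.example" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# A matching pair, then a key paired with someone else's certificate.
check_pair "$WORK/SSL.KEY" "$WORK/SSL.CRT"
check_pair "$WORK/other.key" "$WORK/SSL.CRT" || echo "exit status $?"
```

Run it against the real SSL.KEY and SSL.CRT copied from the NowSMS directory; if step 1 or 3 fails, regenerating the certificate is the fix rather than any cipher setting.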
Darren Stokes
New member
Username: Darrenstokes

Post Number: 1
Registered: 08-2011
Posted on Thursday, August 04, 2011 - 04:38 pm:   

Hi Des

To troubleshoot this further I just installed 2 trial versions of NowSMS on 2 Windows 7 PCs. I can connect over SMPP and SMPP/SSL but the minute I use stunnel it times out/fails to connect.

I've pretty much used the same config as you except have changed the IP address.

When we connect to this port through a browser we get a cipher mismatch but don't know if this is putting us off the real cause. If you browse to https://yourserver:sslsmppportno do you get a cipher mismatch?

Darren
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 3384
Registered: 08-2008
Posted on Thursday, August 04, 2011 - 07:42 pm:   

Hi Darren,

Any of my attempts to connect to the SMPP SSL port with a web browser result in a connection reset error.

What happens if you add an SSL port number for the web interface? Can you connect to it ok with a web browser? (With a self-signed certificate, you will normally get errors telling you that you should not proceed for safety reasons, but if you choose to ignore them, the browser should connect ok.)

I'd be curious if a web browser can negotiate a successful connection using SSL for a web session, or if it also sees cipher errors.

I tried another fresh install of stunnel on a different PC connecting to a different NowSMS SMPP SSL server, and again, it worked first try.

Here are the entries I see for a simple SMPP connection (SMPP client connects to stunnel without SSL, stunnel connects to NowSMS SMPP SSL port):

2011.08.04 14:33:08 LOG5[5432:5796]: Service nowsms accepted connection from 127.0.0.1:52563
2011.08.04 14:33:08 LOG5[5432:5796]: connect_blocking: connected 192.168.0.160:8803
2011.08.04 14:33:08 LOG5[5432:5796]: Service nowsms connected remote server from 192.168.0.126:52564
2011.08.04 14:33:08 LOG5[5432:5796]: Connection closed: 52 bytes sent to SSL, 44 bytes sent to socket

I don't know stunnel that well, but maybe its log would provide some other clue.

Also, I've noticed that on each machine that I ran stunnel on ... the first time I run stunnel it prompts about adding exceptions to the Windows firewall, which I allow to be added.

Also, to edit stunnel.conf, I manually open a command prompt window as an administrator, then go to c:\program files\stunnel to edit stunnel.conf.

I don't know whether either of these things is important, but I was just thinking through the steps I've taken on a fresh install.

--
Des
NowSMS Support
Dave Baddeley
New member
Username: Davebaddeley

Post Number: 12
Registered: 06-2011
Posted on Friday, August 05, 2011 - 12:16 pm:   

Des,

We have managed to get the SSL connections working by removing the public CA and regenerating server certificates within NowSMS. We noticed whilst emulating the test you have been performing that occasionally we could recreate the no overlapping cipher error and simply generating another certificate would clear this. We believe there is an issue in the generate certificate code that is causing invalid certificates to be generated occasionally. Oddly, even when we could not get a browser or STunnel to complete an SSL handshake, NowSMS pointed at NowSMS still seemed to work!
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 3389
Registered: 08-2008
Posted on Friday, August 05, 2011 - 03:15 pm:   

Hi Dave,

We'll see if we can find a way to recreate an error generating a server certificate.

It is possible that the NowSMS SMPP client and server support some additional encryption ciphers that Stunnel does not. The more common RSA ciphers are used with web browser SSL/TLS, but I believe we also support DH ciphers.

--
Des
NowSMS Support