Hello all !!
Given the new requirement that browsers no longer support voice/video over insecure origins (which is making us, the developers, redo/undo/go back, since none of the test environment workarounds is practical in a distributed environment), I have tried to switch to https and wss, and I have configured the MMS connector with the following. I am running a converged app with two Tomcat instances:
1-Apache Tomcat v8.0 at localhost for the app embedding the WebRTComm framework (WebRTComm.js, jain-sip.js, etc.). https is working perfectly in the browser and in code for the app.
2-Mobicents Apache Tomcat v7.0 at localhost for the SIP servlet for signalling and other needed pre-session requirements. WSS is causing trouble at the server, with no return from the handshake.
This is the connector in Mobicents Apache Tomcat v7.0:
```xml
<Connector SSLEnabled="true"
    URIEncoding="UTF-8"
    acceptCount="200"
    clientAuth="false"
    compressableMimeType="text/html,text/xml,text/plain"
    compression="off"
    compressionMinSize="2048"
    connectionUploadTimeout="120000"
    disableUploadTimeout="true"
    enableLookups="false"
    keystoreFile=":\Developement.....\ServerTrustStore\truststore.jks"
    keystorePass="xxxxxx"
    keyAlias="clientselfsigned"
    maxKeepAliveRequests="200"
    maxThreads="250"
    maxSpareThreads="75"
    minSpareThreads="25"
    maxHttpHeaderSize="8192"
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    scheme="https"
    secure="true"
    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello"
    sslProtocol="TLS"
    truststorePass="xxxxxx"
    truststoreType="jks"
    truststorefile="D:\Developement.....\ServerTrustStore\truststore.jks"
/>
```
For keystoreFile and truststorefile: I wonder why the relative path (conf/ServerTrustStore\truststore.jks) is resolved but throws FileNotFoundException in a particular case. Any idea?
and this is the connector in Apache Tomcat v8.0 for the web app:
I configured both my sip-stack and the Eclipse launch configuration (run/debug) with:
```
gov.nist.javax.sip.TLS_CLIENT_AUTH_TYPE=Disabled
javax.net.ssl.keyStore="D:\Developement\Projects\Sources\Pending\security\ServerKeyStore\rootingo.jks"
javax.net.ssl.trustStore="D:\Developement\Projects\Sources\Pending\security\ServerKeyStore\rootingo.jks"
javax.net.ssl.trustStorePassword=%sxp1#calculog#
javax.net.ssl.keyStorePassword=%sxp1#calculog#
javax.net.ssl.trustStoreType=JKS
gov.nist.javax.sip.TLS_CLIENT_PROTOCOLS=TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello
gov.nist.javax.sip.MAX_MESSAGE_SIZE=1048576
javax.net.debug=ssl
```
I have also created the necessary keystore and client truststore, as can be seen above.
I have tried variations of TLSv1.2, TLSv1.1 and TLSv1 and see that the client (jain-sip.js) and MMS are both happy with TLSv1.2. See ClientHello, TLSv1.2 and ServerHello, TLSv1.2 as below:
```
%% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Negotiating: [Session-13, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
*** ServerHello, TLSv1.2
```
and the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 was selected.
So when I click client.hml =>> TelScaleRTMController.js (onClickConnectButtonViewEventHandler) ==>> this.webRTCommClient.open(this.webRTCommClientConfiguration); ==> RegistrarSIPServlet.java, the TLS handshake succeeds, as I can get to my RegistrarSIPServlet.doRegister():
It is here that things go bad: as soon as it executes SipServletResponse.send();, it says:
```
NioSelector-WSS-172.62.2.10/5082, RECV TLSv1.2 ALERT: fatal, protocol_version
NioSelector-WSS-172.62.2.10/5082, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: protocol_version
NioSelector-WSS-172.62.2.10/5082, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: protocol_version
javax.net.ssl.SSLException: Received fatal alert: protocol_version
.....
Caused by: java.lang.NullPointerException
    at gov.nist.javax.sip.stack.SSLStateMachine.unwrap(SSLStateMachine.java:263)
    at gov.nist.javax.sip.stack.SSLStateMachine.unwrap(SSLStateMachine.java:198)
    at gov.nist.javax.sip.stack.NioTlsWebSocketMessageChannel.addBytes(NioTlsWebSocketMessageChannel.java:215)
    at gov.nist.javax.sip.stack.NioTcpMessageChannel.readChannel(NioTcpMessageChannel.java:117)
.....
```
The SIP message generated and received by the registrar is:
```
SIP message sent: REGISTER sip:pbx.rootingo.com SIP/2.0
Call-ID: 1451477183409
CSeq: 1 REGISTER
From: sip:admin@pbx.rootingo.com;tag=1451477183429
To: sip:admin@pbx.rootingo.com
Via: SIP/2.0/WSS XNCrSBbscUch.invalid;branch=z9hG4bK-333430-45dd017fdcbb8f884bf0a78789902ae7;rport
Max-Forwards: 70
User-Agent: RoooterUAv1.0[admin-MOHAMMAD-125-1]-0
Expires: 3600
Allow: INVITE,ACK,BYE,CANCEL,UPDATE,INFO,SUBSCRIBE,NOTIFY,REFER,MESSAGE,OPTIONS
Contact: sip:admin@XNCrSBbscUch.invalid;transport=wss
Content-Length: 0
```
As you can see, no SDP is generated as of now, and this is where we stop.
The client waits to time out ....
One more thing: I have restricted to the same domain of my PBX, in my DAR, as:
```
INVITE=("project","DAR:From","ORIGINATING","","NO_ROUTE","0","REGEX=From:.sip:.@pbx.domain.com"),("project","DAR:From","TERMINATING","","NO_ROUTE","0","REGEX=From:.sip:.@pbx.domain.com")
MESSAGE=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
PUBLISH=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
NOTIFY=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
REGISTER=("project","DAR:From","ORIGINATING","","NO_ROUTE","0","REGEX=From:.sip:.@pbx.domain.com"),("project","DAR:From","TERMINATING","","NO_ROUTE","0","REGEX=From:.sip:.@pbx.domain.com")
REFER=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
SUBSCRIBE=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
OPTIONS=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
```
I will very much appreciate your ideas on understanding the problem and the solution.
Thank you !!
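An added example, not part of the original report and not Mobicents or Tomcat code: a Python check that scans the Connector and SIP stack property posted above for protocol versions older than TLSv1.2 and for attribute names whose case differs from Tomcat's documented spelling. The function names and the attribute list are assumptions made for this illustration; the sample input is an excerpt of the posted configuration.

```python
import re

# SSLv3 is prohibited by RFC 7568, TLS 1.0/1.1 are deprecated by RFC 8996;
# SSLv2Hello is only the legacy hello framing and is not needed for TLS 1.2.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Documented spellings of Tomcat JSSE connector attributes seen on this page
# (list assembled for this example, not exhaustive).
KNOWN_ATTRS = ["SSLEnabled", "clientAuth", "keystoreFile", "keystorePass",
               "keyAlias", "sslEnabledProtocols", "sslProtocol",
               "truststoreFile", "truststorePass", "truststoreType"]
ATTR_RE = re.compile(r'([A-Za-z]\w*)\s*=\s*"([^"]*)"')

def legacy_protocols(csv):
    """Deprecated protocol names found in a comma-separated list, in order."""
    return [p.strip() for p in csv.split(",") if p.strip() in LEGACY]

def lint_connector(text):
    """Check name="value" pairs of a <Connector>; trailing // notes are ignored."""
    by_lower = {a.lower(): a for a in KNOWN_ATTRS}
    findings = []
    for name, value in ATTR_RE.findall(text):
        documented = by_lower.get(name.lower())
        if documented and documented != name:
            findings.append(f"{name}: differs in case from documented {documented}")
        if name.lower() == "sslenabledprotocols":
            findings += [f"{name}: legacy protocol {p}" for p in legacy_protocols(value)]
    return findings

def lint_properties(text, key="gov.nist.javax.sip.TLS_CLIENT_PROTOCOLS"):
    """Same protocol check for the key=value SIP stack property."""
    findings = []
    for line in text.splitlines():
        k, sep, v = line.strip().partition("=")
        if sep and k.strip() == key:
            findings += [f"{key}: legacy protocol {p}" for p in legacy_protocols(v)]
    return findings

# Excerpt of the configuration posted above (paths elided as in the post).
CONNECTOR = r'''<Connector SSLEnabled="true"
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello"
  sslProtocol="TLS"
  truststorefile="D:\Developement.....\ServerTrustStore\truststore.jks" // note
/>'''
STACK = "gov.nist.javax.sip.TLS_CLIENT_PROTOCOLS=TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello"

if __name__ == "__main__":
    for finding in lint_connector(CONNECTOR) + lint_properties(STACK):
        print(finding)
```

The check reports what the configuration enables; it does not establish which setting produced the `protocol_version` alert in the log.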