titanshadow Posted December 6, 2015

I am trying to let my server register itself on the public server list. I have followed the instructions and I have a proper CA signed certificate. No errors for SSL are given to me when I sign in with any client to the server. The server is running on a VPS running Ubuntu 14.04 LTS. I have filled in the RegistrationName, Password, and other information as outlined in the Wiki as well. I have no ServerPassword and I have my country code set, and it is the same as my certificate and my domain name.

For some reason, I am getting the following error:

    2015-12-05 23:50:25.402 1 => Registration failed: SSL handshake failed

I am using mumble-django to manage the server, but I have configured the ini with the same registration information as the server in django, so they match (including the certificates).

Any help would be appreciated.

fwaggle (Moderators) Posted December 6, 2015

"Registration failed" means that the problem described is on your side of the connection (counter-intuitively, if you get an error message in the form "Registration: something went wrong", that's a response from the list server).

You might try using the openssl command line client to connect to the list server, something like this (RTFM I might be a bit rusty):

    openssl s_client -connect mumble.hive.no:443 -cert /path/to/mumble/cert.pem -key /path/to/mumble/key.pem

... and see if you get anything sane, or an error message. I'm not sure if, for example, Mumble ships with the root cert for the CA that mumble.hive.no uses, that would likely result in that message. If your cert also has a bundle, I think you need to include that as well since about OpenSSL 0.9.8 or so, they silently "fixed" that violation of SSL specs (the client must be able to validate its own certificate before even trying to present it to the server).

Finally, if you're using a StartSSL Class 1 certificate, they (IIRC, I reserve the right to be wrong :)) don't have the TLS bit and therefore can't act as a client certificate for TLS, so there's nothing you can do but get a better cert.

Full disclosure: I used to run a commercial Mumble host, and my opinions do not reflect the opinions of the Mumble project.

titanshadow (Author) Posted December 6, 2015

Well, since you weren't sure, I tried the test you said... I think I do have the TLS bit because I use TLS with my mail server, which works with a StartSSL cert. The problem might be the chained certificates. Here is what I get...

Issuing the command:

    openssl s_client -connect mumble.hive.no:443 -CAfile /root/ssl/new-cert/sub.class1.server.ca.pem -cert /root/ssl/new-cert/hal.crt -key /root/ssl/new-cert/ssl.key

Comes out with this output:

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID:
        Session-ID-ctx:
        Master-Key: XXXX
        Key-Arg : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1449362892
        Timeout : 300 (sec)
        Verify return code: 0 (ok)

I'm going to try to do a few things with the SSL system here, perhaps that will work.

mkrautz (Administrators) Posted December 7, 2015

This is possibly a configuration issue on the registration server after upgrading our SSL certificate. Hang on.

EDIT: I don't believe that to be the case.

mkrautz (Administrators) Posted December 7, 2015

Can you please check if your certificate allows it to be used as a client certificate?
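
One way to run the check asked for in the last post, as an added example that is not part of the original thread: it reads the certificate's Extended Key Usage and asks `openssl x509 -purpose` whether the certificate is acceptable as a TLS client certificate. The function names and the throwaway sample certificates are constructed for illustration; point `cert_allows_client_auth` at your own server certificate instead.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Print the certificate's Extended Key Usage, or a note if it has none.
# A certificate without an EKU extension is not restricted to a purpose.
show_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' ||
        echo "no Extended Key Usage extension (unrestricted)"
}

# Succeed only if OpenSSL accepts the certificate as a TLS client certificate.
# "openssl x509 -purpose" prints one "<purpose> : Yes|No" line per purpose;
# a certificate limited to serverAuth shows "SSL client : No".
cert_allows_client_auth() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null |
        grep -q '^SSL client : Yes'
}

# Build a constructed, throwaway self-signed certificate with the given EKU
# so the check can be tried offline. usage: make_sample_cert <eku> <out.pem>
make_sample_cert() {
    cfg=$(mktemp) && key=$(mktemp) || return 1
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
[dn]
[ext]
extendedKeyUsage = $1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
        -config "$cfg" -keyout "$key" -out "$2" 2>/dev/null
    rc=$?; rm -f "$cfg" "$key"; return $rc
}

# Demo on two constructed certificates: server-only, then server plus client.
demo() {
    dir=$(mktemp -d) || return 1
    for eku in serverAuth "serverAuth, clientAuth"; do
        make_sample_cert "$eku" "$dir/c.pem" || return 1
        show_eku "$dir/c.pem"
        cert_allows_client_auth "$dir/c.pem" && echo "=> usable as client cert" ||
            echo "=> NOT usable as client cert"
    done
    rm -rf "$dir"
}

demo
```

A certificate that fails this check can still work for a web or mail server, since those only present it in the server role; registration is the case where the same certificate is presented as a client.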