SSL error while connecting to my server


Post by rene » Wed Mar 15, 2017 9:14 pm

Hello,

First off thank you devs for this awesome tool!
In my 10 years working with Linux this is my first time I'm actually posting a question on a forum.

I have been running mumble server quite some time now and I love it, works great. But here is where my trouble starts. Recently I upgraded my server to new hardware and did a clean install of Ubuntu server 16.10 (couldn't use 16.04 LTS due to a very new processor).

So I did a clean install of mumble-server, all went fine but I can't connect to it and I've been pulling my hair out trying to find out why.

Running mumble server version: murmurd -- 1.2.18-1~ppa1~yakkety1

Output of murmurd:
root@har:/home/administrator# murmurd -v -fg
<W>2017-03-15 21:59:33.889 Initializing settings from /etc/mumble-server.ini (basepath /etc)
<W>2017-03-15 21:59:33.891 Meta: TLS cipher preference is "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA"
<W>2017-03-15 21:59:33.891 OpenSSL: OpenSSL 1.0.2g  1 Mar 2016
<C>2017-03-15 21:59:33.891 Successfully switched to uid 115
<W>2017-03-15 21:59:33.960 ServerDB: Opened SQLite database /var/lib/mumble-server/mumble-server.sqlite
<W>2017-03-15 21:59:33.962 Resource limits were 0 0
<W>2017-03-15 21:59:33.962 Successfully dropped capabilities
<W>2017-03-15 21:59:33.964 DBus registration succeeded
<W>2017-03-15 21:59:33.966 MurmurIce: Endpoint "tcp -h 127.0.0.1 -p 6502 -t 60000" running
<W>2017-03-15 21:59:34.066 Murmur 1.2.18 (1.2.18-1~ppa1~yakkety1) running on X11: Ubuntu 16.10: Booting servers
<W>2017-03-15 21:59:34.077 1 => Server listening on [::]:64738
<W>2017-03-15 21:59:34.090 1 => Announcing server via bonjour
<W>2017-03-15 21:59:34.102 1 => Not registering server as public
<W>2017-03-15 21:59:34.103 Object::connect: No such slot MurmurDBus::userTextMessage(const User *, const TextMessage &)
<W>2017-03-15 21:59:41.459 1 => <1:(-1)> New connection: 10.12.21.102:51348
<W>2017-03-15 21:59:41.545 1 => <1:(-1)> Client version 1.2.19 (Win: 1.2.19)
<W>2017-03-15 21:59:41.560 1 => Starting voice thread
<W>2017-03-15 21:59:41.569 1 => CELT codec switch ffffffff80000010 0 (prefer ffffffff80000010) (Opus 1)
<W>2017-03-15 21:59:41.593 1 => <1:SuperUser(0)> Authenticated
<W>2017-03-15 21:59:41.605 1 => <1:SuperUser(0)> Connection closed: The remote host closed the connection [1]
<W>2017-03-15 21:59:41.612 1 => Ending voice thread


Output of mumble windows client version 1.2.19
[21:59:41] Connecting to server 10.12.21.40.
[21:59:41] Connected.
[21:59:41] Server connection failed: Error while reading: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac.


Trying to connect to it using an Android phone for instance also fails. "connection refused"

Can someone point me in the right direction?
Thanks
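Added example (not part of the original post and not Mumble or OpenSSL code): a Python sketch that reads the two outputs above side by side. It unpacks the client's error code using the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason) and flags server sessions that the peer closed right after authenticating. The sample lines are copied from the post; the function names and the 1000 ms window are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the murmurd output in the post above.
SERVER_LOG = """\
<W>2017-03-15 21:59:41.459 1 => <1:(-1)> New connection: 10.12.21.102:51348
<W>2017-03-15 21:59:41.545 1 => <1:(-1)> Client version 1.2.19 (Win: 1.2.19)
<W>2017-03-15 21:59:41.593 1 => <1:SuperUser(0)> Authenticated
<W>2017-03-15 21:59:41.605 1 => <1:SuperUser(0)> Connection closed: The remote host closed the connection [1]
"""
CLIENT_ERROR = "error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"

# <level>date time virtual-server => <session:user(id)> message
LINE = re.compile(r"<\w>(\S+ \S+) (\d+) => <(\d+):[^>]*> (.*)")

def decode_openssl_error(text):
    """Split an OpenSSL 1.0.x packed error code into library, function and reason numbers."""
    code = int(re.search(r"error:([0-9A-Fa-f]{8}):", text).group(1), 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def sessions(log):
    """Group murmurd events by (virtual server, session id) with parsed timestamps."""
    out = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            out.setdefault((int(m.group(2)), int(m.group(3))), []).append((ts, m.group(4)))
    return out

def dropped_after_auth(log, window_ms=1000):
    """Return sessions the peer closed within window_ms of a successful authentication."""
    hits = []
    for key, events in sessions(log).items():
        auth = next((t for t, msg in events if msg == "Authenticated"), None)
        closed = next((t for t, msg in events if msg.startswith("Connection closed: The remote host")), None)
        if auth and closed and closed >= auth:
            gap = (closed - auth).total_seconds() * 1000
            if gap <= window_ms:
                hits.append((key, round(gap)))
    return hits

if __name__ == "__main__":
    print(decode_openssl_error(CLIENT_ERROR))
    print(dropped_after_auth(SERVER_LOG))
```

On the sample, the server had already accepted the login when the client dropped the connection 12 ms later, so the TLS handshake completed and the client's failure came while reading a later encrypted record.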


Post by rene » Sat Apr 01, 2017 7:44 pm

Okay, I've been digging deeper to find out what is happening and it seems related to my motherboard.

What I did was: (I did this with both the server and desktop version)
- Clean install of Ubuntu 16.10 as virtual machine in VirtualBox, installed mumble-server, works fine.
- Took my server offline and grabbed a spare hdd and did a clean install of Ubuntu 16.10 using the new motherboard, installed mumble-server, doesn't work, same exact error as in my original post.

I ran exactly the same commands on all of these clean installs:
apt-get update
apt-get install ssh
apt-get install mumble-server

I tried this with both Ubuntu server and Ubuntu desktop and the results are the same and consistent. As I suspected it has something to do with my motherboard (Asrock J3455-ITX) with an Intel quad core J3455. This processor is only supported in the newest kernel 4.8 but maybe there is still a bug there.

Problem now is I have no more information than I gave in the first post. Seems that some action is failing but I have no idea what action and what that action is doing and what that action needs.

At least I know now I didn't screw something up on my server, wasn't looking forward to reconfigure everything again. :D


Post by kissaki » Tue Apr 04, 2017 9:08 am

<W>2017-03-15 21:59:34.103 Object::connect: No such slot MurmurDBus::userTextMessage(const User *, const TextMessage &)


Did you change the Mumble server configuration?

Do you register a dbus script?

Try disabling dbus in the server configuration.

Are you using your own cert? Maybe it’s broken?

See also https://github.com/openssl/openssl/issues/1799, potentially an openssl issue - which version of Mumble server and OpenSSL is that?

The client code line in question: MainWindow.cpp#L2962. No ServerHandler QSslError (no SSL error that Qt handles on QSocket as a signal sslErrors), no SSL version mismatch.


Post by rene » Thu Apr 27, 2017 3:51 pm

kissaki wrote:
<W>2017-03-15 21:59:34.103 Object::connect: No such slot MurmurDBus::userTextMessage(const User *, const TextMessage &)


Did you change the Mumble server configuration?

No, clean install, see my mumble-server.ini
# Murmur configuration file.
#
# General notes:
# * Settings in this file are default settings and many of them can be overridden
#   with virtual server specific configuration via the Ice or DBus interface.
# * Due to the way this configuration file is read some rules have to be
#   followed when specifying variable values (as in variable = value):
#     * Make sure to quote the value when using commas in strings or passwords.
#        NOT variable = super,secret BUT variable = "super,secret"
#     * Make sure to escape special characters like '\' or '"' correctly
#        NOT variable = """ BUT variable = "\""
#        NOT regex = \w* BUT regex = \\w*

# Path to database. If blank, will search for
# murmur.sqlite in default locations or create it if not found.
database=/var/lib/mumble-server/mumble-server.sqlite

# If you wish to use something other than SQLite, you'll need to set the name
# of the database above, and also uncomment the below.
# Sticking with SQLite is strongly recommended, as it's the most well tested
# and by far the fastest solution.
#
#dbDriver=QMYSQL
#dbUsername=
#dbPassword=
#dbHost=
#dbPort=
#dbPrefix=murmur_
#dbOpts=

# If you want to use ZeroC Ice to communicate with Murmur, you need
# to specify the endpoint to use. Since there is no authentication
# with ICE, you should only use it if you trust all the users who have
# shell access to your machine.
# Please see the ICE documentation on how to specify endpoints.
#ice="tcp -h 127.0.0.1 -p 6502"

# Ice primarily uses local sockets. This means anyone who has a
# user account on your machine can connect to the Ice services.
# You can set a plaintext "secret" on the Ice connection, and
# any script attempting to access must then have this secret
# (as context with name "secret").
# Access is split in read (look only) and write (modify)
# operations. Write access always includes read access,
# unless read is explicitly denied (see note below).
#
# Note that if this is uncommented and with empty content,
# access will be denied.

#icesecretread=
icesecretwrite=

# Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the
# RPC methods available in Murmur, please specify so here.  [The D-Bus interface
# is now considered deprecated and using it is no longer advised.]
#
#dbus=system

# Alternate D-Bus service name. Only use if you are running distinct
# murmurd processes connected to the same D-Bus daemon.
#dbusservice=net.sourceforge.mumble.murmur

# How many login attempts do we tolerate from one IP
# inside a given timeframe before we ban the connection?
# Note that this is global (shared between all virtual servers), and that
# it counts both successfull and unsuccessfull connection attempts.
# Set either Attempts or Timeframe to 0 to disable.
#autobanAttempts = 10
#autobanTimeframe = 120
#autobanTime = 300

# Specifies the file Murmur should log to. By default, Murmur
# logs to the file 'murmur.log'. If you leave this field blank
# on Unix-like systems, Murmur will force itself into foreground
# mode which logs to the console.
logfile=/var/log/mumble-server/mumble-server.log

# If set, Murmur will write its process ID to this file
# when running in daemon mode (when the -fg flag is not
# specified on the command line). Only available on
# Unix-like systems.
pidfile=/var/run/mumble-server/mumble-server.pid

# The below will be used as defaults for new configured servers.
# If you're just running one server (the default), it's easier to
# configure it here than through D-Bus or Ice.
#
# Welcome message sent to clients when they connect.
welcometext="<br />Welcome to this server running <b>Murmur</b>.<br />Enjoy your stay!<br />"

# Port to bind TCP and UDP sockets to.
port=64738

# Specific IP or hostname to bind to.
# If this is left blank (default), Murmur will bind to all available addresses.
#host=

# Password to join server.
serverpassword=

# Maximum bandwidth (in bits per second) clients are allowed
# to send speech at.
bandwidth=72000

# Maximum number of concurrent clients allowed.
users=100

# Amount of users with Opus support needed to force Opus usage, in percent.
# 0 = Always enable Opus, 100 = enable Opus if it's supported by all clients.
#opusthreshold=100

# Maximum depth of channel nesting. Note that some databases like MySQL using
# InnoDB will fail when operating on deeply nested channels.
#channelnestinglimit=10

# Regular expression used to validate channel names.
# (Note that you have to escape backslashes with \ )
#channelname=[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+

# Regular expression used to validate user names.
# (Note that you have to escape backslashes with \ )
#username=[-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+

# Maximum length of text messages in characters. 0 for no limit.
#textmessagelength=5000

# Maximum length of text messages in characters, with image data. 0 for no limit.
#imagemessagelength=131072

# Allow clients to use HTML in messages, user comments and channel descriptions?
#allowhtml=true

# Murmur retains the per-server log entries in an internal database which
# allows it to be accessed over D-Bus/ICE.
# How many days should such entries be kept?
# Set to 0 to keep forever, or -1 to disable logging to the DB.
#logdays=31

# To enable public server registration, the serverpassword must be blank, and
# this must all be filled out.
# The password here is used to create a registry for the server name; subsequent
# updates will need the same password. Don't lose your password.
# The URL is your own website, and only set the registerHostname for static IP
# addresses.
# Only uncomment the 'registerName' parameter if you wish to give your "Root" channel a custom name.
#
#registerName=Mumble Server
#registerPassword=secret
#registerUrl=https://www.mumble.info/
#registerHostname=

# If this option is enabled, the server will announce its presence via the
# bonjour service discovery protocol. To change the name announced by bonjour
# adjust the registerName variable.
# See http://developer.apple.com/networking/bonjour/index.html for more information
# about bonjour.
#bonjour=True

# If you have a proper SSL certificate, you can provide the filenames here.
# Otherwise, Murmur will create it's own certificate automatically.
#sslCert=
#sslKey=

# The sslCiphers option chooses the cipher suites to make available for use
# in SSL/TLS. This option is server-wide, and cannot be set on a
# per-virtual-server basis.
#
# This option is specified using OpenSSL cipher list notation (see
# https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT).
#
# It is recommended that you try your cipher string using 'openssl ciphers <string>'
# before setting it here, to get a feel for which cipher suites you will get.
#
# After setting this option, it is recommend that you inspect your Murmur log
# to ensure that Murmur is using the cipher suites that you expected it to.
#
# Note: Changing this option may impact the backwards compatibility of your
# Murmur server, and can remove the ability for older Mumble clients to be able
# to connect to it.
#sslCiphers=EECDH+AESGCM:AES256-SHA:AES128-SHA

# If Murmur is started as root, which user should it switch to?
# This option is ignored if Murmur isn't started with root privileges.
uname=mumble-server

# If this options is enabled, only clients which have a certificate are allowed
# to connect.
#certrequired=False

# If enabled, clients are sent information about the servers version and operating
# system.
#sendversion=True

# You can configure any of the configuration options for Ice here. We recommend
# leave the defaults as they are.
# Please note that this section has to be last in the configuration file.
#
[Ice]
Ice.Warn.UnknownProperties=1
Ice.MessageSizeMax=65536


Do you register a dbus script?

Not to my knowledge, those tests were clean installs of Ubuntu with only the commands executed in my previous post.

Try disabling dbus in the server configuration.

As far as I can tell from the mumble-server.ini it is already disabled, right?

Are you using your own cert? Maybe it’s broken?

No, clean install of Ubuntu and mumble-server

See also https://github.com/openssl/openssl/issues/1799, potentially an openssl issue - which version of Mumble server and OpenSSL is that?

As far as I understand that post it looks like that bug was introduced in openssl version 1.1.0
I checked and my Ubuntu server is running openssl version 1.0.2g so I shouldn't be affected by that. But just to be thorough I removed the packaged openssl and built the latest stable version 1.1.0e which for sure has that bug fix and unfortunately no difference, still the same error.

The client code line in question: MainWindow.cpp#L2962. No ServerHandler QSslError (no SSL error that Qt handles on QSocket as a signal sslErrors), no SSL version mismatch.

I'll need more time to do something with that, maybe build it myself and add some debugging?

I also saw that a new version of Ubuntu came out, so I upgraded from 16.10 kernel 4.8 to 17.04 kernel 4.10 hoping maybe something was fixed but sadly that also didn't make a difference. Not giving up yet.