TLS handshake error (ws+tls)

Only use websockets. I am sure of that, thank you.

This topic was automatically closed after 30 days. New replies are no longer allowed.

Conclusion:

https://caddy.community/t/appending-tls-handshake-error-ws-tls/14474

Sorry I opened a new post because the old post is closed.

This question is fixed, and I want to share how.

Caddy is strictly case-sensitive. As shown in the old post, my Caddy config.json is the following:

sub.esdomain.com {
	tls {
		protocols tls1.2 tls1.3
		ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
		curves x25519
	}
	@staff_websocket {
		path /3367
		header Connection *Upgrade*
		header Upgrade websocket
	}
	reverse_proxy @staff_websocket localhost:37566
}

But the proxy tool I'm using sends the header like Connection *upgrade*, and I added a new block in config.json

@staff_websocket_alias {
	path /3367
	header Connection *upgrade*
	header Upgrade websocket
}
reverse_proxy @staff_websocket_alias localhost:37566

That's all.


What you can do is this:

@staff_websocket {
	path /3367
	header Connection *Upgrade*
	header Connection *upgrade*
	header Upgrade websocket
}

Caddy will then match either of those Connection header patterns.

But really, do you even need the matcher? If the only thing that site block has is that proxy, then you can completely omit the matcher.

Also, this is redundant, because they're already the defaults, so you can remove it:

Also, why are you changing the ciphers? There's rarely any benefit to doing that. Caddy's defaults are secure.

I don't think Let's Encrypt nor ZeroSSL supports curve x25519 yet. I don't think this'll actually work. Caddy allows configuring it, but I don't think a cert will be successfully issued with that key type. This option will actually do nothing unless you set key_type, because the default is still to issue RSA keys.

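To make the case-sensitivity point above concrete, here is an added example (not from this thread and not Caddy's own code) that models the Caddyfile `header` matcher semantics in Python: field names compared case-insensitively, values case-sensitively, a leading or trailing `*` turning the value into a suffix, prefix or substring pattern, and several lines for one field OR-ed together. It assumes one value per header and leaves the `path` matcher out; the two sample handshakes are constructed.

```python
# Simplified model of Caddy's `header` matcher (illustrative, not Caddy's code):
# - header field names are matched case-insensitively (as in HTTP)
# - header values are matched case-sensitively
# - "*foo*" is a substring match, "*foo" a suffix match, "foo*" a prefix match
# - repeated `header <field> <value>` lines for the same field are OR-ed
# Assumption: a single value per header field; the `path` matcher is not modelled.

def header_value_matches(pattern: str, value: str) -> bool:
    """Case-sensitive match of one header value against one matcher pattern."""
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def request_matches(matcher: dict, headers: dict) -> bool:
    """Every field in the matcher must be present and match at least one of its patterns."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for field, patterns in matcher.items():
        value = lowered.get(field.lower())
        if value is None:
            return False
        if not any(header_value_matches(p, value) for p in patterns):
            return False
    return True


# The matcher from the first post (only uppercase "Upgrade") and the combined
# matcher suggested in the reply (either spelling accepted).
ORIGINAL = {"Connection": ["*Upgrade*"], "Upgrade": ["websocket"]}
COMBINED = {"Connection": ["*Upgrade*", "*upgrade*"], "Upgrade": ["websocket"]}

# Constructed sample handshakes: a browser-style client and a lowercase proxy tool.
# Both are valid HTTP, since the Connection token is case-insensitive per RFC 7230.
BROWSER = {"Connection": "Upgrade", "Upgrade": "websocket"}
PROXY_TOOL = {"connection": "keep-alive, upgrade", "upgrade": "websocket"}

if __name__ == "__main__":
    for name, req in (("browser", BROWSER), ("proxy tool", PROXY_TOOL)):
        print(f"{name}: original={request_matches(ORIGINAL, req)} "
              f"combined={request_matches(COMBINED, req)}")
```

Requests that fail the matcher are not proxied at all, which is why the symptom looks like a failed upgrade rather than a backend error; logging the `Connection` header value on the proxy side is the quickest way to confirm this mismatch.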

I see, thank you.

I added additional information in edits above, in case you missed it.

In order not to create confusion with the previous post, I did not delete the content, such as protocols tls1.2 tls1.3.

I used the default configuration information of the proxy protocol, and you will see these config things.

I just removed the matcher and tested, it works, thank you.