Websocket: Unexpected response code: 525

dash-dns
dash-crypto
#1

I was getting a WebSocket ERR_CONNECTION_TIMED_OUT error; then it turned out the problem was that I should’ve used one of the ports that are supported by Cloudflare here.

After I changed the port to 2087, now I’m getting a new error: WebSocket connection to 'wss://rage.one:2087/' failed: Error during WebSocket handshake: Unexpected response code: 525.

The website works fine; the problem is just the WebSocket connection.
This is what I’ve done: I created an origin certificate and, along with the key, put them on my server and configured them in the nginx config.
It doesn’t matter if I set the SSL mode to Full or Full (strict); that doesn’t change anything.

I tried this: curl -v --resolve rage:443:[104.248.126.127] https://rage.one and here is the output:

  • Added rage:443:[123.123.123.123 to DNS cache
  • Rebuilt URL to: https://rage.one/
  • Trying 123.123.123.123…
  • TCP_NODELAY set
  • Connected to rage.one (123.123.123.123) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: none
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, [no content] (0):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.3 (OUT), TLS handshake, [no content] (0):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=sni.cloudflaressl.com
  • start date: Mar 15 00:00:00 2019 GMT
  • expire date: Mar 15 12:00:00 2020 GMT
  • subjectAltName: host “rage.one” matched cert’s “rage.one”
  • issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • TLSv1.3 (OUT), TLS app data, [no content] (0):
  • TLSv1.3 (OUT), TLS app data, [no content] (0):
  • TLSv1.3 (OUT), TLS app data, [no content] (0):
  • Using Stream ID: 1 (easy handle 0x558797a68d00)
  • TLSv1.3 (OUT), TLS app data, [no content] (0):

GET / HTTP/2
Host: rage.one
User-Agent: curl/7.61.0
Accept: */*

  • TLSv1.3 (IN), TLS handshake, [no content] (0):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.3 (IN), TLS app data, [no content] (0):
  • Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
  • TLSv1.3 (OUT), TLS app data, [no content] (0):
  • TLSv1.3 (IN), TLS app data, [no content] (0):
  • TLSv1.3 (IN), TLS app data, [no content] (0):
    < HTTP/2 200
    < date: Fri, 15 Mar 2019 21:40:37 GMT
    < content-type: text/html
    < set-cookie: __cfduid=da466c592f17d60c64c2e9279bb56593e1552686037; expires=Sat, 14-Mar-20 21:40:37 GMT; path=/; domain=.rage.one; HttpOnly
    < last-modified: Fri, 15 Mar 2019 12:04:48 GMT
    < expect-ct: max-age=604800, report-uri=“https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
    < server: cloudflare
    < cf-ray: redacted
    <
    <!doctype html>
    .
    .
    .
  • TLSv1.3 (IN), TLS app data, [no content] (0):
  • Connection #0 to host rage.one left intact

and here is my nginx config:

server {
    listen 80;
    server_name rage.one;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name rage.one;
    root /srv/test/public;

    location / {
        index index.html;
    }

    ssl_certificate /etc/cloudflare-ssl/rage.one.pem;
    ssl_certificate_key /etc/cloudflare-ssl/rage.one.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_prefer_server_ciphers on;
}

BTW, can this be caused by a bad/wrong DNS configuration?

(Sorry for putting everything here; I thought maybe there is something silly I’m missing.)
Any help would be appreciated.

#2

Assuming your origin’s IP address ends in 164 it would seem as if it simply does not listen on port 2087.

#3

What do you mean by “origin’s IP address”?

#4

Your server.

#5

My server’s IP address ends in 127

#7

The service on port 2087 does not seem to serve SSL but is actually a plain HTTP server. You need to configure that for SSL.

1 Like
#8

The service on port 2087 does not seem to serve SSL but is actually a plain HTTP server. You need to configure that for SSL.
If it’s possible may I know how you found out about this?

#9

Connecting to it responded with an HTTP response not a TLS handshake.

http://sitemeer.com/#104.248.126.127:2087 versus http://sitemeer.com/#https://104.248.126.127:2087

1 Like
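The check described in the reply above, whether a port answers a TLS ClientHello with a TLS record or with an HTTP status line, can be reproduced from your own machine against your own origin. The script below is an added example, not code from this thread or from the sitemeer service: it hand-builds a minimal ClientHello, sends it, and classifies the first bytes that come back (a 0x16 handshake or 0x15 alert record means TLS; a line starting with "HTTP/" means a plain HTTP listener, which is exactly what produces a 525 behind Cloudflare). The host name origin.example and the local stand-in server are constructed for the demonstration; point probe_port at your origin's IP and port to run it for real.

```python
import socket
import struct
import threading


def build_client_hello(server_name: str) -> bytes:
    """Hand-built minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Probe only: the random is all zeros and the cipher list is short, so the
    result is never usable for a real session."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # NameType host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ExtensionType server_name(0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = bytes.fromhex("c02fc030009c002f")                # a few widely supported suites
    body = (
        b"\x03\x03"                                                  # client_version: TLS 1.2
        + b"\x00" * 32                                               # client_random (zeros, probe only)
        + b"\x00"                                                    # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                                # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def classify_response(data: bytes) -> str:
    """Decide what kind of service answered the ClientHello from its first bytes."""
    if not data:
        return "no-response"
    # A TLS server replies with a handshake record (ServerHello) or, if it
    # rejects the hello, an alert record; both start with the content type
    # byte (0x16 or 0x15) followed by the 0x03 major version byte.
    if len(data) >= 2 and data[0] in (0x16, 0x15) and data[1] == 0x03:
        return "tls"
    # A plain HTTP listener treats the binary hello as a malformed request
    # and answers with a status line such as "HTTP/1.1 400 Bad Request".
    if data.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"


def probe_port(host: str, port: int, server_name: str, timeout: float = 5.0) -> str:
    """Connect to host:port, send the probe ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name))
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return classify_response(data)


def start_fake_plain_http_origin() -> int:
    """Constructed stand-in for an origin whose port is served without TLS.

    It answers whatever it receives the way an HTTP server answers garbage:
    with an HTTP 400 status line. Returns the port it listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_one():
        conn, _ = listener.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n")
        listener.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


if __name__ == "__main__":
    # Local demonstration against the constructed plain-HTTP stand-in;
    # replace host, port and server_name with your own origin to check it.
    port = start_fake_plain_http_origin()
    print(f"127.0.0.1:{port} -> {probe_port('127.0.0.1', port, 'origin.example')}")
```

If the result for your origin's port is "plain-http", Cloudflare's edge cannot complete its TLS handshake with the origin on that port, which is the condition that yields error 525; the fix is to give that listener an ssl certificate and key (as the 443 block in the first post already does) rather than to change the Cloudflare SSL mode.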
closed #10

This topic was automatically closed after 30 days. New replies are no longer allowed.