Websocket: Unexpected response code: 525

I was getting a WebSocket ERR_CONNECTION_TIMED_OUT error, then it turned out the problem was that I should’ve used one of the ports that are supported by Cloudflare here.

After I changed the port to 2087, now I’m getting a new error: WebSocket connection to 'wss://rage.one:2087/' failed: Error during WebSocket handshake: Unexpected response code: 525.

The website works fine; the problem is just the WebSocket connection.
This is what I’ve done: I created an origin certificate and, along with the key, put them on my server and configured them in the nginx config.
It doesn’t matter if I set the SSL mode to Full or Full (strict); that doesn’t change anything.

I tried this: curl -v --resolve rage:443:[104.248.126.127] https://rage.one and here is the output:

* Added rage:443:[123.123.123.123 to DNS cache
* Rebuilt URL to: https://rage.one/
*   Trying 123.123.123.123...
* TCP_NODELAY set
* Connected to rage.one (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Mar 15 00:00:00 2019 GMT
*  expire date: Mar 15 12:00:00 2020 GMT
*  subjectAltName: host "rage.one" matched cert's "rage.one"
*  issuer: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x558797a68d00)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/2
> Host: rage.one
> User-Agent: curl/7.61.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 200
< date: Fri, 15 Mar 2019 21:40:37 GMT
< content-type: text/html
< set-cookie: __cfduid=da466c592f17d60c64c2e9279bb56593e1552686037; expires=Sat, 14-Mar-20 21:40:37 GMT; path=/; domain=.rage.one; HttpOnly
< last-modified: Fri, 15 Mar 2019 12:04:48 GMT
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: redacted
<
<!doctype html>
...
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection #0 to host rage.one left intact

and here is my nginx config:

server {
    listen 80;
    server_name rage.one;

    # Plain-HTTP requests are redirected to the HTTPS vhost below.
    return 301 https://$server_name$request_uri;
}

server {
    # Only port 443 is configured for TLS here; nothing listens on 2087.
    listen 443 ssl;
    server_name rage.one;

    root /srv/test/public;

    location / {
        index index.html;
    }

    # Cloudflare origin certificate and its private key.
    ssl_certificate     /etc/Cloudflare-ssl/rage.one.pem;
    ssl_certificate_key /etc/Cloudflare-ssl/rage.one.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ecdh_curve      X25519:P-256:P-384:P-224:P-521;
    # Note: RC4, 3DES and MD5 suites are obsolete and widely rejected by clients.
    ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_prefer_server_ciphers on;
}

By the way, can this be caused by a bad/wrong DNS configuration?

(Sorry for putting everything here; I thought maybe there is something silly I’m missing.)
Any help would be appreciated.

Assuming your origin’s IP address ends in 164, it would seem as if it simply does not listen on port 2087.

What do you mean by “origin’s IP address”?

Your server.

My server’s IP address ends in 127

The service on port 2087 does not seem to serve SSL but is actually a plain HTTP server. You need to configure that for SSL.


The service on port 2087 does not seem to serve SSL but is actually a plain HTTP server. You need to configure that for SSL.
If it’s possible, may I know how you found out about this?

Connecting to it responded with an HTTP response, not a TLS handshake.

http://sitemeer.com/#104.248.126.127:2087 versus http://sitemeer.com/#https://104.248.126.127:2087

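The check described in that reply, as an added example that is not code from this thread: a probe that first attempts a TLS handshake against host:port and, if that fails, asks for plain HTTP and looks for an HTTP status line, which is exactly the distinction behind a Cloudflare 525 (the edge could not complete TLS to the origin). A constructed local plain-HTTP server stands in for the origin on port 2087 so it runs offline; `probe_origin` and `start_plain_http_server` are names chosen here, not Cloudflare or nginx APIs.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_origin(host: str, port: int, timeout: float = 5.0) -> str:
    """Classify what host:port speaks: 'tls', 'plain-http', 'closed' or 'unknown'."""
    ctx = ssl.create_default_context()
    # Skip chain validation: only the handshake matters for a 525 (like non-strict Full mode).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # nothing listening (or unreachable) on that port
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"  # ServerHello came back: the port terminates TLS
    except (ssl.SSLError, OSError):
        pass  # port is open but never completed a TLS handshake
    finally:
        raw.close()
    # Second try: speak plain HTTP and see whether a status line comes back.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            banner = plain.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if banner.startswith(b"HTTP/") else "unknown"

class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the origin on port 2087: plain HTTP, no TLS."""
    def do_GET(self):
        body = b"plain http origin\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

class _PlainOrigin(HTTPServer):
    def handle_error(self, request, client_address):
        pass  # a failed TLS probe leaves a garbage request behind; ignore it quietly

def start_plain_http_server(host: str = "127.0.0.1"):
    # Bind the constructed plain-HTTP origin to a free port; returns (server, port).
    server = _PlainOrigin((host, 0), _PlainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Pointing `probe_origin` at a real origin host and port reports "plain-http" for the situation in this thread and "tls" once the port actually terminates TLS.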
