What happened
- Using ocserv 0.11.1 on Debian Stretch
ocserv 0.11.1
Compiled with seccomp, tcp-wrappers, oath, gssapi, PAM, PKCS#11, AnyConnect,
GnuTLS version: 3.4.12 (compiled with 3.4.10)
- By default, ocserv creates ocserv.socket, which listens on port 443, and you usually can't figure out what is on port 443, as you will see this:
vultr ~ # netstat -antp | grep 443
tcp6 0 0 :::443 :::* LISTEN 1/init # WTF???
- And you will see an invalid cert randomly when trying to open your site via https
- And sometimes you see a valid cert without warnings... (As both ocserv and Apache are listening on port 443)
- Since it might be difficult for most users to solve this problem, I think it's necessary to share my troubleshooting process with you
How to
I would like to thank jmcnaught on the #debian channel (Freenode) for his help with this problem
- Like he said, I should use systemctl list-units -t socket to check whether any socket units were active, and I got this:
UNIT LOAD ACTIVE SUB DESCRIPTION
acpid.socket loaded active running ACPID Listen Socket
dbus.socket loaded active running D-Bus System Message Bus Soc
ocserv.socket loaded active running OpenConnect SSL VPN server S
syslog.socket loaded active running Syslog Socket
systemd-fsckd.socket loaded active listening fsck to fsckd communication
systemd-initctl.socket loaded active listening /dev/initctl Compatibility N
systemd-journald-audit.socket loaded active running Journal Audit Socket
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log
systemd-journald.socket loaded active running Journal Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
- Looks like ocserv is the only one that might have something to do with port 443, so let's go on with systemctl show ocserv.socket | grep Listen
ListenStream=[::]:443
ListenDatagram=[::]:443
- Bingo!
- Just change the 443 port to any port that is not in use, then reboot your server, and then you are good
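The lookup above as one script, added here as an example and not part of the original post: it checks the Listen lines of every socket unit for a given port, so a port that netstat attributes to 1/init can be traced to its unit in one step. The function names are illustrative, and the sample input is constructed apart from the two :443 lines shown above.

```shell
#!/bin/sh
# Added example: find which systemd socket unit owns a port that netstat
# attributes to PID 1 (init). Function names here are illustrative.

# listen_lines_for_port PORT
# Reads `systemctl show <unit>` output on stdin and prints every Listen*
# property whose address ends in PORT (e.g. ListenStream=[::]:443).
listen_lines_for_port() {
    awk -v port="$1" '
        /^Listen[A-Za-z]*=/ {
            addr = $0
            sub(/^[^=]*=/, "", addr)    # drop the property name
            sub(/[ \t].*$/, "", addr)   # keep only the address field
            n = split(addr, parts, ":") # port is the last colon-separated part
            if (parts[n] == port) print
        }'
}

# socket_units_on_port PORT
# Checks every socket unit and prints "unit<TAB>Listen line" for each match.
# Needs a host running systemd; not called by the demo below.
socket_units_on_port() {
    systemctl list-units -t socket --all --plain --no-legend |
    while read -r unit _; do
        systemctl show "$unit" </dev/null | listen_lines_for_port "$1" |
        while IFS= read -r line; do
            printf '%s\t%s\n' "$unit" "$line"
        done
    done
}

# Constructed sample: the two :443 lines match the output shown above,
# the remaining lines are made up to exercise the non-matching cases.
sample_show_output() {
    cat <<'EOF'
Id=ocserv.socket
ListenStream=[::]:443
ListenDatagram=[::]:443
ListenStream=/run/example.sock
ListenStream=0.0.0.0:8443
EOF
}

# Offline demo: prints the two lines that bind port 443.
sample_show_output | listen_lines_for_port 443
```

On a systemd host, calling socket_units_on_port 443 runs the same check across all socket units.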