Connect to electrum server without SSL

[helloelec]

When I try to connect to my local electrs server I get errors that suggest the electrum client expects the connection to be SSL, but the server is not configured for SSL (this is true). I am able to connect to this server using one of my lightning wallets.

I tried to configure the electrs server for SSL but it's been giving me a bit of trouble, and I think it has to do with the certs. Since it's a local server I was thinking it would be better to just leave traffic unencrypted.

My main question is: is it possible for the electrum client to make unencrypted connections to servers?

If not, does anyone know any good resources for configuring SSL on the electrum server?

[1714006280]

1714006280

[1714006280]

1714006280

[pooya87]

I don't think you can do that without modifying the source code on both client and server to skip the SSL encryption and verification. It was designed to add some layer of protection for the communication between clients and servers so it is pretty much part of the protocol.

[BlackHatCoiner]

Since it's a local server I was thinking it would be better to just leave traffic unencrypted.

Not sure if that's recommended unless your internet provider can't track your router's info down.

My main question is: is it possible for the electrum client to make unencrypted connections to servers?

I just tried and nope. It's not unless you modify the source code as said above. (Check NeuroticFish's response)

If not, does anyone know any good resources for configuring SSL on the electrum server?

You might want to check this: https://raspibolt.org/electrs.html

[NeuroticFish]

My main question is: is it possible for the electrum client to make unencrypted connections to servers?

From what I know my electrs server is not on SSL (at least I didn't set up any certificate there)
And the command line I use for my Electrum is:

Code:

electrum --oneserver --server 127.0.0.1:50001:t

Edit: since @BlackHatCoiner wrote that this doesn't work for him, I will add that it works for me, I use it, it works. I've connected to it just yesterday (since I have no ports opened I run it only when I need it).

[BlackHatCoiner]

Code:

electrum --oneserver --server 127.0.0.1:50001:t

This doesn't work to me, but instead of 127.0.0.1 I enter 192.168.X.X.

[helloelec]

My main question is: is it possible for the electrum client to make unencrypted connections to servers?

From what I know my electrs server is not on SSL (at least I didn't set up any certificate there)
And the command line I use for my Electrum is:

Code:

electrum --oneserver --server 127.0.0.1:50001:t

Edit: since @BlackHatCoiner wrote that this doesn't work for him, I will add that it works for me, I use it, it works. I've connected to it just yesterday (since I have no ports opened I run it only when I need it).

Oh what on earth? This actually worked. I swear I tried this last night except for the ":t" bit. Thanks!

[helloelec]

If not, does anyone know any good resources for configuring SSL on the electrum server?

Get free SSL certificate from https://letsencrypt.org/ and configure nginx/apache which act as reverse proxy to use the SSL certificate.

Since it's a local server I was thinking it would be better to just leave traffic unencrypted.

Not sure if that's recommended unless your internet provider can't track your router's info down.

Or your ISP sell your data.

I'm staying with family right now so I'm using the ISP's modem/router thing, unfortunately. The ISP can inspect LAN traffic you think?

And thanks to the poster who recommended https://raspibolt.org/electrs.html, it looks good.

[NotATether]

If not, does anyone know any good resources for configuring SSL on the electrum server?

Install Stunnel on the Electrum server, generate a self-signed OpenSSL certificate and create a config file for stunnel with Electrum's port number and the OpenSSL cert you generated. Then set a TLS port that will encapsulate Electrum TLS traffic inside the config file. From then on you can use the new port under HTTPS to connect to Electrum.

Then block external connections to the HTTP port with a firewall if you want to disable HTTP traffic.

[helloelec]

If not, does anyone know any good resources for configuring SSL on the electrum server?

Install Stunnel on the Electrum server, generate a self-signed OpenSSL certificate and create a config file for stunnel with Electrum's port number and the OpenSSL cert you generated. Then set a TLS port that will encapsulate Electrum TLS traffic inside the config file. From then on you can use the new port under HTTPS to connect to Electrum.

Then block external connections to the HTTP port with a firewall if you want to disable HTTP traffic.

Dumb question, but is this better than creating a reverse proxy using nginx? Is it maybe a little simpler?


I followed the instructions at https://raspibolt.org/electrs.html, but when I try to connect using Electrum I get the following error:

Code:

2022/02/06 15:01:11 [debug] 123519#123519: *3 SSL_do_handshake: -1
2022/02/06 15:01:11 [debug] 123519#123519: *3 SSL_get_error: 1
2022/02/06 15:01:11 [info] 123519#123519: *3 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 192.168.2.69, server: 0.0.0.0:50002

I can do a TLS handshake using openssl s_client. I can also connect directly to the electrs server (not over tls) using a command supplied in this thread.

Has anyone seen this before?

My cert is self-signed, but according to the Electrum docs this should be ok.

[vv181]

I followed the instructions at https://raspibolt.org/electrs.html, but when I try to connect using Electrum I get the following error:
~

Did you also follow this(https://raspibolt.org/security.html#prepare-nginx-reverse-proxy) tutorial?

[NotATether]

Dumb question, but is this better than creating a reverse proxy using nginx? Is it maybe a little simpler?

In my experience yes, because I frequently got nginx configuration entries wrong.

I followed the instructions at https://raspibolt.org/electrs.html, but when I try to connect using Electrum I get the following error:

Code:

2022/02/06 15:01:11 [debug] 123519#123519: *3 SSL_do_handshake: -1
2022/02/06 15:01:11 [debug] 123519#123519: *3 SSL_get_error: 1
2022/02/06 15:01:11 [info] 123519#123519: *3 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 192.168.2.69, server: 0.0.0.0:50002

I can do a TLS handshake using openssl s_client. I can also connect directly to the electrs server (not over tls) using a command supplied in this thread.

Has anyone seen this before?

My cert is self-signed, but according to the Electrum docs this should be ok.

Looks like you already have TLS up and running but you're trying to connect to your Electrum server with a different TLS version - SSL3 to be specific - than what your setup supports.

Try running s_client with, e.g. -tls1_2, to specifically connect with TLS 1.2 and see if that's supported. If you see the certificate chain then it worked, otherwise if there is some "handshake error" then it's not supported. Modern browsers only support TLS 1.2 and 1.3 so older TLS version on the nginx config will not work (this includes SSL3 and 2).

[helloelec]

I followed the instructions at https://raspibolt.org/electrs.html, but when I try to connect using Electrum I get the following error:
~

Did you also follow this(https://raspibolt.org/security.html#prepare-nginx-reverse-proxy) tutorial?

Yes, I did 

Dumb question, but is this better than creating a reverse proxy using nginx? Is it maybe a little simpler?

In my experience yes, because I frequently got nginx configuration entries wrong.

I followed the instructions at https://raspibolt.org/electrs.html, but when I try to connect using Electrum I get the following error:

Code:

2022/02/06 15:01:11 [debug] 123519#123519: *3 SSL_do_handshake: -1
2022/02/06 15:01:11 [debug] 123519#123519: *3 SSL_get_error: 1
2022/02/06 15:01:11 [info] 123519#123519: *3 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 192.168.2.69, server: 0.0.0.0:50002

I can do a TLS handshake using openssl s_client. I can also connect directly to the electrs server (not over tls) using a command supplied in this thread.

Has anyone seen this before?

My cert is self-signed, but according to the Electrum docs this should be ok.

Looks like you already have TLS up and running but you're trying to connect to your Electrum server with a different TLS version - SSL3 to be specific - than what your setup supports.

Try running s_client with, e.g. -tls1_2, to specifically connect with TLS 1.2 and see if that's supported. If you see the certificate chain then it worked, otherwise if there is some "handshake error" then it's not supported. Modern browsers only support TLS 1.2 and 1.3 so older TLS version on the nginx config will not work (this includes SSL3 and 2).

My nginx config allows tls 1.3 and 1.2. s_client completes a handshake when these two are used, but I get errors when I use -tls1_1 and -tls1 flags (-ssl3 is not available in my build of s_client). The error I get is the following, which is different than what I get when I try to connect with electrum:

Code:

281473671444976:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70

Do you think electrum is trying to connect with ssl3? I thought it was deprecated.

And I tried to use stunnel first before nginx but I failed there as well. I couldn't find a good guide, and the following config did not work:

Code:

[https]
accept = 443
connect = 50001
cert = /home/xx/stunnel_cert.pem

I realize now that [https] probably isn't what I'm looking for.

[ABCbits]

Or your ISP sell your data.

I'm staying with family right now so I'm using the ISP's modem/router thing, unfortunately. The ISP can inspect LAN traffic you think?

It is possible and there are news that some ISP actually inspect/collect/sell your traffic data. Here are few random reference,
https://www.ftc.gov/news-events/press-releases/2021/10/ftc-staff-report-finds-many-internet-service-providers-collect
https://www.lightreading.com/security/t-mobile-to-join-atandt-verizon-in-selling-customers-data/d/d-id/767955
https://en.wikipedia.org/wiki/Deep_packet_inspection

If not, does anyone know any good resources for configuring SSL on the electrum server?

Install Stunnel on the Electrum server
--snip--

Great suggestion, i forget such tool is exist. But IIRC it lacks integration with OS service (such as initrc or systemd), so you'll need to create it manually if you wish convenience offered by OS service (such as start on boot and logging).

[vv181]

@helloelec can you also try to post the Electrum log? and what version does your Electrs running?

Code:

./electrum -v -1 --oneserver --server electrs_server_ip:50002:s

[helloelec]

@helloelec can you also try to post the Electrum log? and what version does your Electrs running?

Code:

./electrum -v -1 --oneserver --server electrs_server_ip:50002:s

This command works! What is this :s protocol? Strange, my man page for elecctrum says there are only :t and :h options.

[NeuroticFish]

What is this :s protocol? Strange, my man page for elecctrum says there are only :t and :h options.

The online docs tell about more; a server can announce even a non-standard tcp port easily.

supported protocols (“t” = tcp@50001, “h” = http@8081, “s” = tcp/tls@50002, “g” = https@8082; non-standard port would be announced this way: “t3300” for tcp on port 3300)

I didn't need to know all those details, but it's all in server.peers.subscribe docu; it may worth a read.

[vv181]

@helloelec can you also try to post the Electrum log? and what version does your Electrs running?

Code:

./electrum -v -1 --oneserver --server electrs_server_ip:50002:s

This command works! What is this :s protocol? Strange, my man page for elecctrum says there are only :t and :h options.

Thats should do it then

I think I have read it somewhere. The :t suffix should tell the client not to use SSL, and just connect plainly over TCP. While the :s suffix would make the client connext over SSL over TCP which make the command you are using now is working. This also the reason in your previous try whereas you are connecting to the server in an unencrypted manner.

[helloelec]

What is this :s protocol? Strange, my man page for elecctrum says there are only :t and :h options.

The online docs tell about more; a server can announce even a non-standard tcp port easily.

supported protocols (“t” = tcp@50001, “h” = http@8081, “s” = tcp/tls@50002, “g” = https@8082; non-standard port would be announced this way: “t3300” for tcp on port 3300)

I didn't need to know all those details, but it's all in server.peers.subscribe docu; it may worth a read.

How bizarre, having two dfiferent protocol flags for ports 50001 and 50002.

Thanks for sharing, I'll give those docs a look.

@helloelec can you also try to post the Electrum log? and what version does your Electrs running?

Code:

./electrum -v -1 --oneserver --server electrs_server_ip:50002:s

This command works! What is this :s protocol? Strange, my man page for elecctrum says there are only :t and :h options.

Thats should do it then

I think I have read it somewhere. The :t suffix should tell the client not to use SSL, and just connect plainly over TCP. While the :s suffix would make the client connext over SSL over TCP which make the command you are using now is working. This also the reason in your previous try whereas you are connecting to the server in an unencrypted manner.

Well I'm a bit confused. According to the post above the :t flag is just for tls over 50001, and my electrs server listens on 50001 but is not (to my knowledge) tls. I'll have to do some digging. Anyway thanks a bunch, what a relief to have this finally working!

[profedustream]

Hi guys,

I struggled a lot to connect Electrum <-> EPS <-> Bitcoin Core, especially 'cause of the .cookie path, the certificat problem, the configuration of config.ini and the 127.0.0.1 cookie file of Electrum.

There aren't lots of helps on Windows. That's why i've decided yesterday to do a full-explained tutorial on youtube, which explains everything: how to do, how to resolve all configuration problems, etc...
Link: https://www.youtube.com/watch?v=wxiH8hG9G-4&ab_channel=ProfEduStream
It's in french, but you can add subtitles on your own langage.

Hope it gonna help the community.

Bye 👋