[Freeswitch-users] SSL implementation in FreeSWITCH

Emrah lists at kavun.ch
Thu Mar 10 22:36:33 MSK 2016


Hi all,
I’m writing to document where I’m at with my issues with FreeSWITCH and SSL / TLS and share my conclusions so far.
I am hoping that this can give lieu to some further testing in different environments, and a proper fix if a bug is indeed confirmed.

First, I am running FreeSWITCH 1.6.6 on a Debian 8. Vars.xml shows sip_tls_version=tlsv1,tlsv1.1,tlsv1.2.

What I’ve observed is that in a sequence where
client sens an invite to FS; 
FS responds with 407 proxy authorization required;
client sends ack;
 Client sends the invite with the digest auth.

The last packet can easily exceed the max segment size of a TCP segment, typically if the SDP advertises a bunch of codecs, or if the client uses SRTP and the SAVP contains many crypto suites. 

Now, when this occurs, the packets should be sent fragmented so they can fit in the MTU. It is then up to the receiving end to reassemble the segments and feed the complete packet to the application layer.

What I’ve noticed is that a packet that is too large is simply never received by FreeSWITCH. Since this is systematically the case with every software and hardware client I’ve used, I am drawn to think that the issue lies in the SSL implementation of FreeSWITCH.

In the event that for some reason my network or server OS configuration may be behind this, I would appreciate if someone would be willing to share some SIP credentials that can let me test TLS and SRTP. If getting to the bottom of this is of interest to any of you, I’d obviously be keen on handing out a couple of accounts.

I hope this message can be the starting point of a fruitful resolution process.

Thank you if you’ve read this up to here. Now hit reply and give me your 2 cents! :)

Best,
Emrah


Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list