[Freeswitch-users] SSL implementation in FreeSWITCH
Ken Rice
krice at freeswitch.org
Thu Mar 10 22:42:32 MSK 2016
Are you sure you are sending this over TCP/TLS? This sounds like its really using UDP... TCP automatically does packet reassembly, UDP does not. The behavior you described sounds suspiciously like you are using UDP instead of TCP/TLS
-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Emrah
Sent: Thursday, March 10, 2016 1:37 PM
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Subject: [Freeswitch-users] SSL implementation in FreeSWITCH
Hi all,
I’m writing to document where I’m at with my issues with FreeSWITCH and SSL / TLS and share my conclusions so far.
I am hoping that this can give lieu to some further testing in different environments, and a proper fix if a bug is indeed confirmed.
First, I am running FreeSWITCH 1.6.6 on a Debian 8. Vars.xml shows sip_tls_version=tlsv1,tlsv1.1,tlsv1.2.
What I’ve observed is that in a sequence where client sens an invite to FS; FS responds with 407 proxy authorization required; client sends ack; Client sends the invite with the digest auth.
The last packet can easily exceed the max segment size of a TCP segment, typically if the SDP advertises a bunch of codecs, or if the client uses SRTP and the SAVP contains many crypto suites.
Now, when this occurs, the packets should be sent fragmented so they can fit in the MTU. It is then up to the receiving end to reassemble the segments and feed the complete packet to the application layer.
What I’ve noticed is that a packet that is too large is simply never received by FreeSWITCH. Since this is systematically the case with every software and hardware client I’ve used, I am drawn to think that the issue lies in the SSL implementation of FreeSWITCH.
In the event that for some reason my network or server OS configuration may be behind this, I would appreciate if someone would be willing to share some SIP credentials that can let me test TLS and SRTP. If getting to the bottom of this is of interest to any of you, I’d obviously be keen on handing out a couple of accounts.
I hope this message can be the starting point of a fruitful resolution process.
Thank you if you’ve read this up to here. Now hit reply and give me your 2 cents! :)
Best,
Emrah
_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org
http://www.freeswitchsolutions.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list