[Freeswitch-users] SSL implementation in FreeSWITCH

Sergey Safarov s.safarov at gmail.com
Fri Mar 11 08:49:11 MSK 2016


If you want to send TLS + the encryption key, check that RSA encryption is used. Some
other encryption may not allow decryption.

On Fri, Mar 11, 2016, 08:15 Michael Giagnocavo <mgg at giagnocavo.net> wrote:

> Can you do TCP without TLS and pcap it? Or pcap the TLS and provide the
> key (if no PFS)?
> -Michael
>
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Emrah
> Sent: Thursday, 10 March, 2016 13:37
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Subject: [Freeswitch-users] SSL implementation in FreeSWITCH
>
> Hi all,
> I’m writing to document where I’m at with my issues with FreeSWITCH and
> SSL / TLS and share my conclusions so far.
> I am hoping that this can give rise to some further testing in different
> environments, and a proper fix if a bug is indeed confirmed.
>
> First, I am running FreeSWITCH 1.6.6 on Debian 8. vars.xml shows
> sip_tls_version=tlsv1,tlsv1.1,tlsv1.2.
>
> What I’ve observed is that in a sequence where the client sends an INVITE to
> FS; FS responds with 407 Proxy Authentication Required; the client sends an ACK;
> the client sends the INVITE with the digest auth.
>
> The last packet can easily exceed the max segment size of a TCP segment,
> typically if the SDP advertises a bunch of codecs, or if the client uses
> SRTP and the SAVP contains many crypto suites.
>
> Now, when this occurs, the packets should be sent fragmented so they can
> fit in the MTU. It is then up to the receiving end to reassemble the
> segments and feed the complete packet to the application layer.
>
> What I’ve noticed is that a packet that is too large is simply never
> received by FreeSWITCH. Since this is systematically the case with every
> software and hardware client I’ve used, I am drawn to think that the issue
> lies in the SSL implementation of FreeSWITCH.
>
> In the event that for some reason my network or server OS configuration
> may be behind this, I would appreciate if someone would be willing to share
> some SIP credentials that can let me test TLS and SRTP. If getting to the
> bottom of this is of interest to any of you, I’d obviously be keen on
> handing out a couple of accounts.
>
> I hope this message can be the starting point of a fruitful resolution
> process.
>
> Thank you if you’ve read this up to here. Now hit reply and give me your 2
> cents! :)
>
> Best,
> Emrah
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
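Sergey's reply points at the practical condition behind Michael's suggestion: a TLS capture can only be decrypted offline with the server's private key when the session used RSA key exchange, not an ephemeral (EC)DHE suite that provides forward secrecy. The script below is an added example, not code from this thread or from the FreeSWITCH project: it parses a captured TLS ServerHello record, reports the negotiated cipher suite, and says whether handing over the server key would let the recipient decrypt the SIP-over-TLS session. The cipher-suite table is an abridged subset of the IANA registry, and the sample ServerHello bytes are constructed here rather than captured from a real FreeSWITCH server.

```python
"""Decide whether a captured TLS session is decryptable with the server's
private key, by inspecting the cipher suite chosen in the ServerHello.

Added example for the freeswitch-users thread; not FreeSWITCH code.
The ServerHello samples at the bottom are constructed, not captured.
"""
import struct

HANDSHAKE = 22      # TLS record content type for handshake messages
SERVER_HELLO = 2    # handshake message type

# Abridged subset of the IANA TLS cipher suite registry (assumption: these
# are the suites most likely seen on a 2016-era SIP/TLS deployment).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def key_exchange(suite_name):
    """Classify the key exchange from the suite name prefix."""
    if suite_name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        return "ephemeral"            # forward secrecy: server key is useless offline
    if suite_name.startswith("TLS_RSA_"):
        return "RSA"                  # premaster secret encrypted to the server key
    if suite_name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "ephemeral"            # TLS 1.3 suites always use (EC)DHE
    return "unknown"


def parse_server_hello(record):
    """Parse one TLS record holding a ServerHello and report the key exchange.

    Returns a dict; raises ValueError on anything that is not a complete
    ServerHello record.
    """
    if len(record) < 5:
        raise ValueError("record header truncated")
    ctype, _rec_version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < rlen:
        raise ValueError("record body truncated")
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hlen]
    if len(hs) < hlen:
        raise ValueError("handshake body truncated")
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    off = 0
    if len(hs) < 35:
        raise ValueError("ServerHello too short")
    version = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2 + 32
    sid_len = hs[off]
    off += 1 + sid_len
    if len(hs) < off + 2:
        raise ValueError("cipher suite missing")
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    name = CIPHER_SUITES.get(suite, "unknown_0x%04x" % suite)
    kx = key_exchange(name)
    return {
        "version": version,
        "cipher_suite": suite,
        "name": name,
        "key_exchange": kx,
        "decryptable_with_server_key": kx == "RSA",
    }


def build_server_hello(suite, version=0x0303, session_id=b""):
    """Construct a minimal ServerHello record (test input, zeroed random)."""
    hs = (struct.pack("!H", version) + bytes(32)
          + bytes([len(session_id)]) + session_id
          + struct.pack("!H", suite) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


# Constructed samples: one RSA-key-exchange session, one ECDHE session.
SAMPLE_RSA = build_server_hello(0x002F)
SAMPLE_ECDHE = build_server_hello(0xC030, session_id=b"\x11" * 32)

if __name__ == "__main__":
    for label, rec in (("RSA", SAMPLE_RSA), ("ECDHE", SAMPLE_ECDHE)):
        info = parse_server_hello(rec)
        print(label, info["name"], "decryptable with server key:",
              info["decryptable_with_server_key"])
```

Run it against the ServerHello extracted from the pcap (Wireshark shows the handshake record bytes in the packet details). If the result is `ephemeral`, a pcap plus the server key will not help whoever is debugging, and the better path is Michael's first suggestion of capturing plain TCP, or restricting the server's cipher list to RSA suites for the duration of the test capture only.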