[Freeswitch-users] SSL implementation in FreeSWITCH

Ken Rice krice at freeswitch.org
Sat Mar 12 01:09:09 MSK 2016


The particular message on the Polycom boards only references FreeSWITCH 1.2... there have been significant changes from that point... without getting decoded packet captures there's really not much to see here.

TCP handles the packet fragmentation as should TLS... this is transport protocol layer stuff... this is not something FreeSWITCH would really be involved in at that point...

The other thing that might prove useful is isolating this on an idle machine, with 1 phone, enabling all the good SIP and libsofia debugging and getting it into a log along with the logs from the client so it can be compared to see what's going on...

Further discussion of this should be taken to Jira so that it can be tracked and captures and logging can be attached to the ticket.

-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Emrah
Sent: Friday, March 11, 2016 3:57 PM
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Subject: Re: [Freeswitch-users] SSL implementation in FreeSWITCH

Hi there,
I am using TLS over TCP for sure. I spent a significant amount of time inspecting this and UDP is only used for the RTP stream.
People have reported issues with Polycom phones where the TLS thread crashes when the SDP is overloaded.
http://community.polycom.com/t5/VoIP/IP550-Loses-Registration-as-soon-as-I-try-to-make-a-call/td-p/21372
This is not just a Polycom issue, and doesn’t seem to be happening with other SIP servers.
Many times, because the client doesn’t get a response, it sends the packets over and over and eventually times out.
I doubt that the same SIP stack is used across Polycom, Yealink, Counterpath Bria, Blink Pro, etc… I will put together a PCAP of the session in TCP since I can’t share the private key of the SSL certificate.
Is someone willing to provide me with a SIP account where I can test TLS connections with SRTP enabled? An Echo test is enough.

Thanks
> On Mar 10, 2016, at 8:42 PM, Ken Rice <krice at freeswitch.org> wrote:
> 
> Are you sure you are sending this over TCP/TLS? This sounds like it's really using UDP... TCP automatically does packet reassembly, UDP does not. The behavior you described sounds suspiciously like you are using UDP instead of TCP/TLS.
> 
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Emrah
> Sent: Thursday, March 10, 2016 1:37 PM
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Subject: [Freeswitch-users] SSL implementation in FreeSWITCH
> 
> Hi all,
> I’m writing to document where I’m at with my issues with FreeSWITCH and SSL / TLS and share my conclusions so far.
> I am hoping that this can give lieu to some further testing in different environments, and a proper fix if a bug is indeed confirmed.
> 
> First, I am running FreeSWITCH 1.6.6 on Debian 8. vars.xml shows sip_tls_version=tlsv1,tlsv1.1,tlsv1.2.
> 
> What I’ve observed is that in a sequence where the client sends an invite to FS; FS responds with 407 proxy authorization required; the client sends an ack; the client sends the invite with the digest auth.
> 
> The last packet can easily exceed the max segment size of a TCP segment, typically if the SDP advertises a bunch of codecs, or if the client uses SRTP and the SAVP contains many crypto suites. 
> 
> Now, when this occurs, the packets should be sent fragmented so they can fit in the MTU. It is then up to the receiving end to reassemble the segments and feed the complete packet to the application layer.
> 
> What I’ve noticed is that a packet that is too large is simply never received by FreeSWITCH. Since this is systematically the case with every software and hardware client I’ve used, I am drawn to think that the issue lies in the SSL implementation of FreeSWITCH.
> 
> In the event that for some reason my network or server OS configuration may be behind this, I would appreciate if someone would be willing to share some SIP credentials that can let me test TLS and SRTP. If getting to the bottom of this is of interest to any of you, I’d obviously be keen on handing out a couple of accounts.
> 
> I hope this message can be the starting point of a fruitful resolution process.
> 
> Thank you if you’ve read this up to here. Now hit reply and give me your 2 cents! :)
> 
> Best,
> Emrah


_________________________________________________________________________
Professional FreeSWITCH Consulting Services: 
consulting at freeswitch.org
http://www.freeswitchsolutions.com

Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
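The reassembly the thread is arguing about, as an added example that is not from the thread or from FreeSWITCH's code: a SIP stream framer that buffers TCP/TLS chunks until the header block plus Content-Length bytes of body have arrived (RFC 3261 framing), run over a constructed INVITE whose SRTP SDP is split at a 1460-byte MSS, plus a helper showing that treating one read as one message never yields the large INVITE. Addresses and header values are constructed.

```python
# Added example: reassembling SIP messages from a TCP/TLS byte stream.
# A large INVITE arrives as several segments (or TLS records); the SIP
# layer must buffer until headers plus Content-Length bytes are present.

def build_invite(num_crypto_lines):
    """Constructed INVITE whose SDP carries many SRTP crypto lines."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", "m=audio 4000 RTP/SAVP 9 0 8 101"]
    for i in range(1, num_crypto_lines + 1):
        sdp.append(f"a=crypto:{i} AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40)
    body = ("\r\n".join(sdp) + "\r\n").encode()
    head = ["INVITE sip:1000@pbx.example SIP/2.0",
            "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-constructed",
            "Content-Type: application/sdp",
            f"Content-Length: {len(body)}"]
    return ("\r\n".join(head) + "\r\n\r\n").encode() + body

def segments(data, mss=1460):
    """Split bytes the way a TCP sender would: one MSS per segment."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]

class SipStreamFramer:
    """Accumulates stream chunks and emits complete SIP messages."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf += chunk
        out = []
        while True:
            self.buf = self.buf.lstrip(b"\r\n")      # drop CRLF keep-alives
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                return out                           # header block incomplete
            clen = 0
            for line in self.buf[:end].split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() in (b"content-length", b"l"):
                    clen = int(value.strip())
            total = end + 4 + clen
            if len(self.buf) < total:
                return out                           # body still in flight
            out.append(self.buf[:total])
            self.buf = self.buf[total:]

def reassemble(chunks):
    """Feed all chunks through one framer; return the complete messages."""
    framer, msgs = SipStreamFramer(), []
    for c in chunks:
        msgs.extend(framer.feed(c))
    return msgs

def complete_in_single_chunk(chunk):
    """What a framer with no carry-over buffer sees from one read."""
    return len(SipStreamFramer().feed(chunk)) > 0
```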



