[Freeswitch-users] SSL implementation in FreeSWITCH
Brian West
brian at freeswitch.org
Sat Mar 12 01:12:23 MSK 2016
What kind of router is doing your nat?
Smells like someone needs 'ip virtual-reassembly'
On Fri, Mar 11, 2016 at 4:09 PM, Ken Rice <krice at freeswitch.org> wrote:
> The particular message on the polycom boards only References FreeSWITCH
> 1.2... there have been significant changes from that point... without
> getting decoded packet captures theres really not much to see here.
>
> TCP handles the packet fragmentation as should TLS... this is transport
> protocol later stuff... this is not something FreeSWITCH would really be
> involved in at that point...
>
> The other thing that might prove useful is isolating this on an idle
> machine, with 1 phone enabling all the good SIP and libsofia debugging and
> getting it into a long along with the logs from the client so it can be
> compared to see whats going on...
>
> Further discussion of this should be taken to jira so that it can be
> tracked and captures and logging can be attached to the ticket
>
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Emrah
> Sent: Friday, March 11, 2016 3:57 PM
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Subject: Re: [Freeswitch-users] SSL implementation in FreeSWITCH
>
> Hi there,
> I am using TLS over TCP for sure. I spent a significant amount of time
> inspecting this and UDP is only used for the RTP stream.
> People have reported issues with Polycom phones where the TLS thread
> crashes when the SDP is overloaded.
>
> http://community.polycom.com/t5/VoIP/IP550-Loses-Registration-as-soon-as-I-try-to-make-a-call/td-p/21372
> This is not just a Polycom issue, and doesn’t seem to be happening with
> other SIP servers.
> Many times, because the client doesn’t get a response, it sends the
> packets over and over and eventually times out.
> I doubt that the same SIP stack is used across Polycom, Yealink,
> Counterpath Bria, Blink Pro, etc… I will put together a PCAP of the session
> in TCP since I can’t share the private key of the SSL certificate.
> Is someone willing to provide me with a SIP account where I can test TLS
> connections with SRTP enabled? An Echo test is enough.
>
> Thanks
> > On Mar 10, 2016, at 8:42 PM, Ken Rice <krice at freeswitch.org> wrote:
> >
> > Are you sure you are sending this over TCP/TLS? This sounds like its
> > really using UDP... TCP automatically does packet reassembly, UDP does
> > not. The behavior you described sounds suspiciously like you are using
> > UDP instead of TCP/TLS
> >
> > -----Original Message-----
> > From: freeswitch-users-bounces at lists.freeswitch.org
> > [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of
> > Emrah
> > Sent: Thursday, March 10, 2016 1:37 PM
> > To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> > Subject: [Freeswitch-users] SSL implementation in FreeSWITCH
> >
> > Hi all,
> > I’m writing to document where I’m at with my issues with FreeSWITCH and
> SSL / TLS and share my conclusions so far.
> > I am hoping that this can give lieu to some further testing in different
> environments, and a proper fix if a bug is indeed confirmed.
> >
> > First, I am running FreeSWITCH 1.6.6 on a Debian 8. Vars.xml shows
> sip_tls_version=tlsv1,tlsv1.1,tlsv1.2.
> >
> > What I’ve observed is that in a sequence where client sens an invite to
> FS; FS responds with 407 proxy authorization required; client sends ack;
> Client sends the invite with the digest auth.
> >
> > The last packet can easily exceed the max segment size of a TCP segment,
> typically if the SDP advertises a bunch of codecs, or if the client uses
> SRTP and the SAVP contains many crypto suites.
> >
> > Now, when this occurs, the packets should be sent fragmented so they can
> fit in the MTU. It is then up to the receiving end to reassemble the
> segments and feed the complete packet to the application layer.
> >
> > What I’ve noticed is that a packet that is too large is simply never
> received by FreeSWITCH. Since this is systematically the case with every
> software and hardware client I’ve used, I am drawn to think that the issue
> lies in the SSL implementation of FreeSWITCH.
> >
> > In the event that for some reason my network or server OS configuration
> may be behind this, I would appreciate if someone would be willing to share
> some SIP credentials that can let me test TLS and SRTP. If getting to the
> bottom of this is of interest to any of you, I’d obviously be keen on
> handing out a couple of accounts.
> >
> > I hope this message can be the starting point of a fruitful resolution
> process.
> >
> > Thank you if you’ve read this up to here. Now hit reply and give me
> > your 2 cents! :)
> >
> > Best,
> > Emrah
> > ______________________________________________________________________
> > ___ Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://confluence.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-use
> > rs
> > http://www.freeswitch.org
> >
> >
> > ______________________________________________________________________
> > ___ Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://confluence.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-use
> > rs
> > http://www.freeswitch.org
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
--
*Brian West*
brian at freeswitch.org
*Twitter: @FreeSWITCH , @briankwest*
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com
https://www.gofundme.com/freeswitch_ubuntu
Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
/r/freeswitch <https://www.reddit.com/r/freeswitch>
*T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
*iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20160311/4ae3274c/attachment-0001.html
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list