[Freeswitch-users] SSL implementation in FreeSWITCH

Stanislav Sinyagin ssinyagin at gmail.com
Sun Mar 13 22:01:26 MSK 2016


Let's try reproducing it in a lab and let freeswitch developers access it
if we're able to reproduce the issue. I can help and also provide some
hosts for it.

On Sun, Mar 13, 2016 at 7:58 PM, Emrah <lists at kavun.ch> wrote:

> Hi!
> The server isn’t behind NAT, and I don’t know the make and model of all
> the routers that the affected clients use. And this problem also occurs
> when there isn’t NAT involved at all.
>
> I will look into opening a bug.
>
> Best,
> Emrah
>
> On Mar 11, 2016, at 11:12 PM, Brian West <brian at freeswitch.org> wrote:
>
> What kind of router is doing your nat?
>
> Smells like someone needs 'ip virtual-reassembly'
>
> On Fri, Mar 11, 2016 at 4:09 PM, Ken Rice <krice at freeswitch.org> wrote:
>
>> The particular message on the Polycom boards only references FreeSWITCH
>> 1.2... there have been significant changes from that point... without
>> getting decoded packet captures there's really not much to see here.
>>
>> TCP handles the packet fragmentation as should TLS... this is transport
>> protocol layer stuff... this is not something FreeSWITCH would really be
>> involved in at that point...
>>
>> The other thing that might prove useful is isolating this on an idle
>> machine, with 1 phone, enabling all the good SIP and libsofia debugging and
>> getting it into a log along with the logs from the client so it can be
>> compared to see what's going on...
>>
>> Further discussion of this should be taken to Jira so that it can be
>> tracked and captures and logging can be attached to the ticket.
>>
>> -----Original Message-----
>> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:
>> freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Emrah
>> Sent: Friday, March 11, 2016 3:57 PM
>> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>> Subject: Re: [Freeswitch-users] SSL implementation in FreeSWITCH
>>
>> Hi there,
>> I am using TLS over TCP for sure. I spent a significant amount of time
>> inspecting this and UDP is only used for the RTP stream.
>> People have reported issues with Polycom phones where the TLS thread
>> crashes when the SDP is overloaded.
>>
>> http://community.polycom.com/t5/VoIP/IP550-Loses-Registration-as-soon-as-I-try-to-make-a-call/td-p/21372
>> This is not just a Polycom issue, and doesn’t seem to be happening with
>> other SIP servers.
>> Many times, because the client doesn’t get a response, it sends the
>> packets over and over and eventually times out.
>> I doubt that the same SIP stack is used across Polycom, Yealink,
>> Counterpath Bria, Blink Pro, etc… I will put together a PCAP of the session
>> in TCP since I can’t share the private key of the SSL certificate.
>> Is someone willing to provide me with a SIP account where I can test TLS
>> connections with SRTP enabled? An Echo test is enough.
>>
>> Thanks
>> > On Mar 10, 2016, at 8:42 PM, Ken Rice <krice at freeswitch.org> wrote:
>> >
>> > Are you sure you are sending this over TCP/TLS? This sounds like it's
>> > really using UDP... TCP automatically does packet reassembly, UDP does
>> > not. The behavior you described sounds suspiciously like you are using
>> > UDP instead of TCP/TLS.
>> >
>> > -----Original Message-----
>> > From: freeswitch-users-bounces at lists.freeswitch.org
>> > [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of
>> > Emrah
>> > Sent: Thursday, March 10, 2016 1:37 PM
>> > To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>> > Subject: [Freeswitch-users] SSL implementation in FreeSWITCH
>> >
>> > Hi all,
>> > I’m writing to document where I’m at with my issues with FreeSWITCH and
>> > SSL / TLS and share my conclusions so far.
>> > I am hoping that this can give rise to some further testing in
>> > different environments, and a proper fix if a bug is indeed confirmed.
>> >
>> > First, I am running FreeSWITCH 1.6.6 on Debian 8. vars.xml shows
>> > sip_tls_version=tlsv1,tlsv1.1,tlsv1.2.
>> >
>> > What I’ve observed is the following sequence: the client sends an INVITE to
>> > FS; FS responds with 407 proxy authorization required; the client sends an ACK;
>> > the client sends the INVITE with the digest auth.
>> >
>> > The last packet can easily exceed the maximum segment size of a TCP
>> > segment, typically if the SDP advertises a bunch of codecs, or if the
>> > client uses SRTP and the SAVP contains many crypto suites.
>> >
>> > Now, when this occurs, the packets should be sent fragmented so they
>> > can fit in the MTU. It is then up to the receiving end to reassemble the
>> > segments and feed the complete packet to the application layer.
>> >
>> > What I’ve noticed is that a packet that is too large is simply never
>> > received by FreeSWITCH. Since this is systematically the case with every
>> > software and hardware client I’ve used, I am drawn to think that the issue
>> > lies in the SSL implementation of FreeSWITCH.
>> >
>> > In the event that for some reason my network or server OS configuration
>> > may be behind this, I would appreciate it if someone would be willing to share
>> > some SIP credentials that let me test TLS and SRTP. If getting to the
>> > bottom of this is of interest to any of you, I’d obviously be keen on
>> > handing out a couple of accounts.
>> >
>> > I hope this message can be the starting point of a fruitful resolution
>> > process.
>> >
>> > Thank you if you’ve read this up to here. Now hit reply and give me
>> > your 2 cents! :)
>> >
>> > Best,
>> > Emrah
>> > _________________________________________________________________________
>> > Professional FreeSWITCH Consulting Services:
>> > consulting at freeswitch.org
>> > http://www.freeswitchsolutions.com
>> >
>> > Official FreeSWITCH Sites
>> > http://www.freeswitch.org
>> > http://confluence.freeswitch.org
>> > http://www.cluecon.com
>> >
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > http://www.freeswitch.org
>> >
>>
>
>
>
> --
>
> *Brian West*
> brian at freeswitch.org
>
>
> *Twitter: @FreeSWITCH , @briankwest*
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
> https://www.gofundme.com/freeswitch_ubuntu
>
> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>
> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>
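The thread turns on one framing fact: SIP over a stream transport (TCP or TLS) carries no per-message boundary, so the receiver must buffer transport reads until it holds the full header block plus exactly Content-Length body bytes before handing one message to the SIP layer. A large authenticated INVITE with a long SDP arrives as several segments, and a receiver that treats each read as a message never sees it. The following is an added example written for this thread, not FreeSWITCH or Sofia-SIP code; the class and function names are hypothetical, and the INVITE it feeds in is a constructed sample with placeholder addresses and credentials. It shows the per-read mistake beside a correct stream reassembler that also caps its buffer so an unbounded message cannot exhaust memory.

```python
"""
Reassemble SIP messages from a TCP/TLS byte stream (added example,
not FreeSWITCH or Sofia-SIP code). RFC 3261 requires Content-Length on
stream transports precisely so the receiver can find message boundaries.
"""
import re

# Matches "Content-Length: N" or its compact form "l: N" at line start.
_CL_RE = re.compile(rb"^(?:Content-Length|l)\s*:\s*(\d+)\s*$",
                    re.IGNORECASE | re.MULTILINE)


class SipStreamReassembler:
    """Buffers transport reads and yields only complete SIP messages."""

    MAX_BUFFER = 64 * 1024  # refuse unbounded buffering from a misbehaving peer

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> list[bytes]:
        """Append one transport read; return every complete message now available."""
        self._buf += chunk
        if len(self._buf) > self.MAX_BUFFER:
            raise ValueError("SIP message exceeds buffer limit; drop the connection")
        messages = []
        while True:
            # RFC 3261 7.5: stream receivers ignore leading CRLF keep-alive bytes.
            self._buf = self._buf.lstrip(b"\r\n")
            end = self._buf.find(b"\r\n\r\n")
            if end < 0:
                break  # header block not yet complete
            head = self._buf[:end + 4]
            m = _CL_RE.search(head)
            if m is None:
                # Mandatory over stream transports (RFC 3261 18.3); cannot frame without it.
                raise ValueError("missing Content-Length on stream transport")
            total = len(head) + int(m.group(1))
            if len(self._buf) < total:
                break  # body still in flight; wait for more segments
            messages.append(self._buf[:total])
            self._buf = self._buf[total:]
        return messages


def build_sample_invite(n_crypto: int = 12) -> bytes:
    """Constructed INVITE whose SDP (many SRTP crypto lines) spans several segments."""
    sdp_lines = [
        "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        "m=audio 49170 RTP/SAVP 0 8 9 18 101",
    ]
    for i in range(1, n_crypto + 1):
        # Placeholder key material, not a real SRTP key.
        sdp_lines.append(f"a=crypto:{i} AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40)
    sdp = "\r\n".join(sdp_lines) + "\r\n"
    headers = (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bKexample\r\n"
        "From: <sip:alice@example.net>;tag=1\r\n"
        "To: <sip:bob@example.net>\r\n"
        "Call-ID: example-call-id\r\n"
        "CSeq: 2 INVITE\r\n"
        'Proxy-Authorization: Digest username="alice", realm="example.net", response="placeholder"\r\n'
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n\r\n"
    )
    return headers.encode() + sdp.encode()


def reassemble_segmented(message: bytes, mss: int = 536) -> list[bytes]:
    """Deliver `message` in MSS-sized segments and return the messages recovered."""
    r = SipStreamReassembler()
    out: list[bytes] = []
    for off in range(0, len(message), mss):
        out.extend(r.feed(message[off:off + mss]))
    return out


def naive_per_read_count(message: bytes, mss: int = 536) -> int:
    """The failure mode: treat each read as a message. Returns how many complete
    messages such a receiver would see for a segmented INVITE (zero)."""
    seen = 0
    for off in range(0, len(message), mss):
        seg = message[off:off + mss]
        end = seg.find(b"\r\n\r\n")
        if end < 0:
            continue
        m = _CL_RE.search(seg[:end + 4])
        if m and len(seg) >= end + 4 + int(m.group(1)):
            seen += 1
    return seen


if __name__ == "__main__":
    inv = build_sample_invite()
    print(f"INVITE is {len(inv)} bytes; per-read receiver sees "
          f"{naive_per_read_count(inv)} messages, reassembler sees "
          f"{len(reassemble_segmented(inv))}")
```

The 536-byte segment size is only a stand-in for a small MSS; the reassembler is independent of it and also handles two messages pipelined in one read, which is why it loops until the buffer holds no further complete message. In a capture of the kind Ken asks for, the symptom of a per-read receiver is exactly what Emrah describes: the TCP stream carries the whole INVITE, yet no SIP-layer log line for it ever appears.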