[Freeswitch-users] WSS SSL errors "decryption failed or bad record mac" under load

Luke Wahlmeier lwahlmeier at gmail.com
Thu May 11 21:48:00 UTC 2017


I keep semi-regularly running into issues using the wss transport when
using dtls/srtp/ice.  This is on the latest 1.6.17~34~0fc0946 on Debian
jessie, but I am pretty sure it was happening on the last couple of releases
as well.

It seems like something bad/wrong happens to the encrypted data going over
the websocket coming from freeswitch when more than 1 websocket connection
is going, and so far ice/srtp/dtls also seem to be needed in the invite to
duplicate it.

I have tried many different languages and network/ssl stacks and keep
running into this.  It is always on data coming in from freeswitch on the
websocket connection, and it's very very random.  Sometimes I will get it 20
times in a row, other times it takes thousands of connections/sessions
before it happens.  It also, obviously, completely goes away if I use plain
ws instead of wss.

Here are the errors:
python:
SSLError: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1750)
c/c++ (stunnel4):
SSL_read: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Java:
java.lang.IllegalArgumentException: Bad arguments
    at javax.crypto.Mac.update(Mac.java:509)
    at sun.security.ssl.MAC.compute(MAC.java:135)
    at sun.security.ssl.InputRecord.checkMacTags(InputRecord.java:265)
    at sun.security.ssl.InputRecord.decrypt(InputRecord.java:216)
    at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:177)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)

Attached are a simple python script to do the load, my dialplan and
sip_profile.  The python script can take a few runs before it sees the
error, and I know it's not completing the sip or rtp, but even if it does
this still happens.

I have also looked at libsofia-sip-ua/tport/ws.c and I don't see anything
obvious.  I am getting set up to build v1.6 head and test this.  Any guidance
on ways I can troubleshoot this better or requests for more info are very
welcome.

Thanks
Luke
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wss-dialplan.xml
Type: text/xml
Size: 258 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170511/df7de8f5/attachment.xml 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wss-profile.xml
Type: text/xml
Size: 3570 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170511/df7de8f5/attachment-0001.xml 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: load.py
Type: text/x-python
Size: 2580 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170511/df7de8f5/attachment.py 

