[Freeswitch-users] WSS SSL errors "decryption failed or bad record mac" under load
Michael Jerris
mike at jerris.com
Thu May 11 22:34:08 UTC 2017
What is “this environment”?
> On May 11, 2017, at 6:31 PM, Luke Wahlmeier <lwahlmeier at gmail.com> wrote:
>
> Yeah, I can usually get it to happen within about 5 minutes or so of testing. Still getting all set up to build freeswitch in this environment, but I should have it working by tomorrow. I will try more w/o dtls/srtp as well and make sure it does not need to be on.
>
> Thanks
> Luke
>
> On Thu, May 11, 2017 at 4:20 PM, Michael Jerris <mike at jerris.com> wrote:
> If you can reproduce this reliably, I’d try master as well. Unless this is a bug in openssl, I can’t imagine how dtls would come into play in something like this.
>
> > On May 11, 2017, at 5:48 PM, Luke Wahlmeier <lwahlmeier at gmail.com> wrote:
> >
> > I keep semi-regularly running into issues using the wss transport when using dtls/srtp/ice. This is on the latest 1.6.17~34~0fc0946 on Debian jessie, but I am pretty sure it was happening on the last couple of releases as well.
> >
> > It seems like something bad/wrong happens to the encrypted data going over the websocket coming from freeswitch when more than 1 websocket connection is going, and so far ice/srtp/dtls also seem to be needed in the invite to duplicate it.
> >
> > I have tried many different languages and network/ssl stacks and keep running into this. It is always on data coming in from freeswitch on the websocket connection, and it's very, very random. Sometimes I will get it 20 times in a row, other times it takes thousands of connections/sessions before it happens. It also, obviously, completely goes away if I use plain ws instead of wss.
> >
> > Here are the errors:
> > python:
> > SSLError: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1750)
> > c/c++ (stunnel4):
> > SSL_read: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> > Java:
> > java.lang.IllegalArgumentException: Bad arguments
> > at javax.crypto.Mac.update(Mac.java:509)
> > at sun.security.ssl.MAC.compute(MAC.java:135)
> > at sun.security.ssl.InputRecord.checkMacTags(InputRecord.java:265)
> > at sun.security.ssl.InputRecord.decrypt(InputRecord.java:216)
> > at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:177)
> > at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974)
> > at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
> > at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> > at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> >
> > Attached are a simple python script to do the load, my dialplan and sip_profile. The python script can take a few runs before it sees the error, and I know it's not completing the sip or rtp, but even if it does this still happens.
> >
> > I have also looked at libsofia-sip-ua/tport/ws.c and I don't see anything obvious. I am getting set up to build v1.6 head and test this; any guidance on ways I can troubleshoot this better or requests for more info are very welcome.
> >