<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi there,<div class="">So what do we do of this?</div><div class="">I don’t have any TLS issues except with FreeSWITCH. And to everyone here, it’s an issue with the equipment or the soft phone.</div><div class="">I tried FS V1.2, 1.4, 1.6 and 1.7.</div><div class="">Now remember this is something that can be reproduced with Yealink, Polycom, an I recently found out that Counterpath Bria was in the same basket.</div><div class=""><a href="https://support.counterpath.com/topic/intermittent-tls-403-forbidden-error" class="">https://support.counterpath.com/topic/intermittent-tls-403-forbidden-error</a></div><div class=""><br class=""></div><div class="">We know what the problem is. When the TLS packet is too large, possibly because of a long list of codecs, the TLS thread crashes on the client.</div><div class=""><br class=""></div><div class="">The question is, how can this happen only when using FS? The same clients do OK with other TLS enabled PBXs.</div><div class=""><br class=""></div><div class="">Emrah<br class=""><div><blockquote type="cite" class=""><div class="">On Jan 14, 2016, at 1:09 PM, Emrah <<a href="mailto:lists@kavun.ch" class="">lists@kavun.ch</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">I was certain that I’d fixe all my issues with an FS update to 1.6. </div>After much frustration and over a year of trial and error, I found out that the TLS session breaks if the content of the packet is too large.<div class="">This was also confirmed with the FS documentation that lists this issue as a generic Polycom issue: <a href="https://freeswitch.org/confluence/display/FREESWITCH/Polycom#Polycom-GenericPolycomissues" class="">Generic Polycom issues</a></div><div class=""><br class=""></div><div class="">I can confirm that this also happens with Yealink phones and a couple of other Softphones including Blink Pro on Mac OS X.</div><div class=""><br class=""></div><div class="">So far, I’ve only experienced this with FS. I’ve not been able to replicate this with other SIP servers that can also transport and handle media.</div><div class=""><br class=""></div><div class="">Anyone else can relate to this?</div><div class=""><br class=""></div><div class="">Anyway, what’s worked for me is to make my packets as small as possible by reducing the number of offered codecs to the bare minimum. </div><div class=""><br class=""></div><div class="">Best,</div><div class="">E<br class=""><div class=""><blockquote type="cite" class=""><div class="">On Mar 3, 2015, at 2:38 PM, Brian West <<a href="mailto:brian@freeswitch.org" class="">brian@freeswitch.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">sofia global siptrace on <div class="">sofia loglevel all 9</div><div class=""><br class=""></div><div class="">Then outline the scenario and config on the JIRA.</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, Mar 3, 2015 at 7:54 AM, Emrah <span dir="ltr" class=""><<a href="mailto:lists@kavun.ch" target="_blank" class="">lists@kavun.ch</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">Hey Brian, just saw this message.<div class="">There is no other UA in between FS and the endpoint. There is a regular NAT, that's all.</div><div class="">What seems to happen is:</div><div class="">endpoint -> FS: invite = ok</div><div class="">FS -> endpoint: 407 = OK</div><div class="">Endpoint -> FS: invite = Fails with SSL error.</div><div class=""><br class=""></div><div class="">What are the components I should capture to open up a Jira? FS Logs, FS Siptrace, anything else?</div><div class=""><br class=""></div><div class="">Thanks!</div><div class=""><div class="h5"><div class=""><div class=""><div class=""><blockquote type="cite" class=""><div class="">On Feb 16, 2015, at 2:44 PM, Brian West <<a href="mailto:brian@freeswitch.org" target="_blank" class="">brian@freeswitch.org</a>> wrote:</div><br class=""><div class=""><div dir="ltr" class=""><span style="font-family:Menlo;font-size:11px" class="">Via: SIP/2.0/TLS 1.2.3.4:443;branch=</span><span style="font-family:Menlo;font-size:11px" class="">z9hG4bK6Kv171Q3U5rrD</span><br class=""><div class=""><span style="font-family:Menlo;font-size:11px" class=""><br class=""></span></div><div class=""><font face="Menlo" class=""><span style="font-size:11px" class="">Your issue is the contact has no port 443 or transport=tls right? What sits between FS and the endpoint?</span></font></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Sun, Feb 15, 2015 at 5:38 AM, Emrah <span dir="ltr" class=""><<a href="mailto:lists@kavun.ch" target="_blank" class="">lists@kavun.ch</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">Thanks Ken. Is there a way to filter the SIP trace? It's a busy box.<div class=""><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Feb 14, 2015, at 3:35 AM, Ken Rice <<a href="mailto:krice@freeswitch.org" target="_blank" class="">krice@freeswitch.org</a>> wrote:</div><br class=""><div class=""><div dir="auto" class=""><div class="">Open a jire with a full debug login including sip tracing on<br class=""><br class="">Sent from my iPhone</div><div class=""><br class="">On Feb 13, 2015, at 7:57 PM, Emrah <<a href="mailto:lists@kavun.ch" target="_blank" class="">lists@kavun.ch</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class="">Hi,<div class="">The issue is persistent. I am curious to know if anyone else on the list is experiencing this. It doesn't seem to have been reported before.</div><div class="">Should I dedicate a profile to TLS use only?</div><div class="">I also posted a message on the list about receiving options packet with the wrong transport. Are these 2 issues connected? Here is a copy paste of my message:</div><div class=""><div class=""><br class=""></div><div class="">My experience with FS and TLS has been rather mixed so far. It's been a little inconsistent in keeping NAT sessions up and users discoverable.</div><div class="">One thing I've noticed is that FS advertises the wrong information in option packets. The following is what I receive over my TLS session which is working on port 443.</div><div class=""><div style="margin:0px;font-size:11px;font-family:Menlo" class=""><a href="http://1.2.3.4:443/" target="_blank" class="">1.2.3.4:443</a> -(SIP over TLS)-> <a href="http://10.0.0.99:51132/" target="_blank" class="">10.0.0.99:51132</a></div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">OPTIONS <a class="">sip:53178246@10.0.0.99:56494;transport=tls;received=5.6.7.8:51132</a> SIP/2.0</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Via: SIP/2.0/TLS 1.2.3.4:443;branch=z9hG4bK6Kv171Q3U5rrD</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Route: <<a class="">sip:53178246@5.6.7.8:51132</a>>;transport=tls</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Max-Forwards: 70</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">From: <<a class="">sip:mod_sofia@1.2.3.4:5060</a>>;tag=Q6XDFHeUUrcHD</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">To: <<a class="">sip:user@domain.com</a>></div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Call-ID: 0a052f23-34a8-4158-8c88-fd2a70ffb561_c2RhaSoOYBR6jfJe4ndLoTTKJMrO2gMv</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">CSeq: 71498568 OPTIONS</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Contact: <<a class="">sip:mod_sofia@1.2.3.4:5060</a>></div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">User-Agent: FreeSWITCH</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Supported: timer, path, replaces</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer</div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Content-Length: 0</div></div><div class=""><br class=""></div><div class="">As you can see FS stamps the packet with a port 5060... No reference to port 443 with a transport=tls.</div><div class=""><br class=""></div><div class="">What shall be done?</div><div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div class="">On Feb 5, 2015, at 3:18 PM, Emrah <<a href="mailto:lists@kavun.ch" target="_blank" class="">lists@kavun.ch</a>> wrote:</div><br class=""><div class=""><div style="word-wrap:break-word" class="">Hi there,<div class="">This issue is happening all around with devices using TLS. It's not very frequent with softphones, but not inexistant.</div><div class="">Any pointers would be greatly appreciated. Do you have best practice configs you'd like to share?</div><div class=""><br class=""></div><div class="">Thanks<br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jan 30, 2015, at 6:10 PM, Emrah <<a href="mailto:lists@kavun.ch" target="_blank" class="">lists@kavun.ch</a>> wrote:</div><br class=""><div class=""><div style="word-wrap:break-word" class="">Hi all,<div class="">I am facing a very frustrating issue. I often have to dial twice when using my Yealink phone with TLS because the first attempt times out.</div><div class="">The logs on the Yealink indicate that the first invite is successfully received, to which my FS sends a 100 trying and 407 proxy auth required. It is subsequently when my phone sends back the invite that the connection crashes with the following error:</div><div class=""><div style="margin:0px;font-size:11px;font-family:Menlo" class="">SSL ERROR SYSCALL</div></div><div style="margin:0px;font-size:11px;font-family:Menlo" class=""><br class=""></div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Is this something common? Why does the SSL connection crashes when the phone attempts to send the second invite? My phone is behind NAT.</div><div style="margin:0px;font-size:11px;font-family:Menlo" class=""><br class=""></div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">It is going to be a crazy expedition to collect the logs and Pastebin them, so I am tempting my luck on the list first to see if you have any pointers.</div><div style="margin:0px;font-size:11px;font-family:Menlo" class=""><br class=""></div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">As a last piece, my Bria on my iPHone, among other clients, never had this issue. I did experience it from time to time with Blink on Mac OS X.</div><div style="margin:0px;font-size:11px;font-family:Menlo" class=""><br class=""></div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Any help appreciated.</div><div style="margin:0px;font-size:11px;font-family:Menlo" class=""><br class=""></div><div style="margin:0px;font-size:11px;font-family:Menlo" class="">Emrah</div></div></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></blockquote><blockquote type="cite" class=""><div class=""><span class="">_________________________________________________________________________</span><br class=""><span class="">Professional FreeSWITCH Consulting Services: </span><br class=""><span class=""><a href="mailto:consulting@freeswitch.org" target="_blank" class="">consulting@freeswitch.org</a></span><br class=""><span class=""><a href="http://www.freeswitchsolutions.com/" target="_blank" class="">http://www.freeswitchsolutions.com</a></span><br class=""><span class=""></span><br class=""><span class="">Official FreeSWITCH Sites</span><br class=""><span class=""><a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a></span><br class=""><span class=""><a href="http://confluence.freeswitch.org/" target="_blank" class="">http://confluence.freeswitch.org</a></span><br class=""><span class=""><a href="http://www.cluecon.com/" target="_blank" class="">http://www.cluecon.com</a></span><br class=""><span class=""></span><br class=""><span class="">FreeSWITCH-users mailing list</span><br class=""><span class=""><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank" class="">FreeSWITCH-users@lists.freeswitch.org</a></span><br class=""><span class=""><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a></span><br class=""><span class="">UNSUBSCRIBE:http://<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank" class="">lists.freeswitch.org/mailman/options/freeswitch-users</a></span><br class=""><span class=""><a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a></span></div></blockquote></div>_________________________________________________________________________<br class="">Professional FreeSWITCH Consulting Services: <br class=""><a href="mailto:consulting@freeswitch.org" target="_blank" class="">consulting@freeswitch.org</a><br class=""><a href="http://www.freeswitchsolutions.com/" target="_blank" class="">http://www.freeswitchsolutions.com</a><br class=""><br class="">Official FreeSWITCH Sites<br class=""><a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a><br class=""><a href="http://confluence.freeswitch.org/" target="_blank" class="">http://confluence.freeswitch.org</a><br class=""><a href="http://www.cluecon.com/" target="_blank" class="">http://www.cluecon.com</a><br class=""><br class="">FreeSWITCH-users mailing list<br class=""><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank" class="">FreeSWITCH-users@lists.freeswitch.org</a><br class=""><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br class="">UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br class=""><a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a></div></blockquote></div><br class=""></div></div></div><br class="">_________________________________________________________________________<br class="">
Professional FreeSWITCH Consulting Services:<br class="">
<a href="mailto:consulting@freeswitch.org" target="_blank" class="">consulting@freeswitch.org</a><br class="">
<a href="http://www.freeswitchsolutions.com/" target="_blank" class="">http://www.freeswitchsolutions.com</a><br class="">
<br class="">
Official FreeSWITCH Sites<br class="">
<a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a><br class="">
<a href="http://confluence.freeswitch.org/" target="_blank" class="">http://confluence.freeswitch.org</a><br class="">
<a href="http://www.cluecon.com/" target="_blank" class="">http://www.cluecon.com</a><br class="">
<br class="">
FreeSWITCH-users mailing list<br class="">
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank" class="">FreeSWITCH-users@lists.freeswitch.org</a><br class="">
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br class="">
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br class="">
<a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a><br class=""></blockquote></div><br class=""><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div class=""><div dir="ltr" class=""><p class=""><font face="courier new, monospace" class=""><b class=""><i class=""><font size="4" class="">Brian West</font></i></b><br class=""><span style="font-size:x-small" class=""><a href="mailto:brian@freeswitch.org" target="_blank" class="">brian@freeswitch.org</a></span></font></p><p class=""><font size="1" face="courier new, monospace" class=""><img src="http://billing.freeswitch.org/templates/default/img/whmcslogo.png" class=""><br class=""></font></p><p class=""><font face="courier new, monospace" class=""><b class=""><i class="">Twitter: @FreeSWITCH , @briankwest</i></b><br class=""><a href="http://www.freeswitchbook.com/" target="_blank" class="">http://www.freeswitchbook.com</a><br class=""><a href="http://www.freeswitchcookbook.com/" target="_blank" class="">http://www.freeswitchcookbook.com</a></font></p><p class=""><font face="courier new, monospace" class=""><b class="">T:</b><a href="tel:%2B19184209001" value="+19184209001" target="_blank" class="">+19184209001</a> | <b class="">F:</b><a href="tel:%2B19184209002" value="+19184209002" target="_blank" class="">+19184209002</a> | <b class="">M:</b>+1918424WEST (9378)<br class=""><b class="">iNUM:</b>+883 5100 1420 9001 | <b class="">ISN:</b>410*543 | <b class="">Skype:</b>briankwest</font></p></div></div>
</div>
_________________________________________________________________________<br class="">Professional FreeSWITCH Consulting Services: <br class=""><a href="mailto:consulting@freeswitch.org" target="_blank" class="">consulting@freeswitch.org</a><br class=""><a href="http://www.freeswitchsolutions.com/" target="_blank" class="">http://www.freeswitchsolutions.com</a><br class=""><br class="">Official FreeSWITCH Sites<br class=""><a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a><br class=""><a href="http://confluence.freeswitch.org/" target="_blank" class="">http://confluence.freeswitch.org</a><br class=""><a href="http://www.cluecon.com/" target="_blank" class="">http://www.cluecon.com</a><br class=""><br class="">FreeSWITCH-users mailing list<br class=""><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank" class="">FreeSWITCH-users@lists.freeswitch.org</a><br class=""><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br class="">UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br class=""><a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a></div></blockquote></div><br class=""></div></div></div></div></div><br class="">_________________________________________________________________________<br class="">
Professional FreeSWITCH Consulting Services:<br class="">
<a href="mailto:consulting@freeswitch.org" class="">consulting@freeswitch.org</a><br class="">
<a href="http://www.freeswitchsolutions.com/" target="_blank" class="">http://www.freeswitchsolutions.com</a><br class="">
<br class="">
Official FreeSWITCH Sites<br class="">
<a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a><br class="">
<a href="http://confluence.freeswitch.org/" target="_blank" class="">http://confluence.freeswitch.org</a><br class="">
<a href="http://www.cluecon.com/" target="_blank" class="">http://www.cluecon.com</a><br class="">
<br class="">
FreeSWITCH-users mailing list<br class="">
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" class="">FreeSWITCH-users@lists.freeswitch.org</a><br class="">
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br class="">
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank" class="">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br class="">
<a href="http://www.freeswitch.org/" target="_blank" class="">http://www.freeswitch.org</a><br class=""></blockquote></div><br class=""><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div class="gmail_signature"><div dir="ltr" class=""><p class=""><font face="courier new, monospace" class=""><b class=""><i class=""><font size="4" class="">Brian West</font></i></b><br class=""><span style="font-size:x-small" class=""><a href="mailto:brian@freeswitch.org" target="_blank" class="">brian@freeswitch.org</a></span></font></p><p class=""><font size="1" face="courier new, monospace" class=""><img src="http://billing.freeswitch.org/templates/default/img/whmcslogo.png" class=""><br class=""></font></p><p class=""><font face="courier new, monospace" class=""><b class=""><i class="">Twitter: @FreeSWITCH , @briankwest</i></b><br class=""><a href="http://www.freeswitchbook.com/" target="_blank" class="">http://www.freeswitchbook.com</a><br class=""><a href="http://www.freeswitchcookbook.com/" target="_blank" class="">http://www.freeswitchcookbook.com</a></font></p><p class=""><font face="courier new, monospace" class=""><b class="">T:</b>+19184209001 | <b class="">F:</b>+19184209002 | <b class="">M:</b>+1918424WEST (9378)<br class=""><b class="">iNUM:</b>+883 5100 1420 9001 | <b class="">ISN:</b>410*543 | <b class="">Skype:</b>briankwest</font></p></div></div>
</div>
_________________________________________________________________________<br class="">Professional FreeSWITCH Consulting Services: <br class=""><a href="mailto:consulting@freeswitch.org" class="">consulting@freeswitch.org</a><br class=""><a href="http://www.freeswitchsolutions.com" class="">http://www.freeswitchsolutions.com</a><br class=""><br class="">Official FreeSWITCH Sites<br class="">http://www.freeswitch.org<br class="">http://confluence.freeswitch.org<br class="">http://www.cluecon.com<br class=""><br class="">FreeSWITCH-users mailing list<br class="">FreeSWITCH-users@lists.freeswitch.org<br class="">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users<br class="">UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users<br class="">http://www.freeswitch.org</div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></body></html>