<div dir="ltr"><div>Thanks Michael,<br><br></div><div>I am more than happy to set up something with libks if needed.<br></div><div><br>I have figured out some more however. It appears that this only happens when a wss connection's session has not fully established and is cleaning up because of timing out. The problem is that it causes another wss connection to get this ssl error, even if that other wss connection has a fully established and running audio session. It is important to note it does not seem to interrupt audio, just the wss sip channel, which I am fairly sure can be reestablished for that audio session w/o an issue.<br><br></div><div>The session that is being cleaned up sends these log messages as it's doing it:<br>2017-05-12 17:32:46.607768 [NOTICE] sofia.c:8438 Hangup sofia/websocket/nobody@1LF3F6I924P9WH6U [CS_EXECUTE] [NORMAL_UNSPECIFIED]<br>2017-05-12 17:32:46.627768 [INFO] conference_loop.c:1621 Channel leaving conference, cause: NORMAL_UNSPECIFIED<br>2017-05-12 17:32:46.627768 [NOTICE] switch_core_session.c:1730 Session 46 (sofia/websocket/nobody@1LF3F6I924P9WH6U) Ended<br>2017-05-12 17:32:46.627768 [NOTICE] switch_core_session.c:1734 Close Channel sofia/websocket/nobody@1LF3F6I924P9WH6U [CS_DESTROY]<br><br></div><div>I have attached the updated python script, it can duplicate this every time now with only 2 connections.
I verified with a webRTC client that if I initiate this first connection in the script, let it close, then connect the webRTC client and get full audio, once the first session from the script times out it causes the webRTC wss connection to get an error and close.<br><br></div><div>The webRTC connection is in chrome with sip.js.<br><br></div><div>Sorry the python script is so nasty, was working through any possible duplicated sip session stuff in it to make sure that was not why it was hitting the second connection.<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 12, 2017 at 10:20 AM, Michael Jerris <span dir="ltr"><<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">test on master.. work a similar test for verto maybe, this might have to do with sip specifically trying to keep state. Might make sense to build something out of libks as it has basically the same web socket code, and has both client and server web socket support in it, to do a “real” test, instead of this fake sip without any state over web sockets.<div><div class="h5"><div><br><div><br><div><blockquote type="cite"><div>On May 12, 2017, at 11:42 AM, Luke Wahlmeier <<a href="mailto:lwahlmeier@gmail.com" target="_blank">lwahlmeier@gmail.com</a>> wrote:</div><br class="m_-30872036386906528Apple-interchange-newline"><div><div dir="ltr"><div><div>Just got done testing this on v1.6 head and master, both seem to still have this issue. This box is using libssl version 1.0.1t-1+deb8u6. I am gonna start digging more into the ws/wss/sofia code to see if I can figure it out. 
Any suggestions on debugging this would be appreciated.<br><br></div>Thanks<br></div>Luke<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 11, 2017 at 5:12 PM, Luke Wahlmeier <span dir="ltr"><<a href="mailto:lwahlmeier@gmail.com" target="_blank">lwahlmeier@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>It's just in our isolated lab, pretty normal dell xeon server running Jessie 8.6. I just want to get it building on the same box I am testing with so setting that all up.<br><br></div>I was able to reproduce it w/o DTLS/Srtp. Here is a much simpler and cleaned up version of the python script.<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_-30872036386906528h5">On Thu, May 11, 2017 at 4:34 PM, Michael Jerris <span dir="ltr"><<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_-30872036386906528h5"><div style="word-wrap:break-word">what is “this environment” ?<div><div class="m_-30872036386906528m_2675276587231758968h5"><div><br><div><blockquote type="cite"><div>On May 11, 2017, at 6:31 PM, Luke Wahlmeier <<a href="mailto:lwahlmeier@gmail.com" target="_blank">lwahlmeier@gmail.com</a>> wrote:</div><br class="m_-30872036386906528m_2675276587231758968m_-9144194180052449967Apple-interchange-newline"><div><div dir="ltr"><div><div>Yeah I can usually get it to happen within about 5 minutes or so of testing. Still getting all set up to build freeswitch in this environment, but I should have it working by tomorrow. 
I will try more w/o dtls/srtp as well and make sure it does not need to be on.<br><br></div>Thanks<br></div>Luke<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 11, 2017 at 4:20 PM, Michael Jerris <span dir="ltr"><<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">if you can reproduce this reliably, i’d try master as well. Unless this is a bug in openssl, i can’t imagine how dtls would come into play in something like this.<br>
<span><br>
> On May 11, 2017, at 5:48 PM, Luke Wahlmeier <<a href="mailto:lwahlmeier@gmail.com" target="_blank">lwahlmeier@gmail.com</a>> wrote:<br>
><br>
> I keep semi-regularly running into issues using the wss transport when using dtls/srtp/ice. This is on the latest 1.6.17~34~0fc0946 on Debian jessie, but I am pretty sure it was happening on the last couple releases as well.<br>
><br>
> It seems like something bad/wrong happens to the encrypted data going over the websocket coming from freeswitch when more than 1 websocket connection is going and so far ice/srtp/dtls also seem to be needed in the invite to duplicate it.<br>
><br>
> I have tried many different languages and network/ssl stacks and keep running into this. It is always on data coming in from freeswitch on the websocket connection, and it's very very random. Sometimes I will get it 20 times in a row, other times it takes thousands of connections/sessions before it happens. It also, obviously, completely goes away if I use plain ws instead of wss.<br>
><br>
> Here are the errors:<br>
> python:<br>
> SSLError: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1750)<br>
> c/c++ (stunnel4):<br>
> SSL_read: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac<br>
> Java:<br>
> java.lang.IllegalArgumentException: Bad arguments<br>
> at javax.crypto.Mac.update(Mac.java:509)<br>
> at sun.security.ssl.MAC.compute(MAC.java:135)<br>
> at sun.security.ssl.InputRecord.checkMacTags(InputRecord.java:265)<br>
> at sun.security.ssl.InputRecord.decrypt(InputRecord.java:216)<br>
> at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:177)<br>
> at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974)<br>
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)<br>
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)<br>
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)<br>
><br>
> Attached are a simple python script to do the load, my dialplan and sip_profile. The python script can take a few runs before it sees the error, and I know it's not completing the sip or rtp, but even if it does this still happens.<br>
><br>
> I have also looked at libsofia-sip-ua/tport/ws.c and I don't see anything obvious. I am getting set up to build v1.6 head and test this; any guidance on ways I can troubleshoot this better or requests for more info are very welcome.<br>
><br></span></blockquote></div></div></div></blockquote></div><br></div></div></div></div><br></div></div><span>______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com/" rel="noreferrer" target="_blank">http://www.freeswitchsolutions<wbr>.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org/" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org/" rel="noreferrer" target="_blank">http://confluence.freeswitch.o<wbr>rg</a><br>
<a href="http://www.cluecon.com/" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswi<wbr>tch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/ma<wbr>ilman/listinfo/freeswitch-user<wbr>s</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.frees<wbr>witch.org/mailman/options/free<wbr>switch-users</a><br>
<a href="http://www.freeswitch.org/" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></span></blockquote></div><br></div>
</blockquote></div><br></div>
</div></blockquote></div><br></div></div></div></div></div><br></blockquote></div><br></div>