[Freeswitch-users] WSS SSL errors "decryption failed or bad record mac" under load

Luke Wahlmeier lwahlmeier at gmail.com
Fri May 12 15:42:03 UTC 2017


Just got done testing this on v1.6 head and master, both seem to still have
this issue.  This box is using libssl version 1.0.1t-1+deb8u6.  I am gonna
start digging more into the ws/wss/sofia code to see if I can figure it
out.  Any suggestions on debugging this would be appreciated.

Thanks
Luke

On Thu, May 11, 2017 at 5:12 PM, Luke Wahlmeier <lwahlmeier at gmail.com>
wrote:

> It's just in our isolated lab, pretty normal dell xeon server running
> Jessie 8.6.  I just want to get it building on the same box I am testing
> with so setting that all up.
>
> I was able to reproduce it w/o DTLS/Srtp.  Here is a much simpler and
> cleaned up version of the python script.
>
>
>
> On Thu, May 11, 2017 at 4:34 PM, Michael Jerris <mike at jerris.com> wrote:
>
>> what is “this environment” ?
>>
>> On May 11, 2017, at 6:31 PM, Luke Wahlmeier <lwahlmeier at gmail.com> wrote:
>>
>> Yeah I can usually get it to happen within about 5 minutes or so of
>> testing.  Still getting all set up to build freeswitch in this environment,
>> but I should have it working by tomorrow.  I will try more w/o dtls/srtp as
>> well and make sure it does not need to be on.
>>
>> Thanks
>> Luke
>>
>> On Thu, May 11, 2017 at 4:20 PM, Michael Jerris <mike at jerris.com> wrote:
>>
>>> if you can reproduce this reliably, i’d try master as well.  Unless this
>>> is a bug in openssl, i can’t imagine how dtls would come into play in
>>> something like this.
>>>
>>> > On May 11, 2017, at 5:48 PM, Luke Wahlmeier <lwahlmeier at gmail.com>
>>> wrote:
>>> >
>>> > I keep semi-regularly running into issues using the wss transport when
>>> using dtls/srtp/ice.  This is on the latest 1.6.17~34~0fc0946 on Debian
>>> jessie, but I am pretty sure it was happening on the last couple releases
>>> as well.
>>> >
>>> > It seems like something bad/wrong happens to the encrypted data going
>>> over the websocket coming from freeswitch when more than 1 websocket
>>> connection is going and so far ice/srtp/dtls also seem to be needed in the
>>> invite to duplicate it.
>>> >
>>> > I have tried many different languages and network/ssl stacks and keep
>>> running into this.  It is always on data coming in from freeswitch on the
>>> websocket connection, and it's very, very random.  Sometimes I will get it 20
>>> times in a row, other times it takes thousands of connections/sessions
>>> before it happens.  It also, obviously, completely goes away if I use plain
>>> ws instead of wss.
>>> >
>>> > Here are the errors:
>>> > python:
>>> > SSLError: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption
>>> failed or bad record mac (_ssl.c:1750)
>>> > c/c++ (stunnel4):
>>> > SSL_read: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
>>> failed or bad record mac
>>> > Java:
>>> > java.lang.IllegalArgumentException: Bad arguments
>>> >     at javax.crypto.Mac.update(Mac.java:509)
>>> >     at sun.security.ssl.MAC.compute(MAC.java:135)
>>> >     at sun.security.ssl.InputRecord.checkMacTags(InputRecord.java:265)
>>> >     at sun.security.ssl.InputRecord.decrypt(InputRecord.java:216)
>>> >     at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:177)
>>> >     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974)
>>> >     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>>> >     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>>> >     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>> >
>>> > Attached are a simple python script to do the load, my dialplan and
>>> sip_profile.  The python script can take a few runs before it sees the
>>> error, and I know it's not completing the sip or rtp, but even if it does
>>> this still happens.
>>> >
>>> > I have also looked at libsofia-sip-ua/tport/ws.c and I don't see
>>> anything obvious.  I am getting set up to build v1.6 head and test this; any
>>> guidance on ways I can troubleshoot this better or requests for more info
>>> are very welcome.
>>> >
>>>
>>
>>
>
>