ivlovric / HFP

HEP Fidelity Proxy

HFP - TLS connection to HEP server #10

Open idanam-del opened 1 year ago

idanam-del commented 1 year ago

Hey, does this support a TLS connection to the HEP server? If so, how do I configure it?

ivlovric commented 1 year ago

Hi!

Haven't tried TLS. In theory it could work, as TLS is transported by TCP, which is what this proxy is doing. Just set the outbound/backend side using the -r command line switch to point to the HEP TLS server endpoint, which should take care of TLS decoding. HFP in this case should just transparently pass TLS over TCP to the backend.

We would appreciate feedback about this case.

Thanks, I

idanam-del commented 1 year ago

As I understood, I could use heplify as a HEP proxy from HFP to the HEP server, and that will be TLS.

So the native agent will send HEP to HFP -> heplify HEP proxy -> TLS -> HEP server

Still haven't tested.

ivlovric commented 1 year ago

Hi,

Heplify server also supports TLS, so it can be terminated there. But I'm not sure it will work at all, as the packet will change its IP along the way, breaking TLS integrity. Nonetheless, it would be interesting to try :)

So, something like this: HEP agent(TLS over TCP) > (TCP) HFP (TCP proxy) > (TLS over TCP) Heplify server

https://github.com/sipcapture/heplify-server/blob/master/example/homer7_config/heplify-server.toml#LL3C5-L3C5

idanam-del commented 1 year ago

Well, my idea is that the HEP agent, HFP and Heplify will be on the same localhost.

So only Heplify will communicate with the HEP server over TLS.

But as I write this I understand that in this case HFP will be useless, because how will it know the HEP server is down in order to buffer the HEP packets?

It needs to be in front of the HEP server to be effective.

On Tue, May 9, 2023, 16:30 Ivica Lovrić wrote:

> Hi,
>
> Heplify server also supports TLS, so it can be terminated there. But not sure it will work at all as packet will change its IP along the way breaking TLS integrity. Nonetheless, would be interesting to try :)
>
> So, something like this: HEP agent(TLS over TCP) > (TCP) HFP (TCP proxy) > (TLS over TCP) Heplify server
>
> https://github.com/sipcapture/heplify-server/blob/master/example/homer7_config/heplify-server.toml#LL3C5-L3C5

idanam-del commented 1 year ago

I've tested this setup:

HEP agent (UDP) > heplify as HEP COLLECTOR (TLS over TCP) > (TCP) HFP (TCP proxy) > (TLS over TCP) Heplify server

  1. I configure HEP COLLECTOR to directly connect to the Heplify server on TLS port 9063

  2. And HFP to listen to 9063 and proxy towards the Heplify server at port 9063. HEP COLLECTOR and HFP are on the same machine.

  3. At heplify server I can see calls and encrypted msgs at tcpdump

Now I will test the HFP capabilities by initiating network outages using UFW at heplify server
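An added example (not from the thread and not HFP's code) of the path discussed above: a TLS client reaching a TLS-terminating server through a plain TCP relay that only copies bytes, with the client validating the server certificate against the name it asks for. The `relay` function, the `hep.example` name, the in-memory certificate and the payload are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// relay is a byte-level TCP pass-through for one connection (stand-in hop, not HFP's code).
func relay(ln net.Listener, backend string) {
	c, b := must(ln.Accept()), must(net.Dial("tcp", backend))
	go func() { io.Copy(b, c); b.Close() }() // client -> backend, then hang up
	io.Copy(c, b)                            // backend -> client
}
// EchoViaRelay sends msg over TLS via the relay to a TLS echo server, verifying serverName.
func EchoViaRelay(msg, serverName string) (string, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"hep.example"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key))
	pool := x509.NewCertPool() // the client trusts only this constructed certificate
	pool.AddCert(must(x509.ParseCertificate(der)))
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srv := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	go func() { c := must(srv.Accept()); io.Copy(c, c) }() // TLS terminates here, not at the relay
	px := must(net.Listen("tcp", "127.0.0.1:0"))
	go relay(px, srv.Addr().String())
	conn, err := tls.Dial("tcp", px.Addr().String(), &tls.Config{RootCAs: pool, ServerName: serverName})
	if err != nil {
		return "", err // e.g. the certificate does not carry serverName
	}
	defer conn.Close()
	io.WriteString(conn, msg)
	buf := make([]byte, len(msg))
	_, err = io.ReadFull(conn, buf)
	return string(buf), err
}
func main() { println(must(EchoViaRelay("constructed HEP payload", "hep.example"))) }
```

Calling `EchoViaRelay` with a name the certificate does not carry makes the handshake fail at the client, which is the check that protects the session across the extra hop.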

idanam-del commented 1 year ago

Two issues while using the latest release: https://github.com/ivlovric/HFP/releases

  1. When the heplify server is down, HFP should immediately be triggered, try to reconnect to the server, and say so in the logs. It only happens after I exit and run the executable again.

  2. After reconnecting, when it's supposed to flush the buffer, it doesn't, and says the following:

||-->X File Send HEP from buffer to file error read tcp4 127.0.0.1:9063->127.0.0.1:35144: use of closed network connection

ivlovric commented 1 year ago

Hi,

  1. HFP tries to reconnect on the first packet received on input after the backend side (the heplify server in your case) is down. Will assess whether monitoring the outbound side without traffic is a good option for this proxy; the reasoning was to use traffic for the first reconnect retry loop, so as not to overburden the backend HEP server if there is no traffic at all.

  2. Yes, that is a repercussion of the last revert commit, but please check the last beta branch as well as the latest next branch and see if it behaves better - it should. The "next" branch is a complete rewrite, so feel free to report.

Thanks