sipcapture / captagent

100% Open-Source Packet Capture Agent for HEP
https://sipcapture.org
GNU Affero General Public License v3.0

This is not a valid TLS/SSL packet #188

Closed quasd closed 4 years ago

quasd commented 6 years ago

Hello, I have been trying to get TLS SIP working for a while now.

I have been getting mixed results, from segfaults to INVALID TLS/SSL packets.

I will talk about the INVALID TLS/SSL packets since it's happening on Ubuntu 16.04 LTS, which is closest to Debian (that is used in the wiki).

The error I am getting is below

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 16929
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

It repeats for the count of the packets.

Here is a scrambled tcpdump. (I can share the original dump + key by mail if necessary.)

yealink.pcap.zip

Settings I think are relevant can be found below. If you need anything else, please let me know.

I can't figure out what would be causing this. Any help would be awesome.

Asterisk

 tlscipher=AES256-GCM-SHA384:AES128-GCM-SHA256

/usr/local/captagent/etc/captagent/protocol_tcp.xml

<?xml version="1.0"?>
<document type="captagent_module/xml">
    <module name="protocol_tcp" description="TCP Protocol" serial="2014010402">
        <profile name="proto_tcp" description="TCP PROTO" enable="true" serial="2014010402">
            <settings>
                <param name="flow-timeout" value="180"/>
                <!-- the value of private-key-path is the absolute path of the key (used for decryption) -->
                <param name="private-key-path" value="/usr/src/captagent/captagent/conf/private.key"/>
            </settings>
        </profile>
    </module>
</document>

/usr/local/captagent/etc/captagent/socket_pcap.xml

<?xml version="1.0"?>
<document type="captagent_module/xml">
    <module name="socket_pcap" description="HEP Socket" serial="2014010402">
    <profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
        <settings>
        <param name="dev" value="any"/>
        <param name="promisc" value="true"/>
        <param name="reasm" value="false"/>
        <param name="tcpdefrag" value="false"/>
        <param name="capture-plan" value="sip_capture_plan.cfg"/>
        <param name="filter">
            <value>port 5060</value>
        </param>
        </settings>
    </profile>
    <profile name="socketspcap_tls" description="TLS Socket" enable="true" serial="2014010402">
        <settings>
        <param name="dev" value="ens33"/>
        <param name="promisc" value="true"/>
        <param name="reasm" value="false"/>
        <param name="tcpdefrag" value="true"/>
        <param name="capture-plan" value="tcp_capture_plan.cfg"/>
        <param name="filter">
            <value>tcp port 5061</value>
        </param>
        </settings>
    </profile>
    <profile name="socketspcap_rtcp" description="RTCP Socket" enable="false" serial="2014010402">
        <settings>
        <param name="dev" value="any"/>
        <param name="promisc" value="true"/>
        <param name="reasm" value="false"/>
        <!-- size in MB -->
        <param name="ring-buffer" value="20"/>
        <!-- for rtp && rtcp < 250 -->
        <param name="snap-len" value="256"/>
        <param name="capture-filter" value="rtcp"/>
        <param name="capture-plan" value="rtcp_capture_plan.cfg"/>
        <param name="filter">
            <value>portrange 10000-30000 and len >=50 </value>
        </param>
        </settings>
    </profile>
    </module>
</document>

/usr/local/captagent/etc/captagent/captagent.xml

<?xml version="1.0"?>
<document type="captagent/xml">
    <configuration name="core.conf" description="CORE Settings" serial="2014024212">
        <settings>
        <param name="debug" value="9"/>
        <param name="version" value="2"/>
        <param name="serial" value="2014056501"/>
        <param name="uuid" value="00781a4a-5b69-11e4-9522-bb79a8fcf0f3"/>
        <param name="daemon" value="false"/>
        <param name="syslog" value="false"/>
        <param name="pid_file" value="/var/run/captagent.pid"/>
        <!-- Configure using installation path if different from default -->
        <param name="module_path" value="/usr/local/captagent/lib/captagent/modules"/>
        <param name="config_path" value="/usr/local/captagent/etc/captagent/"/>
        <param name="capture_plans_path" value="/usr/local/captagent/etc/captagent/captureplans"/>
        <param name="backup" value="/usr/local/captagent/etc/captagent/backup"/>
        <param name="chroot" value="/usr/local/captagent/etc/captagent"/>
        </settings>
    </configuration>
    <configuration name="modules.conf" description="Modules">
        <modules>

        <load module="transport_hep" register="local"/>
        <load module="protocol_sip" register="local"/>
        <load module="database_hash" register="local"/>
        <load module="protocol_tcp" register="local"/>
        <load module="protocol_rtcp" register="local"/>
        <load module="socket_pcap" register="local"/>

        <!-- NOTE: Block required for RTCPXR socket + RTCPXR protocol -->
        <!--
        <load module="protocol_rtcpxr" register="local"/>
        <load module="socket_collector" register="local"/>
        -->

        <!--
        <load module="socket_tzsp" register="local"/>
        <load module="protocol_ss7" register="local"/>
        <load module="protocol_tcp" register="local"/>
        <load module="output_json" register="local"/>
        <load module="protocol_rtcp" register="local"/>
        <load module="interface_http" register="local"/>
        <load module="database_redis" register="local"/>
        <load module="socket_pfring" register="local"/>
        -->
    </modules>
    </configuration>
</document>

/usr/local/captagent/etc/captagent/captureplans/tcp_capture_plan.cfg

capture[pcap] {

    # check minimum message size
    if(msg_check("size", "10")) {

        # attempt TLS parsing
        if(parse_tls()) {

            # attempt SIP parsing
            if(parse_sip()) {

                # Send using a profile defined in transport_hep.xml
                if(!send_hep("hepsocket")) {
                    clog("ERROR", "Error sending HEP!!!!");
                }

                # attempt SDP parsing
                if(sip_has_sdp()) {
                    # Activate it for RTCP checks
                    if(!check_rtcp_ipport()) {
                        clog("ERROR", "Duplicate SDP Session!");
                    }
                }

            } else {
                clog("ERROR", "Error parsing SIP!!!!");
                drop;
            }

        } else {
            clog("ERROR", "Error parsing TLS!!!!");
            drop;
        }
    }
    drop;
}

/usr/src/captagent/captagent/conf/private.key (self-signed, just for this purpose)

openssl req -x509 -newkey rsa:4096 -nodes -keyout private.key -out cert.pem -days 365

lmangani commented 6 years ago

The cipher seems to be supported, so perhaps @kYroL01 can provide a hint for investigation

kYroL01 commented 6 years ago

Sorry, today github sucks! I'll check asap

kYroL01 commented 6 years ago

@quasd Yes, I can confirm that the cipher suites in the pcap should be supported. Can you send me the original dump + key at mcampus@qxip.net and I'll try to check the problem better? Thank you

quasd commented 6 years ago

@kYroL01 dump + key sent to the mail mentioned above. Thank you for the help.

quasd commented 6 years ago

@kYroL01 this might have been an error on my side.

I went and assumed that Ubuntu 16.04 ships with libgcrypt-1.8 when that is not the case...

I tried compiling libgpg-error and libgcrypt from source, which resulted in captagent segfaulting when trying to capture a device registering. (The dump should be the same/similar as above.)

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17750
Segmentation fault (core dumped)

I am currently upgrading the test server to 18.04 to rule out problems with my manually compiled libraries.

(I have experienced this same behaviour on my personal computer running Arch, which currently ships with 1.8.3, so there does seem to be some problem, even though it's slightly different from the problem I reported initially.)

pacman -Q | grep libgcrypt
lib32-libgcrypt 1.8.3-1
libgcrypt 1.8.3-1

quasd commented 6 years ago

@kYroL01 I spoke too soon; even on 18.04 with libgcrypt 1.8.1 from the official repositories it doesn't work. The errors are slightly different though.

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
[DEBUG] protocol_tcp.c:271 TLS packet found
[DEBUG] protocol_tcp.c:202 KEY in proto_tcp = 17349
This is not a valid TLS/SSL packet
[ERR] protocol_tcp.c:253 INVALID TLS/SSL packet
[ERR] protocol_sip.c:132 Error parsing TLS!!!!

At least it doesn't segfault anymore.

kYroL01 commented 6 years ago

@quasd Mail received, thanks! So, basically, it's good news: no segfault anymore. Maybe something changed in the cipher suite. I'll try to figure out if something has changed.

kYroL01 commented 6 years ago

@quasd Can you also send me by mail the cert.pem you created? Thanks

quasd commented 6 years ago

@kYroL01 mail sent.

openssl pkey -in private.key -pubout -outform pem | sha256sum 
b384b8ea960f629176ceec3a8974c2f0caa2c2c429b8ac810773a7343067fcbe  -
openssl x509 -in private.pem -pubkey -noout -outform pem | sha256sum
b384b8ea960f629176ceec3a8974c2f0caa2c2c429b8ac810773a7343067fcbe  -

kYroL01 commented 6 years ago

As I privately answered @quasd (but the answer should probably be useful for others), the problem is the size of the private key created. Captagent TLS supports 2048-bit keys, but the one used here is 4096. From my side I'll try to understand how (and if) I can add 4096-bit support. The wiki needs updating to specify this limitation for now.
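A pre-flight check for the limitation kYroL01 describes, added here as an example; it is not part of the thread or of captagent's own code. It reads the modulus size straight out of the PEM file captagent is pointed at by `private-key-path`, so a 4096-bit key is caught before the agent starts logging "INVALID TLS/SSL packet". It handles both PEM forms OpenSSL writes (`BEGIN PRIVATE KEY`, PKCS#8, which `openssl req -newkey` produces, and `BEGIN RSA PRIVATE KEY`, PKCS#1) with a small hand-written DER reader, so it needs no third-party library. The 2048-bit limit is taken from kYroL01's comment; the function and constant names are this example's own, and the sample keys it builds for itself are structurally valid placeholders with a modulus of the requested size, not real key material.

```python
import base64
import re

# Largest RSA key captagent's TLS decryption is reported to handle (from the thread).
CAPTAGENT_MAX_RSA_BITS = 2048

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# --- minimal DER helpers (enough for RSA key structures) ---

def der_length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def der_integer(value):
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)

def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))

def der_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        items.append((tag, child))
    return items

# --- PEM <-> DER ---

def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# --- the check ---

def rsa_private_key_bits(pem):
    """Modulus size in bits of an RSA private key in PKCS#1 or PKCS#8 PEM form."""
    label, der = pem_to_der(pem)
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    fields = der_children(body)
    if label == "PRIVATE KEY":  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        _version, algorithm, key_octets = fields[:3]
        if der_children(algorithm[1])[0] != (0x06, RSA_ENCRYPTION_OID):
            raise ValueError("not an rsaEncryption key")
        _, inner, _ = der_read(key_octets[1], 0)  # RSAPrivateKey inside the OCTET STRING
        fields = der_children(inner)
    elif label != "RSA PRIVATE KEY":
        raise ValueError(f"unsupported PEM label {label!r}")
    # RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, publicExponent ... }
    modulus_tag, modulus = fields[1]
    if modulus_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def check_captagent_key(pem, limit=CAPTAGENT_MAX_RSA_BITS):
    """Return (bits, ok): ok is False when the key is larger than captagent supports."""
    bits = rsa_private_key_bits(pem)
    return bits, bits <= limit

def placeholder_rsa_private_key_pem(bits, pkcs8=True):
    """Constructed test input: structurally valid RSAPrivateKey whose modulus has
    exactly `bits` bits. The numbers are placeholders, NOT a usable key pair."""
    n = (1 << (bits - 1)) | 1
    rsa_key = der_sequence(
        der_integer(0), der_integer(n), der_integer(65537),
        *[der_integer(3) for _ in range(6)],  # d, p, q, dP, dQ, qInv placeholders
    )
    if not pkcs8:
        return der_to_pem("RSA PRIVATE KEY", rsa_key)
    wrapped = der_sequence(
        der_integer(0),
        der_sequence(der_tlv(0x06, RSA_ENCRYPTION_OID), b"\x05\x00"),  # rsaEncryption, NULL
        der_tlv(0x04, rsa_key),
    )
    return der_to_pem("PRIVATE KEY", wrapped)

if __name__ == "__main__":
    for size in (2048, 4096):
        bits, ok = check_captagent_key(placeholder_rsa_private_key_pem(size))
        print(f"{bits}-bit key: {'OK for captagent' if ok else 'too large, regenerate with rsa:2048'}")
```

To check the real file, pass its contents: `check_captagent_key(open("/usr/src/captagent/captagent/conf/private.key").read())`. The same number comes from `openssl pkey -in private.key -noout -text | head -1`, and the fix for this thread is simply to regenerate with `-newkey rsa:2048` in the `openssl req` command quoted above, then re-run the `pkey`/`x509` hash comparison to confirm cert and key still match. One further caveat worth keeping in mind when debugging "invalid TLS packet" errors with a static server key: passive decryption like captagent's only works when the handshake uses RSA key exchange, which the two suites in the Asterisk `tlscipher` line above (AES256-GCM-SHA384 and AES128-GCM-SHA256 in OpenSSL naming) do; any (EC)DHE suite gives forward secrecy and cannot be decrypted from the server key regardless of its size.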