HFP - TLS connection to HEP server #10

Open
idanam-del opened this issue May 2, 2023 · 7 comments

Comments

@idanam-del

Hey, does this support a TLS connection to the HEP server? If so, how do I configure it?

@ivlovric
Owner

ivlovric commented May 9, 2023

Hi!

Haven't tried TLS. In theory it could work, as TLS is transported by TCP, which this proxy is doing: just set the outbound/backend side using the -r command line switch to point to the HEP TLS server endpoint, which should take care of TLS decoding. HFP in this case should just transparently pass TLS over TCP to the backend.

We would appreciate feedback about this case.

Thanks,
I

@idanam-del
Author

> Hi!
>
> Haven't tried TLS. In theory it could work, as TLS is transported by TCP, which this proxy is doing: just set the outbound/backend side using the -r command line switch to point to the HEP TLS server endpoint, which should take care of TLS decoding. HFP in this case should just transparently pass TLS over TCP to the backend.
>
> We would appreciate feedback about this case.
>
> Thanks,
> I

As I understood, I could use heplify as a HEP proxy from HFP to the HEP server, and that will be TLS.

So the native agent will send HEP to HFP -> heplify HEP proxy -> TLS -> HEP server

Still haven't tested.

@ivlovric
Owner

ivlovric commented May 9, 2023

Hi,

Heplify server also supports TLS, so it can be terminated there. But not sure it will work at all, as the packet will change its IP along the way, breaking TLS integrity. Nonetheless, it would be interesting to try :)

So, something like this: HEP agent (TLS over TCP) > (TCP) HFP (TCP proxy) > (TLS over TCP) Heplify server

https://github.com/sipcapture/heplify-server/blob/master/example/homer7_config/heplify-server.toml#LL3C5-L3C5

@idanam-del
Author

idanam-del commented May 9, 2023 via email

@idanam-del
Author

idanam-del commented May 15, 2023

> Hi,
>
> Heplify server also supports TLS, so it can be terminated there. But not sure it will work at all, as the packet will change its IP along the way, breaking TLS integrity. Nonetheless, it would be interesting to try :)
>
> So, something like this: HEP agent (TLS over TCP) > (TCP) HFP (TCP proxy) > (TLS over TCP) Heplify server
>
> https://github.com/sipcapture/heplify-server/blob/master/example/homer7_config/heplify-server.toml#LL3C5-L3C5

I've tested this setup:

HEP agent (UDP) > heplify as HEP COLLECTOR (TLS over TCP) > (TCP) HFP (TCP proxy) > (TLS over TCP) Heplify server

  1. I configure HEP COLLECTOR to directly connect to the Heplify server on TLS port 9063

  2. And HFP to listen to 9063 and proxy towards the Heplify server at port 9063

     HEP COLLECTOR and HFP are on the same machine.

  3. At the heplify server I can see calls and encrypted msgs in tcpdump

Now I will test the HFP capabilities by initiating network outages using UFW at the heplify server.
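The path tested in the comment above, reduced to one process as an added example (not part of the thread and not HFP's code): a TLS client reaches a TLS server through a relay that only copies TCP bytes, which is how the thread describes HFP's proxying. The certificate, the name `hep.test`, the payload and every function name are constructed for the example; the client dials the relay's address but still verifies the server's certificate by name.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ThroughRelay echoes msg over TLS via a byte-copying relay; reports if the relay saw msg.
func ThroughRelay(msg string) (echo string, relaySawPlaintext bool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed throwaway key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"hep.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	server := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}))
	go func() { c := must(server.Accept()); io.Copy(c, c) }() // TLS terminates here
	front := must(net.Listen("tcp", "127.0.0.1:0"))           // relay's listen side
	seen, done := new(bytes.Buffer), make(chan struct{})
	go func() { // the relay: copies TCP payload both ways, never parses TLS
		defer close(done)
		in, out := must(front.Accept()), must(net.Dial("tcp", server.Addr().String()))
		go func() { io.Copy(in, out); in.Close() }()
		io.Copy(io.MultiWriter(out, seen), in) // returns when the client closes
		out.Close()
	}()
	conn := must(tls.Dial("tcp", front.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "hep.test"}))
	fmt.Fprint(conn, msg)
	echo = string(must(io.ReadAll(io.LimitReader(conn, int64(len(msg))))))
	conn.Close()
	<-done
	return echo, bytes.Contains(seen.Bytes(), []byte(msg))
}

func main() { fmt.Println(ThroughRelay("constructed HEP payload")) }
```

The handshake completes end to end and the relay only ever handles ciphertext, so TLS is terminated at the backend. For the same reason, any bytes a byte-copying relay holds back and sends later belong to the original TLS session and are not valid on a new connection.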

@idanam-del
Author

idanam-del commented May 15, 2023

2 issues while using the latest release: https://github.com/ivlovric/HFP/releases

  1. When the heplify server is down, HFP should immediately be triggered and try to reconnect to the server and say so in the logs. It only happens after I exit and run the executable again.

  2. After reconnecting, when it's supposed to flush the buffer, it doesn't and says the following:

||-->X File Send HEP from buffer to file error read tcp4 127.0.0.1:9063->127.0.0.1:35144: use of closed network connection

@ivlovric
Owner

Hi,

  1. HFP is trying to reconnect on the first packet received on input after the backend side (heplify server in your case) is down. Will assess if monitoring of the outbound side without traffic is a good option for this proxy; the reasoning was to use traffic for the first reconnect retry loop, so as not to overburden the backend HEP server if there is no traffic at all.

  2. Yes, that is a repercussion of the last revert commit, but please check the last beta branch as well as the latest next branch and see if it behaves better - it should. The "next" branch is a complete rewrite, so feel free to report.

Thanks
