I am developing a project based on the Google Cloud IoT Core platform. I want to publish telemetry data using the GSM module (SIM7020 - NB-IoT).
However, the connection time (TLS handshake) takes a lot of time (> 10 seconds) and the connection is broken by the Google server.
What is the timeout handshake?
Can I extend this timeout in IoT Core settings?. Anyone have an idea how to work around this problem with slow connections?
best regards
You use SSL/TLS to establish a secure connection between the 2 points. To achieve this connection you need to complete a successful handshake between these points. If this handshake fails for example in your scenario because of timeout then the SSL/TLS couldn’t complete the handshake during this period. You can find more information about SSl/TLS from the organization Internet Engineering Task Force (ietf). Handshake from ietf, timeout from ietf.
For your information SSL/TLS is for TCP and DTLS for UDP.
If your bound to UDP, you may try out cloud-iot-coap-proxy. A DTLS PSK handshake, if that complies to your security requirements, is much faster.
After talking to Google support, it turned out that the only solution was to run your own virtual machine or use CoAP and communication over UDP. I decided to change cloud hosting to competitive.
Related
I have a couple questions.
If I were to use TLS1.0->1.3 Client-Side and never use SSLv2 or v3, would there be any impacts on TCP Client Handshake Compatibility?
As in, would there ever be a server that wouldn't support this change that would require me to use SSLv2/v3?
I guess what i'm asking is if TLS is backwards compatible which servers that use SSLv2/v3 or do I not understand SSL/TLS properly?
Also other way around, if I was running an OS that had no support for TLS, would I at some point end up with Protocol Issues when Handshaking an SSL Stream?
I used Wireshark to monitor packages of some websites, but found that there are such many communicating patterns of TLS 1.2.
The first one is a generic one:
Client: Client Hello
Server: Server Hello, Certificate, Server Hello Done
Client: Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Server: Change Cipher Spec, Encrypted Handshake Message
Second one is as followed:
Wireshark1
I'm just confused with why Certificate and Server Hello Done was in another package. Who demand server to do that? For what reasons?
After multiply refreshing page, I got the third one:
Wireshark2
Only 3 packages in handshake? A lot of processes were missed, was it because the information was cached? And how about the pre-master key?
Thanks for the answering!
TLS is a protocol over TCP, i.e. over a streaming transport protocol. For transport the data stream gets split into packets and thus it can happen that the ServerHelloDone is contained in one packet or in another or even split over two packets. Since the sizes are visible in your second example but not in the first it is unknown why the difference is exactly but it might be caused by the size of the certificate(s) contained in the handshake.
As for the third example: this is simple a TLS session reuse, i.e. it continues an older session and thus no sending of server certificate or similar is needed.
I'm testing SSL/TLS stream proxying within NGINX that will connect to a web server using gnutls as the underlying TLS API. Using the command line test tool in gnutls (gnutls-serv) the entire process works, but I can't understand the logic:
the NGINX client (proxying HTTP requests from an actual client to the gnutls server) seems to want to handshake the connection multiple times. In fact in most tests it seems to handshake 3 times without error before the server will respond with a test webpage. Using wireshark, or just debugging messages, it looks like the socket on the client side (in the perspective of the gnutls server) is being closed and reopened on different ports. Finally on the successful connection, gnutls uses a resumed sessions, which I imagine is one of the previously mentioned successful handshakes.
I am failing to find any documentation about this sort of behaviour, and am wondering if this is just an 'NGINX thing.'
Though the handshake eventually works with the test programs, it seems kind of wasteful (to have multiple expensive handshakes) and implementing handshake logic in a non-test environment will be tricky without actually understanding what the client is trying to do.
I don't think there are any timeouts or problems happening on the transport, the test environment is a few different VMs on the same subnet connected between 1 switch.
NGINX version is the latest mainline: 1.11.7. I was originally using 1.10.something, and the behaviour was similar though there were more transport errors. Those errors seemed to get cleaned up nicely with upgrading.
Any info or experience from other people is greatly appreciated!
Use either RSA key exchange between NGINX and the backend server or use SSLKEYLOGFILE LD_PRELOAD for NGINX to have the necessary data for Wireshark to decrypt the data.
While a single incoming connection should generate just one outgoing connection, there may be some optimisations in NGINX to fetch common files (favicon.ico, robots.txt).
I am new to the VOIP concepts. I just took a course on VOIP. I am interested in implementations of SIP using TLS, IPSEC and Digest as well.
I want to see if SIP signaling uses IPSEC instead of TLS, how would it effect the performance, would the singaling be a little more time consuming? Would it add to the security or reduce the security.
I was searching for a softphone which has both TLS/IPSEC mechanisms so that I can analyze both packets on wireshark but I didnot come across any. Any suggestions on how to do that?
Thanking in advance!
Softphones don't explicitly support IPSEC because it is a network layer protocol. The lowest level dealt with in the SIP RFC is the transport layer where it provides 3 alternatives those being UDP, TCP and TLS.
SIP signalling would work fine over IPSEC since it's not that time sensitive. Even a delay of 1 or 2 seconds for SIP requests and responses will be barely noticeable. However the RTP traffic which carries the call media could well be affected if additional latency is introduced.
Let's suppose you have to secure your SIP signalling between your end points (soft phone or hardware) and the call control engine, also suppose both end-points and the call control reside inside the same campus, or LAN or private network.
The right choice is to employ TLS between end-points and the call control engine, most of end-points support TLS in their implementation (firmware or software). Anyway the same applies also for mobile workers (they establish TLS from the internet with an authenticated front-end placed in the DMZ inside your corporate); TLS is well suited in those scenarious where non additional client installation is needed.
At the other hand to have SIP protected inside IPSec you need to install IPSec client on your laptop (where sip client resides) first, the IPSec client establishes security with an IPSec Gateway placed in your corporate (more complex and expensive to manage). In brief IPSec is well suited in those scanarious where you need privacy between LANs accross the public network (IPSec tunnel mode is set up between IPsec Gateways).
When you talk about SIP with TLS or IPSec you cannot neglet RTP.
To have SecureRTP in place, TLS protocol is the choice. During session setup SIP entities exchange TLS parameters (such as the chiper suite to use to protect RTP) within SDP body, have a look at logs to see SDP inside SIP. At the end of the exchange SIP entities are able to secure RTP traffic because of they agreed on a common session encryption key (is the simmetric key derived from the key exchange protocol).
With IPSec is different, there are no IPSec information exchanged within SDP or SIP messages. You setup IPSec tunnel first and then you send your traffic inside the tunnel, this traffic can be SIP and RTP as well. Note that with IPSec tunnel mode the original packet is encapsulated on a new IP packet (there is an external IP header), so more overhead and processing..
To summary:
Securing SIP is possible with TLS and IPSec, consider your environment. I would consider TLS as much as possible.
Securing RTP is possible with TLS, it is called SecureRTP (encryption, message authentication and integrity, and replay attack protection to the RTP data ).
Securing RTP\SIP with IPSec requires more effort. Consider IPSec tunnel when you need to protect more than SIP\RTP.
Have a look at NAT traversal feature when you decide to employ IPSec with voice\video and a NAT device is traversed.
I'm developing a client/server Winforms application. Clients connect to server using internet and use WCF's netTCPBinding to talk to server.
Communicating in a secure channel is very important for me and since NetTCP binding is secured by default with TLS, it seems like I don't have to do anything. Do I?
How can I monitor the encrypted data sent/received between my client/server in localhost? I used RawCap to capture data and opened the dump file in Wireshark. But I don't know how I should check for TLS security in packets. dump file is full of unkown TCP packets (not from my software) with vcom=tunnel info for most of them.
TCP binding security element is set to Transport by default. This indicates requirement that transport session must be encypted. If you cannot establish TLS session service will reject the call.
You can use something like TCPMon which will show TLS traffic albeit encrypted. Also there is SSLDump