Earlier last week n8fr8 suspected something changed on the ostel.co server, due to many users emailing support specifically about Jitsi connectivity to ostel.co. The common question was: why did it work a few weeks ago and now it doesn't anymore?
The tl;dr follows, skip to keyword CONCLUSION to hear only the punch line.
To support n8fr8's hypothesis, there was a small change to the server, but I wasn't convinced it affected anything since all my clients continued to work properly, including Jitsi. Obviously something had changed but none of us knew what it was. After some testing we discovered the problem was related to insecure connections from Jitsi to UDP port 5060 on ostel.co. Secure connections (on TCP port 5061) continued to work as expected.
To make matters more confusing, I could register and make calls with two different clients (CSipSimple and Linphone) on the same network (my home ISP, Verizon FiOS) using an insecure connection to ostel.co on UDP port 5060.
At this point I was like WTF?
I went back to the server, diffed all the configs, checked server versions, connected with every client I could find that would run on any of my computers. The only change was a Kamailio upgrade from 4.0.1 to 4.0.2. A minor point release. The problem with Jitsi remained. What could the server be doing to this poor client?
I did a packet trace on the ostel.co server's public network interface, filtered to dump packets only on UDP port 5060 that match my SIP username. I opened Jitsi and things got interesting. For the curious, here's the utility and options I used. If you are new to operating a SIP network, ngrep is an excellent tool for debugging.
ngrep -d eth0 -t -p -W byline foo port 5060
I'll include an excerpt (I've included only the relevant headers for this issue) of the initial request from Jitsi. IP addresses and usernames have been changed to protect the innocent.
U 2013/07/19 22:17:34.920749 0.0.0.0:5060 -> 66.151.32.200:5060
REGISTER sip:ostel.co SIP/2.0.
CSeq: 1 REGISTER.
From: "foo"
#
U 2013/07/19 22:17:34.921155 66.151.32.200:5060 -> 0.0.0.0:5060
SIP/2.0 401 Unauthorized.
CSeq: 1 REGISTER.
From: foo
If you read the response, you'll see Kamailio sent 401 Unauthorized. This is normal for SIP authentication. A second client request should follow it, which should contain an Authorization header with an MD5 and a nonce. When Kamailio receives this request, checks the auth database and sends a 200 OK response, the client is authenticated.
The SIP dialog looks good but Jitsi continues not to register. The dialog flow is cut off after the 401 Unauthorized response. It's almost like something has blocked the response to the client.
Since I could register Linphone using the same account, I did the same trace for that client. Here's the excerpt.
U 2013/07/19 22:33:18.372770 0.0.0.0:42680 -> 66.151.32.200:5060
REGISTER sip:ostel.co SIP/2.0.
Via: SIP/2.0/UDP 0.0.0.0:49153;rport;branch=z9hG4bK359459505.
From:
#
U 2013/07/19 22:33:18.373112 66.151.32.200:5060 -> 0.0.0.0:42680
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP 0.0.0.0:49153;rport=42680;branch=z9hG4bK359459505.
From:
This 401 Unauthorized response was received by the client and the follow-up request with the Authorization header was sent with the correct digest. Linphone registered. I made a call. Everything worked fine. Indeed WTF?
I stared at these traces for a while to get a clue. Look again at the first line of the request from Jitsi. You'll see a timestamp followed by two IP:port pairs. Notice the port on the first IP is 5060 and the port on the second IP is also 5060. This means that the source port used by Jitsi on my home network is UDP port 5060. In order for a response to come back to Jitsi, it must enter my network on the same port it exited. Now read the top line of the response from Kamailio. Indeed, the server sent the response to UDP port 5060.
Now look at the same flow for Linphone. There is a very different source port in that dialog. In this case, Kamailio sent the response to UDP port 42680 and Linphone received it. Also notice the IP address used by Kamailio as the destination of the response is the same one in the dialog from Jitsi.
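The comparison above can be automated over a server-side capture. The following is an added example, not part of the original post: it parses `ngrep -t -W byline` output and lists client endpoints that were sent a 401 challenge but never came back with a REGISTER carrying an Authorization header. The sample trace and its addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in `ngrep -t -W byline` layout; addresses are documentation ranges.
SAMPLE = """\
#
U 2013/07/19 22:17:34.920749 192.0.2.10:5060 -> 198.51.100.5:5060
REGISTER sip:ostel.co SIP/2.0.
#
U 2013/07/19 22:17:34.921155 198.51.100.5:5060 -> 192.0.2.10:5060
SIP/2.0 401 Unauthorized.
#
U 2013/07/19 22:33:18.372770 192.0.2.10:42680 -> 198.51.100.5:5060
REGISTER sip:ostel.co SIP/2.0.
#
U 2013/07/19 22:33:18.373112 198.51.100.5:5060 -> 192.0.2.10:42680
SIP/2.0 401 Unauthorized.
#
U 2013/07/19 22:33:18.401000 192.0.2.10:42680 -> 198.51.100.5:5060
REGISTER sip:ostel.co SIP/2.0.
Authorization: Digest username="foo", nonce="constructed".
"""

# Packet header line: protocol flag, date, time, "src:port -> dst:port".
HEADER = re.compile(r"^U \S+ \S+ (\S+):(\d+) -> (\S+):(\d+)$")

def packets(trace):
    """Yield (src, dst, payload_lines) for each UDP packet in the trace."""
    current = None
    for line in trace.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = ((m[1], int(m[2])), (m[3], int(m[4])), [])
        elif current and line not in ("", "#"):
            current[2].append(line.rstrip("."))  # byline prints CR as "."
    if current:
        yield current

def stalled_registrations(trace):
    """Client endpoints that were sent a 401 but never retried with credentials."""
    challenged, answered = set(), set()
    for src, dst, lines in packets(trace):
        first = lines[0] if lines else ""
        if first.startswith("SIP/2.0 401"):
            challenged.add(dst)
        elif first.startswith("REGISTER ") and any(
                l.lower().startswith("authorization:") for l in lines):
            answered.add(src)
    return sorted(challenged - answered)
```

On the constructed trace only the endpoint with source port 5060 is reported, which matches the pattern in the two excerpts: the challenge leaves the server either way, but only the client on the high port answers it.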
The question remained, why can't Jitsi get the same kind of SIP response on UDP port 5060? Why is Jitsi using a single source port for outgoing traffic anyway? That value can be dynamic. I configured Jitsi to use a different port for insecure SIP. It has an advanced configuration for SIP with the key SIP client port. I set this to 5062 (5061 is conventionally used for secure SIP traffic so I incremented by 2) and tried to register again.
SUCCESSSSSSSSSSSS!
To be thorough, I changed Jitsi's SIP port again to a 5 digit number I randomly typed on my keyboard without looking.
SUCCESSSSSSSSSSSS!
So if Jitsi can register to Kamailio on any port other than UDP port 5060, WTF is going on? I had a suspicion. I tried one more test before I called it. I configured Jitsi to connect on TCP port 5060. It registered successfully. Now I know what's going on. I have a sad.
CONCLUSION
My ISP, Verizon FiOS, has a firewall running somewhere upstream (it could be on the router they provided, I haven't checked yet) that blocks incoming UDP traffic to port 5060. This probably falls under their TOS section which forbids running servers since Verizon provides voice services for an additional fee on top of data service, despite both running over the same fiber connection to my house. It seems like Verizon doesn't want their data-only customers to get in the way of that sweet cheddar delivery each month in exchange for phone service.
This sucks on two levels.
LEVEL 1
Why is my ISP censoring my incoming traffic when I have 5 mbps of incoming bandwidth? I assume the answer is because they can. *desolate frowny face*
LEVEL 2
Why doesn't Jitsi use a dynamic source port for SIP requests? I assume the answer is Jitsi is open source, why don't I change this and send a patch upstream?
Both levels are formidable challenges to overcome. Convincing Verizon to play nice on the Internet feels like a vanity project. I'm writing that off. To make a change to the SIP stack in Jitsi is well within the area of the GP team's expertise, myself included, but it's not a trivial undertaking. Since this is a default configuration change there is probably a reason upstream devs made this choice, so in addition to the programming work there's the work to convince the developers this would be a change worth a new release.
Since this is specific to Jitsi, I'm going to follow up with the developers and see if I missed anything. Stay tuned for part two.
Thanks for listening. Stay safe!
Read the original:
Jitsi, ostel.co and ISP censorship | The Guardian Project