SIP Telephony, good and bad

I’ve had a SIP handset now for about two weeks: a Budgetone 102 handset. Its not too bad, from what I can tell, but I am using a provider in Perth, SimTex, whichis around 400ms away RTT, and I am getting some bad audio on one side of the call.

Its so frustrating, that we constantly have to abandon the SIP phone and use the PSTN, at more expense. I’m connecting through Demon internet in London on a 512 DSL link., which should be plenty fast enough. The annoying thing is that my emails and now phone calls to SimTex have gone unanswered. Not a way to keep customers. TIme to start looking for other providers, or, put my own box in…. Asterisk rocks, and the PSTN cards arent that expensive… if I put a 1U box with an ISDN 30 card in each city…. I’d be a SIP-telco.

I found Cisco had a nice lit of SIP response codes.

Random stuff I may get on EBay

Ever since I was stung on eBay a few years back for around AUD$ 500 worth of wireless equipment from some bastard in Deer Park, USA, I’ve not used eBay. But now I’m thinking of getting a few things:

  • 75 – 300 mm Canon EF zoom lens, for my 300D digital SLR camera
  • Wireless print server for my canon printer
  • Ethernet web cam/video conference facility

PocketPC Tips

I purchased a Toshiba PocketPC e570 PDA in June 2002. This device is a little bulky, but had the advantage of a CF (Compact Flash) port and a secure media port.

My hopes where to be able to send and recieve emails (plain text is fine), and be able to print (via IRDA).

While printing does work, it is not a part of the default suite of programs available. You have to shell out more money to 3rd party developers to get this support working. Looks like Toshiba, or Microsoft, took shortcuts. I was trying to print to a Hewlet Packard LaserJet 2100 M, and HP’s web site directed me to get drivers from my manufacturer, Toshiba. Toshiba’s PocketPC web site is completely fucking useless. There entire support structure is geared *away* from these products. Their staff reject and disencourage PocketPC support questions. Aghhh!

Luckily, their telephone support does exist. Place a call and save time. While you’re there, ask to speak to a manager, and tell them that in place of wasting their time right now, you could be helping yourself to the information you are after if they put some effort into their web site!

Ho hum. Lets move on. Printing. Looks like the 3rd party software is at The product is called PrintPocketCE, and while a little sliggish on some redraws, it does work under PocketPC 2002 quite well. Well done FS. A 30 day trial is availale, and the software is around US$39 or so.

Back to getting data in and out of the device. I got a belkin 802.11b wireless CF card. I can cruise around my network; I can see it DHCP, and I can use the built-in IE browser to look at HTTP and HTTPS web sites. I havent forced it yet, but using a specific proxy with HTTPS would be nice; if people are going to use wireless, doing a bit extra to help secure it at an application layer is nice.

And it is security that brings me to my next issue. For me, email is either accessed locally on a server, or via IMAPS. IMAPS is like IMAP, except over SSL. If I am going to have passwords fly around the network, I like them to be encrypted in transit! However, the ‘INBOX’ client that comes with PocketPC 2002 seems to be too cut down, only supporting unencrypted POP3 and IMAPv4. There is no SSL support here. This is pretty important. It seems there are no Mail User Agents (MUA) for the PocketPC that support IMAPS. Fr me. this greatly hinders the use of the product.

Sun Crypto Accelerator Board 1: How to get it working with OpenSSL

The Sun Crypto Accelerator Board 1 is a PCI based board that is used to accelerate public key cryptography, used during the establishment of SSL connections to web servers.

Sun provide a set of patches against OpenSSL 0.9.4. This version was released quite some time ago, and does not support the notion of SGC, or Server Gated Cryptptography. SGC, also called SuperCerts, Global Server Certs, or Step-Up Cryptography, permits the (now venerable) Export Grade browsers to renegotiate their cryptgraphy sterngth with certain web sites that have special extended certificate usage flags set within their signed web site certificate.

While Sun’s patches do work against OpenSSL 0.9.4, and thus permit you to run Apache + ModSSL + OpenSSL, you wont be able to do SGC.

The Sun card is a rebadged Rainbow CS-200 card. It has a little LED on the PCI card to indicate that it is on (green) and when it is doing crypto (orange).

The next important thing to know is what the card can accelerate for you. Doing SSL to a web site actually uses two different types of cryptography. The inital is a public key exchange; this is because this is the only feaible way of doing public encryption without a shared secret. After this has been done, we THEN use a shared secret: symmetric key encryption.

The Sun Crypto Accelerator Board 1 will only help you with one part of the encryption: the public key stuff. Once a symmetric key has been passwd between both parties, it is not used on this connection any more. Furthermore, if you have a SSLSessionCache set up, this symmetric key is saved between subsequent connections. So using your own browser and trying to see if the Crypto Card is helping will actually not show you anything; every time you re-test and reload a page, you will be using the saved SSL Sesscion Cache symmetric key, not renegotiating a new session key! For testing purposes, disable this, but for production use, turn it on.

Testing the card with software: Rainbow supply a utility called csdiag, and Sun have something similar called cstest. These utilities show you the number of interrupts and request that have been routed to the PCI card. Unfortunately, the act of inspecting the interrupts on the card actually increases these interrupts, similar to the problems of quantum mechanics and the law of observability; the act of observing changes the state. This known change must be taken into consideration when using these programs.

The card works by using a kernel resident driver, cspci. Under Solaris, you can find if it is in memory with modinfo |grep cspci. There is also a library of code that is used, Rainbow supply, and Sun supply However, more importantly, Rainbow puts this in /usr/local, while Sun uses /opt/SUNWconn/sunsecure/lib. The first one is part of your LD_LIBRARY_PATH, and the second is not. The solution is a simple symbolic link from /usr/lib/ to the same name as supplied by Sun in /opt….

I have done this with OpenSSL-Engine-0.9.6b, which is the current release as of this writing. No modifications to the OpenSSL code were required. No modifications to Apache or Mod_SSL were required, other than enabling the EXPERIMENTAL code. The simple check list boils down to:

  • Make sure there is a /usr/lib/
  • Turn off SSLSessionCache for testing to see the counters go up and the orange LED come on.

The broader question of what advantage this proves is yet to be seen. There are known issues with some OpenSSL functionality (eg, “openssl speed rsa -engine cswift” does not work correctly). As to Web SSL (HTTPS) connections: since you have a session cache, and are doing symmetric key encryption on your main CPU any way, it is only a small part that is being off loaded. As to how expensive this part is, I don’t know.

I hope this helps someone else who is in this situation. Thanks goes to Ros at Rainbow and Mike Tan at Sun for their help in getting this sorted. Thanks also to Todd Piket (and his OpenSSL + Crypto Board stats page, plus the people of the Mod-SSL and OpenSSL mailing lists.

FYI, the information I get from cstest from Sun now is:

$ ./cstest
"             API Version: 5.2.2
""          Driver Version: 2.1.3
""            Accelerators: 1
""          Command Bitmap: 7f000000
""     Interrupts Serviced: 47498
""     Interrupts Received: 47498
""      Requests Attempted: 47497
""      Requests Completed: 47497
""Maximum Pending Requests: 1
""Current Pending Requests: 0
""      Accelerator #: 0
""          Last Test: 0
""   Self Test Bitmap: 00000000
""     Command Bitmap: 7f000000
""   Hardware Version: 108e:61.14.7
""   Firmware Version: 2.2.2
""          Signature: 6f3beadd
""Interrupts Serviced: 47499
""Interrupts Received: 47499
"" Requests Attempted: 47498
"" Requests Completed: 47498
""          Idle Time: 0
""               Name: Sun Crypto Accelerator
""       BIOS Version: 0.0.0

The shoddyness of Microsoft: Internet Explorer Update Fiasco

Internet Explorer 6Microsoft Corporation comes under a lot of flack from the IT community for slipshod work. The constant state of software being released by them that is either incompatible with everything they (and anyone else) has done, and an unprecidented number of security holes leads to much ridicule of the organisation.

I’d like here to just make a point of the latest (as at December 15th 2001) blunder that the company has fallen into. They have today released what is being termed as a major patch to their web browsing software, Internext Explorer. This has only been made available for versions 5.5 (Service Pack 2) and 6. While end-of-life’ing older versions is probably acceptable, it should be known that 5.01 SP2 is not that old, and the lack of a patch for this older version will hurt some organisations and their SOE.

Just to not miss other coverage of this, here are stories on Slashdot and The Register.

The main point is thus: take a peek at the image here showing my laptop with its installed MSIE 6.0 under MS Windows Millennium Edition, and me trying to install this update.

Screenshot Which begs the question: what version do I have of MSIE installed? And where is my patch to fix the security vulnerabilities that MS is (perhaps) trying to rectify?