Tuesday, January 28, 2014

H.323Plus 1.26 released

A new H323Plus is out: Version 1.26

  • it allows you to add TLS encryption to your endpoints (including H.460.22 capability negotiation)
  • it supports the upcoming H.235.6 with Diffie-Hellman keys up to 8 KB length
  • there is support for media over TCP (H.460.26)
  • support for H.323v8 language features
If you have endpoints based on H323Plus (or OpenH323), I would encourage you to update to the latest library version and enable those new features!

H323Plus v1.26 of course also works great with GnuGk 3.5.

Download H323Plus 1.26 from h323plus.org.

Monday, January 20, 2014

What's new in GnuGk 3.5? Part 2: Language based routing and support for H.323v8

GnuGk 3.5 includes support for routing of calls based on the language signaled by the caller and called party. For example you can route calls to support@company.com to different agents based on the caller language.

If you use the 'sql' or 'forwarding' routing policy, for example, you now have an additional variable, %{language}, that you can use to select the agent that best matches the incoming call.

To use this feature, you'll need endpoints that will signal the language. Language support was introduced in H.323v6. To make full use of this feature, you'll need endpoints supporting the upcoming H.323v8 which further improves on the language capabilities. GnuGk 3.5 supports H.323v8.

Starting with H.323v8, you also have the ability to let GnuGk 3.5 assign endpoints a language. That way you don't have to configure each endpoint individually. Use the [AssignedLanguage::SQL] section to do so.

To add language information to your LRQs to other gatekeepers, switch on the EnableLanguageRouting switch:


BTW: If you have your own endpoints based on H323Plus, you should enable the language feature now, it's really simple.

Wednesday, January 8, 2014

What's new in GnuGk 3.5? Part 1: New encryption features

Easier TLS configuration

H.323 encryption as implemented by virtually all commercial vendors is easily circumvented by man-in-the-middle attacks. (It's a bit like installing a huge lock and then leaving the key under the doormat for everybody to use.) So it is very important to secure at least your gatekeeper-to-gatekeeper signaling connections over the internet with TLS. See https://www.gnugk.org/h323-encryption.html for background information.

GnuGk can close this security hole by encrypting the signaling connection using TLS and verifying the certificates of clients and servers.

With GnuGk 3.5, you don't have to explicitly configure TLS for each partner. On all RAS connections GnuGk will use H.460.22 to signal support for TLS encryption and will automatically use it when the partner supports it.

Stronger RTP encryption with larger keys

When the media encryption spec (H.235.6) was published by the ITU in 2005, it contained an error that prevents all vendors from using Diffie-Hellman tokens larger than 2048 bits. This error is being corrected by the ITU now and the new spec is about to be published.

GnuGk 3.5 supports the upcoming specification and can be configured to use AES256 with tokens of up to 8192 bits when you configure it to add media encryption to your calls.

Support for legacy authentication with DES-ECB

GnuGk 3.5 adds support for username / password authentication using the DES standard. This kind of authentication is very weak and should only be used for interoperability with old equipment that doesn't support anything else (e.g. some Avaya endpoints).

Thursday, January 2, 2014

GNU Gatekeeper Version 3.5 released

I'm happy to announce the release of GNU Gatekeeper version 3.5.
The new version brings a number of new features as well as a number of
important bug fixes and a few changes in configuration options.

As usual, you can download the source code and executable for Linux, Windows, FreeBSD, OpenBSD, NetBSD and Solaris from https://www.gnugk.org/h323download.html.

New features:

  • implement H.460.22 to negotiate the use of TLS
  • language based routing (using the upcoming H.323v8)
  • new command line switch -mlock to prevent GnuGk from being swapped out
  • new section [ModeVendorSelection] to set proxy mode based on endpoint vendor
  • support for challenge/response authentication using DES-ECB, e.g. from Avaya endpoints
  • new switch [RoutedMode] FilterEmptyFacility= (Avaya interop)
  • new switch [RoutedMode] ProxyHandlerHighPrio=0 to avoid setting the proxy handler to high priority; needed to run GnuGk on certain virtualization platforms
  • print number of proxied calls and peak number of calls in statistics on status port
  • new switch [RoutedMode] H46023ForceNat
  • new switch [RewriteSourceAddress] TreatNumberURIDialedDigits
  • more detailed codec descriptions in %{codec} and Radius attribute
  • process multiple terminal-alias VSA from Radius
  • extend [GkStatus::Message] for URQ

Configuration changes:

  • changed default call signaling port from 1721 to 1720
  • replace H235HalfCallMediaStrength= switch with H235HalfCallMaxTokenLength= switch
  • disable use of SHA1 for TLS by default; the new switch [TLS] CipherList= can be used to customize the cipher selection
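
A way to check what a candidate CipherList= value actually enables before deploying it, as an added example (not GnuGk code). It assumes the value is an OpenSSL cipher string and expands it with Python's ssl module; the function names and the sample strings are constructed for illustration.

```python
import ssl


def expand_cipher_list(cipher_string):
    """Return the TLS 1.2-and-below suites an OpenSSL cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects no usable suite on this OpenSSL build
    # TLS 1.3 suites are configured separately from the cipher string
    # and are always AEAD, so they are left out of the audit.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def _has_token(cipher, token):
    # description looks like: "NAME TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
    return token in cipher["description"].split()


def sha1_suites(cipher_string):
    """Suites in the expansion that still use SHA-1 as the record MAC."""
    suites = expand_cipher_list(cipher_string)
    return sorted(c["name"] for c in suites if _has_token(c, "Mac=SHA1"))


def anonymous_suites(cipher_string):
    """Suites without server authentication (no certificate to verify)."""
    suites = expand_cipher_list(cipher_string)
    return sorted(c["name"] for c in suites if _has_token(c, "Au=None"))


if __name__ == "__main__":
    # Constructed sample values, not defaults taken from GnuGk.
    for candidate in ("HIGH", "HIGH:!SHA1", "HIGH:!SHA1:!aNULL"):
        print(candidate)
        print("  suites enabled :", len(expand_cipher_list(candidate)))
        print("  SHA-1 MAC      :", sha1_suites(candidate) or "none")
        print("  anonymous      :", anonymous_suites(candidate) or "none")
```

The result depends on the OpenSSL build the script runs against, so run it on the host where the gatekeeper is installed.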

Bug fixes:

  • BUGFIX(GkStatus.cxx) disable ssh compression to avoid libssh bug, fix memleak, implement cmdline command execution
  • BUGFIX(Neighbor.cxx) fix H.460 VendorInfo in LCF without TLS or NAT Support
  • BUGFIX(Routing.cxx) fix DNS policy to allow calls by IP:port to endpoint on same IP as gatekeeper
  • BUGFIX(ProxyChannel.cxx) fix RTCP forwarding with EnableRTCPStats=1
  • BUGFIX(ProxyChannel.cxx) fix race condition in call failover
  • BUGFIX(ProxyChannel.cxx) fix use of RTP multiplex port for non-multiplexing calls
  • BUGFIX(ProxyChannel.cxx) offer H.245 tunneling for H.460.18 calls when translation switch is on
  • BUGFIX(ProxyChannel.cxx) fix removal of h245Address in H.245 tunneling translation
  • BUGFIX(ProxyChannel.cxx) fix H.245 tunneling translation when H.245 connection is actively established by the gatekeeper and there are pending H.245 messages
  • BUGFIX(ProxyChannel.cxx) don't send a ReleaseComplete for Status messages outside of calls
  • BUGFIX(ProxyChannel.cxx) use Facility with reason transportedInformation for H.245 tunneling translation for H.225 version >= 4
  • BUGFIX(RasSrv.cxx) fix port detection for traversal clients
  • BUGFIX(RasTbl.h) fix translation of 2nd CallProceeding to unregistered endpoint
  • BUGFIX(yasocket.h) fix TLS with LARGE_FDSET