Develop Reference

MQTT java spring app accessing activemq on docker host fails to connect in brigde mode

I have a Spring java app with Paho MQTT v3 connecting ActiveMQ.
The app is working well out of eclipse and started via java -jar and also inside my docker container as long as the network is in host mode. I tried the host mode because the bridge mode is not working. (my issue: connection reset)
I want to use the bridge mode because host mode I see as security issue. The app runs inside the container with limited rights. For testing purposes I have deactivated this so that I tested with uid 0. But this is not the problem.
The issue is, when I am running in bridge mode I get:
2020-11-30 19:58:54.192 ERROR 13 [ main] n.w.s.s.s.MqttSender.startPublisher:53 : MqttException while starting mqtt message publisher. (resons code: 32103) : Unable to connect to server
org.eclipse.paho.client.mqttv3.MqttException: Unable to connect to server
at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:80)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:74)
... 2 common frames omitted
As I wrote I tried this:
runing without docker => ok
running in docker container in host mode => ok
running in docker container in bridge mode => nok
I determined the mqqt host (docker host) by a script using "ip route" (alpine image)
I see in my log, that the default gateway ip is successfully determined and used.
I checked the firewalld setting and tested with netcat, if this could be the issue. But with nc I could not see an issue.
I checked with tcpdump and have seen that the connection is established. But then the mqtt client sends
unsubscribe request
disconnect request
I suppose that ActiveMQ says something like unauthorized because it is not connected of a private network (192...). Instead the network in docker is something with 172.17..*
Otherwise the activemq listens on 0.0.0.0:1883.
Even via ssh tunnel I could connect.
I added the paho reson code to log. I got 32103.
Has anybody an idea what could happen here?
This is the traffic grabbed by tcpdump
1 0.000000 172.17.0.2 172.17.0.1 TCP 74 43482 ? 1883 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=715574721 TSecr=0 WS=128
2 0.000112 172.17.0.1 172.17.0.2 TCP 74 1883 ? 43482 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=715574722 TSecr=715574721 WS=128
3 0.000148 172.17.0.2 172.17.0.1 TCP 66 43482 ? 1883 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=715574722 TSecr=715574722
4 0.328363 172.17.0.2 172.17.0.1 MQTT 100 Connect Command
5 0.328505 172.17.0.1 172.17.0.2 TCP 66 1883 ? 43482 [ACK] Seq=1 Ack=35 Win=29056 Len=0 TSval=715575050 TSecr=715575050
6 0.330538 172.17.0.1 172.17.0.2 MQTT 70 Connect Ack
7 0.330612 172.17.0.2 172.17.0.1 TCP 66 43482 ? 1883 [ACK] Seq=35 Ack=5 Win=29312 Len=0 TSval=715575052 TSecr=715575052
8 0.341795 172.17.0.2 172.17.0.1 MQTT 83 Subscribe Request (id=1) [sensordata]
9 0.343407 172.17.0.1 172.17.0.2 MQTT 71 Subscribe Ack (id=1)
10 0.383106 172.17.0.2 172.17.0.1 TCP 66 43482 ? 1883 [ACK] Seq=52 Ack=10 Win=29312 Len=0 TSval=715575105 TSecr=715575065
11 3.289301 172.17.0.2 172.17.0.1 MQTT 82 Unsubscribe Request (id=2)
12 3.290162 172.17.0.1 172.17.0.2 MQTT 70 Unsubscribe Ack (id=2)
13 3.290252 172.17.0.2 172.17.0.1 TCP 66 43482 ? 1883 [ACK] Seq=68 Ack=14 Win=29312 Len=0 TSval=715578012 TSecr=715578012
14 3.293894 172.17.0.2 172.17.0.1 MQTT 68 Disconnect Req
15 3.295862 172.17.0.1 172.17.0.2 TCP 66 1883 ? 43482 [FIN, ACK] Seq=14 Ack=70 Win=29056 Len=0 TSval=715578017 TSecr=715578015
16 3.335121 172.17.0.2 172.17.0.1 TCP 66 43482 ? 1883 [ACK] Seq=70 Ack=15 Win=29312 Len=0 TSval=715578057 TSecr=715578017
In ActiveMQ I have just enabled the MQTT transort connector. Security I don't enabled.
Do I have to configure something more in ActiveMQ?

absolute_codec_string not working in dialplan

I got some trouble with using absolute_codec_string param.
My call scenario is pretty simple: caller <--> FS <--> callee.
My caller compose m=audio 7078 RTP/AVP 8 0 101 in its INVITE and I'm doing <action application="bridge" data="{absolute_codec_string=PCMU}sofia/gateway/callee/$1"/> in the dialplan.
I expected FS to use only PCMU m=audio 22952 RTP/AVP 0 101 talking to the callee
But FS still use m=audio 22952 RTP/AVP 8 0 101 in the INVITE to the callee.
Note that when I'm using originate application in fs_cli, things are good.
originate {absolute_codec_string=PCMU}sofia/gateway/caller/100 &bridge({absolute_codec_string=PCMA}sofia/gateway/callee/100
then I have FS with proper behavior in transcoding, caller has m=audio 31184 RTP/AVP 0 101 received, and callee has m=audio 21922 RTP/AVP 8 101 received.
Not sure what I'm missing, any help would be appreciated.
Edit
I was using FS media_proxy, so absolute_codec_string won't work, any another way to limit codecs used for callee to fulfill my purpose?
e.g: caller use PCMA,PCMU, I want to cut PCMA out of SDP and offer PCMU only to callee
rgds,
Loi Dang

Guess I have the answer for my own question
Briefly, I modify the whole remote sdp with variable switch_r_sdp instead of dealing with absolute_codec_string
<condition field="${switch_r_sdp}" expression="/(.*)(m=audio \d+ RTP\/AVP)([ \d]+)(.*)/s" break="never">
<action application="set" data="switch_r_sdp=$1$2$ 8 101$4"/>
<!-- Then just call bridge normally -->
</condition>
More info: https://freeswitch.org/confluence/display/FREESWITCH/Codec+Negotiation#CodecNegotiation-Modifyingthecodecwhenusingproxymediamode
rgds,
Loi Dang

How can I rewrite SDP with switch_r_sdp in freeswitch?

v=0
o=- 1358463684 1358463684 IN IP4 xxx.xxx.xxx.xxx
s=Opal SIP Session
c=IN IP4 xxx.xxx.xxx.xxx
t=0 0
m=audio 3144 RTP/AVP 19 3 101 120
c=IN IP4 xxx.xxx.xxx.xxx
a=rtpmap:18 G729/8000/1
a=fmtp:18 annexb=no
a=rtpmap:3 gsm/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16,32,36
a=rtpmap:120 NSE/8000
a=fmtp:120 192-193
In the above SDP, I would like to change the IP address xxx.xxx.xxx.xxx
to different yyy.yyy.yyy.yyy. I searched in the internet and found that I need to use "action application="set"![CDATA[(sdp here)]] /action"
But I am not sure what is the exact changes I need to make. Please help me.

If you're behind NAT, you can configure the external RTP in your Sofia SIP Profile:
<param name="ext-rtp-ip" value="yyy.yyy.yyy.yyy"/>
FreeSwitch will then present this IP in outgoing SDP.
https://freeswitch.org/confluence/display/FREESWITCH/Sofia+SIP+Stack

Problems installing Homebrew on a new OS X installation (SSL error)

Have a fresh OS X installation here (new VM), and when trying to install Homebrew I just get an SSL error.
fatal: unable to access 'https://github.com/Homebrew/homebrew/': Unknown SSL protocol error in connection to github.com:-9847
Failed during: git fetch origin master:refs/remotes/origin/master -n --depth=1
This is the command I'm using:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Checked around a little bit and tried adding --insecure (or -k) and removing the s from https, but it doesn't seem to help. With --insecure I just get that server aborted the SSL handshake.
Anybody have any idea what is wrong here? "xcode-select --install" has been run as well.
EDIT: Following the suggestion below I dumped the packaged with tcpdump to a pcap file and opened that with tshark. From that I'm getting:
1 0.000000 MY_IP_REMOVED -> 192.30.252.130 TCP 78 49451→443 [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=170479114 TSecr=0
SACK_PERM=1
2 0.128228 192.30.252.130 -> MY_IP_REMOVED TCP 78
443→49451 [SYN, ACK] Seq=0 Ack=1 Win=14240 Len=0 MSS=1436 SACK_PERM=1
TSval=2830778812 TSecr=170479114 WS=1024 [ETHERNET FRAME CHECK
SEQUENCE INCORRECT]
3 0.128303 MY_IP_REMOVED -> 192.30.252.130 TCP
66 49451→443 [ACK] Seq=1 Ack=1 Win=132416 Len=0 TSval=170479237
TSecr=2830778812
4 0.150128 MY_IP_REMOVED -> 192.30.252.130 SSL
255 Client Hello
5 0.150913 192.30.252.130 -> MY_IP_REMOVED SSL
1158 Continuation Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
6 0.150916 192.30.252.130 -> 81.26.52.196 TCP 64 443→49451 [FIN, ACK] Seq=1101 Ack=190 Win=4237312 Len=0 [ETHERNET FRAME CHECK SEQUENCE
INCORRECT]
7 0.150961 MY_IP_REMOVED -> 192.30.252.130 TCP 66
49451→443 [ACK] Seq=190 Ack=1101 Win=131328 Len=0 TSval=170479257
TSecr=2830778812
8 0.150990 MY_IP_REMOVED -> 192.30.252.130 TCP 66
49451→443 [ACK] Seq=190 Ack=1102 Win=131328 Len=0 TSval=170479257
TSecr=2830778812
9 0.151046 MY_IP_REMOVED -> 192.30.252.130 TCP 66
49451→443 [FIN, ACK] Seq=190 Ack=1102 Win=132416 Len=0 TSval=170479257
TSecr=2830778812
10 0.151156 192.30.252.130 -> MY_IP_REMOVED TCP 64
443→49451 [RST] Seq=1102 Win=4237312 Len=0 [ETHERNET FRAME CHECK
SEQUENCE INCORRECT]

If this is a clean install of OS X I suspect the problem may be a rare issue (bug?) in SecureTransport that could be triggered by a proxy or firewall settings somewhere on your route to github.
Your libcurl is compiled against Security.framework. The error code -9847 means Record overflow:
A record overflow occurred.
Value
–9847
Description
A record overflow occurred.
Available in OS X v10.3 and later.
The error may be pinpointed to this line in tls1Callouts.c. It seems that the client receives a record with unexpected length.
It might be related to similar issue in gnutls:.
There are several issues with TLS connections and the F5 firewall, and
that looks like the case. That firewall terminates a TLS session if
the client hello is between 256 and 512 bytes. If that is the case you
can verify using wireshark.
The solution we adopted in later versions
of gnutls is to add padding:
https://gitlab.com/gnutls/gnutls/commit/b6d29bb1737f96ac44a8ef9cc9fe7f9837e20465
You could try to investigate further with tcpdump/wireshark (replace en0 with your interface name):
$ sudo tcpdump -i en0 —n -s 0 -B 524288 -w test.pcap port 443
View your pcap file in Wireshark (or capture directly in Wireshark) to get detailed info about each phase. There is a good explanation of SSL/TLS on www.sans.org. For comparison, my (successful) conversation goes like this:
$ tshark -r test.pcap
1 0.000000 10.0.0.125 -> 192.30.252.129 TCP 78 51229→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=235773429 TSecr=0 SACK_PERM=1
2 0.133049 192.30.252.129 -> 10.0.0.125 TCP 74 443→51229 [SYN, ACK] Seq=0 Ack=1 Win=14240 Len=0 MSS=1460 SACK_PERM=1 TSval=1851779047 TSecr=235773429 WS=1024
3 0.133148 10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=235773562 TSecr=1851779047
4 0.138296 10.0.0.125 -> 192.30.252.129 SSL 255 Client Hello
5 0.278168 192.30.252.129 -> 10.0.0.125 TLSv1.2 1490 Server Hello
6 0.278567 192.30.252.129 -> 10.0.0.125 TLSv1.2 1490 Certificate
7 0.278696 10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=190 Ack=2849 Win=129632 Len=0 TSval=235773707 TSecr=1851779083
8 0.278910 192.30.252.129 -> 10.0.0.125 TLSv1.2 399 Server Key Exchange
9 0.278991 10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=190 Ack=3182 Win=130720 Len=0 TSval=235773707 TSecr=1851779083
10 0.339768 10.0.0.125 -> 192.30.252.129 TLSv1.2 141 Client Key Exchange
11 0.551009 192.30.252.129 -> 10.0.0.125 TCP 66 443→51229 [ACK] Seq=3182 Ack=265 Win=15360 Len=0 TSval=1851779144 TSecr=235773767
12 0.551185 10.0.0.125 -> 192.30.252.129 TLSv1.2 157 Change Cipher Spec, Encrypted Handshake Message
13 0.688512 192.30.252.129 -> 10.0.0.125 TCP 66 443→51229 [ACK] Seq=3182 Ack=356 Win=15360 Len=0 TSval=1851779186 TSecr=235773977
14 0.691643 192.30.252.129 -> 10.0.0.125 TLSv1.2 157 Change Cipher Spec, Encrypted Handshake Message
15 0.691720 10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=356 Ack=3273 Win=130976 Len=0 TSval=235774117 TSecr=1851779186
16 0.692351 10.0.0.125 -> 192.30.252.129 TLSv1.2 215 Application Data
If this is really the case a workaround for you might be to compile a custom libcurl with openssl support and make git use your new libcurl. Alternatively you could use ssh instead of https for connecting to github (if you have your public key registered at github).

If you just want a workaround to get Homebrew installed, you could try downloading its install script using another tool. E.g. like this:
$ python -c "import urllib ; urllib.urlretrieve('https://raw.githubusercontent.com/Homebrew/install/master/install', 'install.rb')"
$ ruby install.rb

JBoss - ExportException: Port already in use: 1098

I'm getting the following error when I try to start JBoss
10:10:43,298 INFO [WebService] Using RMI server codebase: http://127.0.0.1:8083/
10:10:43,938 ERROR [AbstractKernelController] Error installing to Start: name=jboss:service=Naming state=Create mode=Manual requiredState=Installed
java.rmi.server.ExportException: Port already in use: 1098; nested exception is:
java.net.BindException: Address already in use: JVM_Bind
at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:249)
at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:184)
at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:382)
at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:116)
at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:180)
at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:293)
at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:256)
However When I try to see what ports are being listened to. I don't see that port!
H:\>netstat -a -n -o
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 824
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1521 0.0.0.0:0 LISTENING 2036
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 752
TCP 0.0.0.0:7717 0.0.0.0:0 LISTENING 2944
TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 1564
TCP 0.0.0.0:31038 0.0.0.0:0 LISTENING 1436
TCP 127.0.0.1:1038 0.0.0.0:0 LISTENING 2036
TCP 127.0.0.1:1052 0.0.0.0:0 LISTENING 2620
TCP 127.0.0.1:5998 127.0.0.1:5999 ESTABLISHED 4036
TCP 127.0.0.1:5999 127.0.0.1:5998 ESTABLISHED 4036
TCP 127.0.0.1:6000 127.0.0.1:6001 ESTABLISHED 4036
TCP 127.0.0.1:6001 127.0.0.1:6000 ESTABLISHED 4036
TCP 142.174.27.74:139 0.0.0.0:0 LISTENING 4
TCP 142.174.27.74:13148 142.174.12.84:445 ESTABLISHED 4
TCP 142.174.27.74:13253 142.174.134.33:8080 ESTABLISHED 4036
TCP 142.174.27.74:13255 142.174.134.33:8080 ESTABLISHED 4036
TCP 142.174.27.74:13258 142.174.134.33:8080 ESTABLISHED 4036
TCP 142.174.27.74:13259 142.174.134.33:8080 ESTABLISHED 4036
TCP 142.174.27.74:13260 142.174.134.33:8080 ESTABLISHED 4036
TCP 142.174.27.74:13261 142.174.134.33:8080 ESTABLISHED 4036
TCP 142.174.27.74:13262 142.174.134.33:8080 ESTABLISHED 4036
TCP 142.174.27.74:13263 142.174.134.33:8080 ESTABLISHED 4036
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:8081 *:* 1564
UDP 0.0.0.0:8082 *:* 1564
UDP 0.0.0.0:19508 *:* 1244
UDP 127.0.0.1:123 *:* 948
UDP 127.0.0.1:1025 *:* 580
UDP 127.0.0.1:1046 *:* 524
UDP 127.0.0.1:1056 *:* 784
UDP 127.0.0.1:1213 *:* 2888
UDP 127.0.0.1:1257 *:* 2404
UDP 127.0.0.1:2172 *:* 3736
UDP 127.0.0.1:2310 *:* 2188
UDP 142.174.27.74:123 *:* 948
UDP 142.174.27.74:137 *:* 4
UDP 142.174.27.74:138 *:* 4
H:\>
any ideas?
Thanks,
Tam

Try TCPView (TCPView v3.05). I get this "port already in use" quite a lot, and TCPView always usually catches the culprit.

Go to jboss-service.xml under conf folder and change the port for RMI from 1098 to 8099 8099
Restart the server .

We ran into this problem some time ago as well, not just with JBoss, but also MySQL.
I wrote about it in more detail here:
Windows TCP Port Conflicts above 1024
What it comes down to is that Windows uses the port range between 1000 and 5000 for so called "ephemeral" ports. This means that it assigns ports from this range for processes that request a random port.
On Windows 2000/2003 Server installations as well as on Windows XP Pro you can reserve port ranges (even if they only cover a single port) for your applications. Effectively they are not reserved for anything specific, but just excluded from the dynamic allocation. To do so, create or edit the following registry value (type REG_MULTI_SZ/Multi-String Value):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts
In this value specify port ranges in the format xxxx-yyyy with xxxx and yyyy being the lowest and highest port of the range to be reserved. To reserve a single port, just use the same values for both (e. g. 1099).

I guess that port is still in use. You can find that using:
netstat -ao
and
netstat -b
If you can't use that port, find another port and change it in the following XML file:
conf/bindings-beans/META-INF/bindings-jboss-beans.xml
The JBoss 5 has a new ServiceBindingManager which uses bean injection to assign ports at runtime. Changing the port here may do the trick for you.
You can also use a different ports configuration and override the ports by a factor.

Based on the ports mentioned in the file referenced by Sam, and the registry key referenced by Daniel Schneller, the following should do the trick for JBoss EAP 5:
1090-1090 1098-1102 1161-1162 3528-3528 4444-4448 4457-4457 4712-4714 5445-5446 8080-8083 8443-8443
Translated in a .reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"ReservedPorts"=hex(7):31,00,30,00,39,00,30,00,2d,00,31,00,30,00,39,00,30,00,\
20,00,31,00,30,00,39,00,38,00,2d,00,31,00,31,00,30,00,32,00,20,00,31,00,31,\
00,36,00,31,00,2d,00,31,00,31,00,36,00,32,00,20,00,33,00,35,00,32,00,38,00,\
2d,00,33,00,35,00,32,00,38,00,20,00,34,00,34,00,34,00,34,00,2d,00,34,00,34,\
00,34,00,38,00,20,00,34,00,34,00,35,00,37,00,2d,00,34,00,34,00,35,00,37,00,\
20,00,34,00,37,00,31,00,32,00,2d,00,34,00,37,00,31,00,34,00,20,00,35,00,34,\
00,34,00,35,00,2d,00,35,00,34,00,34,00,36,00,20,00,38,00,30,00,38,00,30,00,\
2d,00,38,00,30,00,38,00,33,00,20,00,38,00,34,00,34,00,33,00,2d,00,38,00,34,\
00,34,00,33,00,00,00,00,00

The root cause is that JBOSS was not peoperly shut down.
If you are using Windows,
go to task manager and kill the JBOSS processes.

Reserve the port 1098-1099 in registry.
Restart the oracle service if running, then start the JBOss.

This error is also thrown by Jboss if your default IP address changes due to some problem
means
121...89 to 121...90 Just check it and replace it with a newer IP address. It will work.