Log Entry for Attempted Connection to Sever NOT on my list..

[adcprod]

We have some very restrictive firewall policies where I work. We block the default Mumble port in except to approved IPs. Anyway, we've observed attempted connections to:

tylerr.noip.me: 64738

Address lookup

canonical name tylerr.noip.me.

aliases

addresses 50.82.173.5

This appears to resolve to some guy's cable modem.

http://whatismyipaddress.com/ip/50.82.173.5

It also appears to be a valid Murmur/Mumble server:

======================================================================

:~$ openssl s_client -showcerts -connect tylerr.noip.me:64738

CONNECTED(00000003)

depth=0 CN = Murmur Autogenerated Certificate v2

verify error:num=18:self signed certificate

verify return:1

depth=0 CN = Murmur Autogenerated Certificate v2

verify return:1

---

Certificate chain

0 s:/CN=Murmur Autogenerated Certificate v2

i:/CN=Murmur Autogenerated Certificate v2

-----BEGIN CERTIFICATE-----

MIIDSzCCAjOgAwIBAgIBATANBgkqhkiG9w0BAQUFADAuMSwwKgYDVQQDEyNNdXJt

dXIgQXV0b2dlbmVyYXRlZCBDZXJ0aWZpY2F0ZSB2MjAeFw0xNTAzMDcyMTM5NDNa

Fw0zNTAzMDIyMTM5NDNaMC4xLDAqBgNVBAMTI011cm11ciBBdXRvZ2VuZXJhdGVk

IENlcnRpZmljYXRlIHYyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA

2KuHbdeLC+xH3V84nRiqYG0ZHquqNigA1rwUlk+dTu7X0u1xIPuzQg+1/kn474DL

NI6YoXZbYNZEakAvKG1UJgEYn0vJS/oT/lIySoJP+/tIOuG0XM3DQqujdo8JfS+E

YQ3fw+RaFKpbnKb1VLzbkrZ7+V4AKa/CwGIdaw4KODMPsBvqLNF3w2yeR0aw909/

VVc3mU7gymsPn7tn1xFEbXBdlFRu25xwwi7T0ggRiGvBVAqXV4lsnQRNxjshzSfV

gUPUUkH4Aw+EuNTasZACPc5Q/OslKXa3LtaMMZKrOgP7j4Vm6eNBvDtWYEOl/G1U

dBM4InTIXPa+Nt9iTxpgJwIDAQABo3QwcjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW

MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUgeuonJPk+uYLAyleE7jY

+By0lNkwJAYJYIZIAYb4QgENBBcWFUdlbmVyYXRlZCBmcm9tIG11cm11cjANBgkq

hkiG9w0BAQUFAAOCAQEArqRcf4nA4n+h/2yXIAMkicpBwjYi+5Bk+O6Q1FkUOWB6

jO/UNP9Tn4kY63sVvXwR6xaG5eSN9ZY+Z8/JfBN66hM0dAHq3EvV05xENJaLBcNM

ChNUq7pzz3VXs+9Q8xFXqxFS3z2Mb9pCdwwrLtkzCZ05ReEINCr4iuF4J1ftz2dI

Y5LA+Vb2hCp2G0at/CHvEHAgOqsKhJ3ebmx1xW+gJHb+GKO0QE4G/ZdUSl3OkIOc

mVw2pGgkB3NzpdB6v87sV1VZmQ5WF89xHn5Gf/HhY3edlVDfTFrL8m7m4Vs2jGJg

VpgZznGTeoMJm0uixcc4khfD89UHu95Z6QF3+6CtCA==

-----END CERTIFICATE-----

---

Server certificate

subject=/CN=Murmur Autogenerated Certificate v2

issuer=/CN=Murmur Autogenerated Certificate v2

---

No client certificate CA names sent

---

SSL handshake has read 1178 bytes and written 633 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher : AES256-SHA

Session-ID: D99E7D0D1010F01835F927BC72CDA9144C1235A0929A9F9D9BA935B8D199AF48

Session-ID-ctx:

Master-Key: BF57F8696A3D0A05E65B8623B5461C2D78FC9B4323F71DCE8253608DEBE18B1BA49D59FD2601ABB23C85E68AA7CB16AC

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

TLS session ticket lifetime hint: 7200 (seconds)

TLS session ticket:

0000 - 09 52 f9 a3 54 f5 34 9f-20 d6 ee 19 50 d3 90 2f .R..T.4. ...P../

0010 - 7a 1e 85 ee b0 5c 23 91-0b d5 1e d2 8a b0 87 48 z....\#........H

0020 - 09 d6 b0 4f 88 5b 34 bc-d6 4e bc 7b fd d4 73 5c ...O.[4..N.{..s\

0030 - 64 d7 90 1f b5 0e d6 44-ad f5 f3 b1 37 35 3a ec d......D....75:.

0040 - 31 0b 91 88 5c 68 03 bc-f0 60 9e 9a 26 4a 2b 86 1...\h...`..&J+.

0050 - cd 05 2a 10 e1 52 1c bd-99 7f 6a f9 52 a1 c2 bc ..*..R....j.R...

0060 - ce d4 b1 85 d7 41 6a 69-84 48 61 00 bb fd 20 49 .....Aji.Ha... I

0070 - 1d be c0 8f e6 ab 3c 87-a8 51 ac 91 dc d4 5b 70 ......<..Q....[p

0080 - 2e 25 cf 95 cb ba f3 9c-39 22 01 d4 3c 2d 70 99 .%......9"..<-p.

0090 - 44 83 3b 78 9e ed f5 bb-a8 3c cd 53 c5 47 74 cf D.;x.....<.S.Gt.

Start Time: 1460664467

Timeout : 300 (sec)

Verify return code: 18 (self signed certificate)

==========================================================================================

This seems to be the only automatic connection attempt from the Windows client software (outside of our own servers). Is this by design? If so, why? (BTW, I searched source code from github and did not find reference to this server. I did use pre-compiled binaries though and wonder if something else is stuffed in there.)

This was observed with the most stable Win client code. (I realize this is the snapshots thread, but I'm not sure where else to post this.)

Thanks!

P.S. By the way, I'm new here and this is hands-down the best audio VOIP software I've ever used. Thanks so much for your hard work! :D

[hacst]

That's none of ours. I am not quite sure I understand under what conditions this was seen but the public server list or a custom favourite would seem like obvious culprits that could trigger such an alert.

The name lookup could be a favourite or public server. Though for the public servers you should see much more than those depending on the locale you are in.

If you open Mumble for the first time or don't have any custom servers added the default setting for it is to retrieve the public server list from one of our hosts (*.mumble.hive.no or *.mumble.info). It then uses your locale to decide which country to display to you and expands the list in the connection dialog. To be able to display ping and populations on the servers the dialog displays we perform a name-lookup and send UDP ping (not an ICMP ping) packets to the mumble port (mostly 64738) of the hosts.

If you have one or more favorite servers the public list won't be retrieved. Unless you expand it all you should see is Mumble resolving and pinging your favourites.

In cooperate settings where you don't want to display the publist in the first place you can completely hide the point from the connection dialog by setting "disablepubliclist" to "true" in HKEY_CURRENT_USER\Software\Mumble\Mumble\ui .

Hope that helps