[Freeswitch-dev] ciphers on verto and profile wss

alexis alzrck at gmail.com
Fri Oct 27 17:55:22 UTC 2017


Hello, I'm facing a problem with WebRTC and I would like to share the
situation and see how wrong I am :)

As you know, Google (well, not only Google) (most of our WebRTC users
use Chrome) is pushing to move to ECC-signed X509 certificates. ECC
keys are smaller than RSA, and it benefits the calculation of
encryption, less data on the cable, etc. etc. etc. Not the point of this
mail, actually.

I have an X509 cert signed with an ECC key (working on nginx, Tomcat, etc.).
Now I want to use this same cert in FreeSWITCH. I don't use mod_verto (but
I'm trying with it too in this problem). Usually, enabling wss on the SIP
internal profile is enough for us; we have a phone developed by us (using
sipjs) that is enough for our needs and works perfectly.

The thing is, if I build a wss.pem, tls.pem and dtls-srtp.pem with this cert
(the ECC-signed one), websocket does not work, and here's the detail of that:

. Websocket starts? Yes (profile, verto), all start, ports are up, SSL is
up, you can connect with openssl s_client and it works
. What's the problem then? That wss on the SIP profile and/or wss on verto
does not accept any ECDHE-ECDSA cipher at all (Chrome and Firefox receive a
server handshake failure right after the client hello)
. Could the cert be wrong? Yes, but if I enable sip-tls on the internal
profile, I'm able to connect to port 5061 and ECDHE-ECDSA is accepted (SIP
TLS works perfectly with this same certificate)

I'm not a good C programmer (I work with Java, JavaScript and Python), but
I've been working with mod_verto/mod_verto.c and mod_verto/ws.c trying to
load all ciphers in the ssl_init methods and wherever it was within my
reach, without success.

The FS version is 1.6.19 from source, OpenSSL is 1.0.2g; for now I'm testing
on Ubuntu (production is Debian 8.6).

If you can point me to where to check or change, or give any clue to get it
working, it will be extremely appreciated.

Thanks in advance, best regards
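
The check described in the message (offer only ECDHE-ECDSA suites and see what the listener negotiates) can be scripted and compared per port. This is an added example, not part of the original post and not FreeSWITCH code; it assumes OpenSSL 1.1.0 or later on the test host, and port 47443, the temporary files and the certificate subject are constructed.

```shell
#!/usr/bin/env bash
# Added example, not FreeSWITCH code. Assumes OpenSSL 1.1.0+ on the test host.
# Port 47443, the temp files and the certificate subject are constructed.

# probe_suite HOST:PORT CIPHERS
# Offer only CIPHERS over TLS 1.2 and print the suite the listener picks,
# or "(NONE)" when the handshake (or the TCP connect) fails.
probe_suite() {
  local suite
  suite=$(openssl s_client -connect "$1" -tls1_2 -cipher "$2" </dev/null 2>&1 |
          sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
  echo "${suite:-(NONE)}"
}

# baseline
# Start a throwaway loopback listener that holds only an ECDSA (P-256)
# certificate and probe it, to show what a working ECDSA-only endpoint returns.
baseline() {
  local dir pid port=47443
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" 2>/dev/null
  openssl req -x509 -new -key "$dir/key.pem" -subj "/CN=constructed.example" \
    -days 1 -out "$dir/cert.pem" 2>/dev/null
  openssl s_server -accept "127.0.0.1:$port" -cert "$dir/cert.pem" \
    -key "$dir/key.pem" -www >/dev/null 2>&1 &
  pid=$!
  sleep 1  # give the listener time to bind
  echo "ecdsa=$(probe_suite "127.0.0.1:$port" ECDHE-ECDSA-AES128-GCM-SHA256)"
  echo "rsa=$(probe_suite "127.0.0.1:$port" ECDHE-RSA-AES128-GCM-SHA256)"
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  rm -rf "$dir"
}

# Usage: probe.sh --baseline | probe.sh HOST:PORT
if [ "${1:-}" = "--baseline" ]; then
  baseline
elif [ -n "${1:-}" ]; then
  probe_suite "$1" ECDHE-ECDSA-AES128-GCM-SHA256
fi
```

Running `probe_suite` against the SIP-TLS port (5061 in the message) and against the WSS port of the same server shows, per listener, whether an ECDHE-ECDSA suite is negotiated.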