[Freeswitch-users] xml_cdr ssl
Steven Ayre
steveayre at gmail.com
Wed Oct 3 20:03:23 MSD 2012
First off you should *never* be using a CA private key.
> <param name="ssl-key-path" value="/etc/pki/tls/private/ca.key"/>
That key should only ever be used for signing certs! It should never
be distributed or used anywhere else. Otherwise anyone who gets access
to the key can sign any cert as your CA.
<!-- <param name="ssl-cert-path"
value="$${base_dir}/conf/certs/public_key.pem"/> -->
<!-- <param name="ssl-key-path"
value="$${base_dir}/conf/certs/private_key.pem"/> -->
<!-- <param name="ssl-key-password" value="MyPrivateKeyPassword"/> -->
These are *client* certificates. The HTTPS protocol lets you
authenticate the client just like it authenticates the server, like a
PKI equivalent of a username+password. But it's optional. You almost
certainly don't want this.
<!-- <param name="ssl-cacert-file"
value="$${base_dir}/conf/certs/cacert.pem"/> -->
This is one that you *may* want to set, but again it's optional. It's
only needed to specify a CA that your system doesn't already know
about.
<!--<param name="enable-cacert-check" value="true"/>-->
<!-- <param name="enable-ssl-verifyhost" value="true"/> -->
These are ones you will actually want to enable (otherwise an HTTPS
session might be opened, but will be rather pointless as you're not
checking who you're connecting to).
To actually get mod_xml_cdr to talk to the server via HTTPS, there is
only *one* parameter that you *have* to set... which is to make sure
the URL starts with https://
> <param name="url" value="https://xxx.xxx.xxx.xxx/testLDB"/>
It appears you've done that, so did you reload the mod_xml_cdr module
after saving the changes? The configuration is only read when the
module is loaded, not on each request.
-Steve
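A small check script, added here and not part of the thread or of FreeSWITCH, that encodes the reply's advice: the url must start with https://, enable-cacert-check and enable-ssl-verifyhost must be true, and a key named like a CA key must not be deployed as the client key. Both sample configurations are constructed for the example (the hostname is a placeholder), and the CA-key test is a filename heuristic only.

```python
import xml.etree.ElementTree as ET
from posixpath import basename

# Constructed sample resembling the original poster's settings (weak).
WEAK_CONF = """<configuration name="xml_cdr.conf" description="XML CDR CURL logger">
  <settings>
    <param name="url" value="https://xxx.xxx.xxx.xxx/testLDB"/>
    <param name="ssl-cert-path" value="/etc/pki/tls/certs/test.crt"/>
    <param name="ssl-key-path" value="/etc/pki/tls/private/ca.key"/>
  </settings>
</configuration>"""

# Constructed sample following the advice in the reply (placeholder hostname).
HARDENED_CONF = """<configuration name="xml_cdr.conf" description="XML CDR CURL logger">
  <settings>
    <param name="url" value="https://cdr.example.invalid/testLDB"/>
    <param name="ssl-cacert-file" value="/etc/pki/tls/certs/cacert.pem"/>
    <param name="enable-cacert-check" value="true"/>
    <param name="enable-ssl-verifyhost" value="true"/>
  </settings>
</configuration>"""


def load_params(xml_text):
    """Flatten <param name=... value=.../> entries into a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "") for p in root.iter("param")}


def check_xml_cdr_tls(xml_text):
    """Return findings (strings); an empty list means the settings follow the advice."""
    params = load_params(xml_text)
    findings = []
    if not params.get("url", "").lower().startswith("https://"):
        findings.append("url does not start with https://, so CDRs are posted in clear")
    # Without both checks a TLS session is opened but the peer is never verified.
    for flag in ("enable-cacert-check", "enable-ssl-verifyhost"):
        if params.get(flag, "").lower() != "true":
            findings.append(f"{flag} is not 'true': server identity is not verified")
    key_path = params.get("ssl-key-path")
    if key_path:
        # Filename heuristic only: a CA signing key must never serve as a client key.
        if basename(key_path).lower().split(".")[0] in ("ca", "cakey", "ca-key"):
            findings.append(f"ssl-key-path {key_path} looks like a CA key; use a client key or drop it")
        if not params.get("ssl-cert-path"):
            findings.append("ssl-key-path is set without a matching ssl-cert-path")
    return findings  # remember: mod_xml_cdr reads the file only at module load


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_xml_cdr_tls(conf) or "OK")
```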
On 2 October 2012 07:33, Miha <miha at softnet.si> wrote:
> Hi,
>
> I need some help with the SSL configuration. On my server, where the https
> post should be sent, I set up openssl (which works ok). I also tried it
> with windows and it works ok.
>
> In xml_cdr.conf I added:
>
> <param name="ssl-cert-path" value="/etc/pki/tls/certs/test.crt"/>
> <param name="ssl-key-path" value="/etc/pki/tls/private/ca.key"/>
>
> also tried with just:
>
> <param name="ssl-cacert-file" value="/etc/pki/tls/certs/test.crt"/>
> but still no luck. I noticed with wireshark that FS does not send the https
> post (I traced it on the FS server).
>
> What I am doing wrong?
>
> Thanks!
> Miha
>
>
> <param name="url" value="https://xxx.xxx.xxx.xxx/testLDB"/>
>