[Freeswitch-users] TLS/Freeswitch self signed certs
Peter
eidevm5 at gmail.com
Tue Aug 6 10:16:24 MSD 2013
Finally figured out the issue was that the gentls_cert script was
generating an openssl template that didn't have the required x509v3
extensions set.
I modified the script where it generates config.tpl to add
x509_extensions = v3_ca
to the [req] section, then I added the section:
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=CA:TRUE
Now when you issue:
openssl x509 -noout -inform pem -text -in cafile.pem
you'll see the following section:
X509v3 extensions:
X509v3 Subject Key Identifier:
02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5
X509v3 Authority Key Identifier:
keyid:02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5
X509v3 Basic Constraints:
CA:TRUE
If these are present, then Android will treat the cert as a standard user
cert.
Then it was a simple matter of copying cafile.pem to cafile.crt on the
sdcard on the Android device and using the "install from device storage"
option.
When the cert installer dialog comes up, it will now detect cafile.crt as a
CA cert and not user cert.
Hope this helps other people, as cert management on Android is a right pain
in the $#%^.
Peter
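As an added example (not the gentls_cert script or any code from the post): the script below builds a self-signed CA with the v3_ca extensions described above, builds a second cert with CA:FALSE for contrast, and checks for the same x509v3 fields that the Android installer keys on. It assumes the openssl CLI is on PATH; the file names and the CN are constructed.

```shell
# Added example: reproduce the fixed config.tpl and verify the extensions.
# Assumes the openssl CLI is on PATH; file names below are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Write a minimal request config. $1 = basicConstraints value, so the
# same template can produce a CA (CA:TRUE) or a user cert (CA:FALSE).
write_config() {
    cat > "$WORK/config.tpl" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
CN = FreeSWITCH example CA

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = $1
EOF
}

# make_cert NAME CONSTRAINT: self-signed cert + key in PEM, plus the .crt
# copy that the Android "install from device storage" dialog looks for.
make_cert() {
    write_config "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/config.tpl" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
    cp "$WORK/$1.pem" "$WORK/$1.crt"
}

# cert_is_ca FILE: exit 0 only if all three CA-style extensions are present.
cert_is_ca() {
    text=$(openssl x509 -noout -inform pem -text -in "$1")
    echo "$text" | grep -q 'X509v3 Subject Key Identifier' &&
    echo "$text" | grep -q 'X509v3 Authority Key Identifier' &&
    echo "$text" | grep -q 'X509v3 Basic Constraints' &&
    echo "$text" | grep -q 'CA:TRUE'
}

make_cert cafile CA:TRUE
make_cert client CA:FALSE
cert_is_ca "$WORK/cafile.crt" && echo "cafile.crt: CA cert"
cert_is_ca "$WORK/client.crt" || echo "client.crt: user cert"
```

Run it and copy `cafile.crt` from `$WORK` to the device; `client.crt` is there only to show what the installer sees when the constraint is missing.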
On Tue, Aug 6, 2013 at 2:31 PM, Peter <eidevm5 at gmail.com> wrote:
> The reason I put it on a webserver is mostly for convenience to make it
> easier to install.
>
> I tried copying cafile.pem to /sdcard on a Galaxy Note II, but when I try
> the "Install from device storage" option, it just comes back with:
>
> "No certificate file found on SD card"
>
>
>
> On Mon, Aug 5, 2013 at 5:51 PM, Mehroz Ashraf <mehroz.ashraf85 at gmail.com> wrote:
>
>> Why do you want to place the cert on webserver and point android browser?
>> If you are doing this to download cert into android then that is probably
>> not the right approach.
>>
>> I used cafile.pem (without converting it into .der format) and placed the
>> file in SD card or phone memory, and point out linphone to get the CA from
>> the path. You may search in libraries where it need to tell the path.
>>
>>
>> On Mon, Aug 5, 2013 at 12:15 PM, Peter <eidevm5 at gmail.com> wrote:
>>
>>> Has anyone managed to get TLS working between Android Linphone and
>>> Freeswitch?
>>>
>>> I've done the basic TLS setup as per
>>> https://wiki.freeswitch.org/wiki/Tls
>>>
>>> I then convert the CA cert from PEM to DER format with:
>>>
>>> openssl x509 -inform PEM -outform der -in cafile.pem -out fs.crt
>>>
>>> I place fs.crt on a webserver and point my Android browser to it.
>>>
>>> When I click on fs.crt, I get the default Android Certificate installer
>>> popup, but it always says:
>>>
>>> "Package contains: one user certificate"
>>>
>>> ie: it thinks it is a user cert rather than a CA cert.
>>>
>>> Android appears to be a real pain to add a CA to its trusted credential
>>> store.
>>>
>>> Really interested if anyone has managed to get Android to import the CA
>>> cert.
>>>
>>> Thanks
>>>
>>> Peter