[Freeswitch-users] TLS/Freeswitch self signed certs

Michael Jerris mike at jerris.com
Mon Aug 12 18:50:31 MSD 2013


This sounds like it should be in the script for everyone.  Can you open a bug on jira.freeswitch.org for this issue?

Thanks
Mike

On Aug 6, 2013, at 2:16 AM, Peter <eidevm5 at gmail.com> wrote:

> Finally figured out the issue was related to the gentls_cert script generating an openssl template that didn't have the required x509v3 extensions set.
> 
> I modified the script where it generates config.tpl to add
> 
>                         x509_extensions = v3_ca
> 
> to the [req] section, then I added the section:
> 
>                         [ v3_ca ]
>                         subjectKeyIdentifier=hash
>                         authorityKeyIdentifier=keyid:always,issuer
>                         basicConstraints=CA:TRUE
> 
> Now when you issue:
> 
> openssl x509 -noout -inform pem -text -in cafile.pem
> 
> you'll see the following section:
> 
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5
>             X509v3 Authority Key Identifier:
>                 keyid:02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5
> 
>             X509v3 Basic Constraints:
>                 CA:TRUE
> 
> If these are present, then Android will treat the cert as a standard user cert.
> 
> Then it was a simple matter of copying cafile.pem to cafile.crt on the sdcard on the Android device and using the "install from device storage" option.
> 
> When the cert installer dialog comes up, it will now detect cafile.crt as a CA cert and not user cert.
> 
> Hope this helps other people, as cert management on Android is a right pain in the $#%^.
> 
> Peter
> 
> 
> 
> On Tue, Aug 6, 2013 at 2:31 PM, Peter <eidevm5 at gmail.com> wrote:
> The reason I put it on a webserver is mostly for convenience to make it easier to install.
> 
> I tried copying cafile.pem to /sdcard on a Galaxy Note II, but when I try the "Install from device storage" option, it just comes back with:
> 
> "No certificate file found on SD card"
> 
> 
> 
> On Mon, Aug 5, 2013 at 5:51 PM, Mehroz Ashraf <mehroz.ashraf85 at gmail.com> wrote:
> Why do you want to place the cert on webserver and point android browser? If you are doing this to download cert into android then that is probably not the right approach.
> 
> I used cafile.pem (without converting it into .der format) and placed the file on the SD card or in phone memory, and pointed Linphone to get the CA from the path. You may search in libraries where it needs to tell the path.
> 
> 
> On Mon, Aug 5, 2013 at 12:15 PM, Peter <eidevm5 at gmail.com> wrote:
> Has anyone managed to get TLS working between Android Linphone and Freeswitch?
> 
> I've done the basic TLS setup as per https://wiki.freeswitch.org/wiki/Tls
> 
> I then convert the CA cert from PEM to DER format with:
> 
> openssl x509 -inform PEM -outform der -in cafile.pem -out fs.crt
> 
> I place fs.crt on a webserver and point my Android browser to it.
> 
> When I click on fs.crt, I get the default Android Certificate installer popup, but it always says:
> 
> "Package contains: one user certificate"
> 
> ie: it thinks it is a user cert rather than a CA cert.
> 
> Android appears to be a real pain to add a CA to its trusted credential store.
> 
> Really interested if anyone has managed to get Android to import the CA cert.
> 
> Thanks
> 
> Peter

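The fix Peter describes, worked through end to end as an added example (this is not code from the thread and not FreeSWITCH's gentls_cert script): it writes a config.tpl-style OpenSSL config with the `x509_extensions` hook and the `v3_ca`-style section he added, self-signs a CA certificate with it, and then checks the property the Android installer keys on, `basicConstraints` CA:TRUE. A second profile with CA:FALSE shows by contrast what a plain "user certificate" looks like to the same check. Assumptions: `openssl` is on PATH, the subject CN is made up, and `critical` is added to `basicConstraints` (RFC 5280 requires it on CA certificates), which the snippet in the thread omits.

```shell
#!/bin/sh
# Added example, not from the thread or from gentls_cert.
# Generates a self-signed CA with proper X509v3 extensions and checks
# that the result is actually flagged as a CA certificate.
set -eu

# Write a config.tpl-style OpenSSL request config into $1.
# $2 is "ca"   -> basicConstraints CA:TRUE  (the fix from the thread)
#       "leaf" -> basicConstraints CA:FALSE (a plain end-entity/user cert)
write_openssl_cnf() {
  cnf="$1"
  profile="$2"
  if [ "$profile" = ca ]; then
    bc='basicConstraints = critical,CA:TRUE'
  else
    bc='basicConstraints = critical,CA:FALSE'
  fi
  # The [ req ] section points at the extension section via x509_extensions,
  # which is exactly the line gentls_cert's template was missing.
  cat > "$cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ext

[ req_dn ]
CN = FreeSWITCH Test $profile

[ v3_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
$bc
EOF
}

# Create a key and a self-signed certificate in $1 using profile $2.
# Prints the path of the PEM certificate.
gen_self_signed() {
  dir="$1"
  profile="$2"
  mkdir -p "$dir"
  write_openssl_cnf "$dir/config.tpl" "$profile"
  openssl req -new -x509 -nodes -days 365 -config "$dir/config.tpl" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  echo "$dir/cert.pem"
}

# Exit 0 if the certificate in $1 carries basicConstraints CA:TRUE, 1 if not.
# Without this flag Android reports "one user certificate" and will not
# offer the file for the trusted credential store.
is_ca_cert() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

main() {
  tmp=$(mktemp -d)
  ca=$(gen_self_signed "$tmp/ca" ca)
  leaf=$(gen_self_signed "$tmp/leaf" leaf)
  for c in "$ca" "$leaf"; do
    if is_ca_cert "$c"; then
      echo "$c: CA certificate (Android installer will treat it as a CA)"
    else
      echo "$c: end-entity certificate (Android shows 'one user certificate')"
    fi
  done
  # Peter's install step: the PEM content, renamed to .crt, on device storage.
  cp "$ca" "$tmp/cafile.crt"
  rm -rf "$tmp"
}

main
```

Two practical notes. With OpenSSL 1.1.1 or later, `openssl x509 -noout -ext basicConstraints -in cafile.pem` prints just that extension, which is less brittle than grepping the full `-text` dump; the grep is kept here so the check also works on older builds. And installing a private CA into Android's trusted store means the device trusts anything signed by that CA key, so treat the generated `key.pem` (cakey.pem in the FreeSWITCH layout) as a secret, not just a config artifact.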