[Freeswitch-users] SIP TLS Issues
Lappe, Adam
Adam.Lappe at qsc.de
Thu Aug 15 13:56:55 MSD 2013
Hi all,
Some more things I tried so far:
openssl x509 -noout -modulus -in agent.pem | openssl md5
(stdin)= ebdfb317206ba89d07217c06e1f0d6eb
openssl rsa -noout -modulus -in agent.pem | openssl md5
(stdin)= ebdfb317206ba89d07217c06e1f0d6eb
At least the certificate and private key in the agent.pem are correct.
There is no output on the cli when I try to register a phone.
My guess is that the content of agent.pem and/or cafile.pem is wrong.
Can someone please confirm this?
Best regards,
Adam
Wed, 14 Aug, 2013 at 16:07 PM, Adam <ala at qsc.de>:
Hi all,
I am trying to configure FreeSWITCH to speak TLS with all clients.
I followed the tutorial on http://wiki.freeswitch.com/wiki/SIP_TLS but I am still not sure what key / cert belongs in which file.
I have a SSL123 Thawte Wildcard Certificate.
Am I supposed to cat this cert + priv. key into agent.pem and the primary and secondary intermediate into the cafile.pem?
I did this and set the right permissions. The internal sofia profile on port 5061 (TLS) is RUNNING.
But no client (for example Polycom VVX1500) can register now.
If I set it TCP and Port 5060 (which is RUNNING as well) everything works fine.
Wireshark shows me the following
Client -> FS Client Hello
FS -> Client Alert (Level Fatal, Description: Handshake Failure)
I also tested openssl s_client -connect (IP):5061 -showcerts but it only says:
CONNECTED(00000003)
139847050823328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I guess the problem is the agent.pem and/or cafile.pem
agent.pem looks like this
-----BEGIN CERTIFICATE-----
(Thawte SSL123 Wildcard Web Certificate)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Unencrypted Private Key)
-----END RSA PRIVATE KEY-----
cafile.pem like that:
-----BEGIN CERTIFICATE-----
(Thawte Primary Intermediate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Thawte Secondary Intermediate)
-----END CERTIFICATE-----
Any suggestions?
Thanks in advance,
Adam
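
Added example, not part of the original post or of the FreeSWITCH project: the modulus comparison above shows that the certificate and key belong together, but not how the PEM files are laid out. This Python check lists the blocks in each file and flags anything other than the layout the post describes (a certificate plus one unencrypted key in agent.pem, certificates only in cafile.pem); the function names and sample bytes are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, encrypted, der_length)] for each PEM block, in file order."""
    found = PEM_BLOCK.findall(text)
    if len(found) != text.count("-----BEGIN "):
        raise ValueError("a BEGIN line has no matching END line")
    blocks = []
    for begin, body, end in found:
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        lines = [l.strip() for l in body.splitlines()]
        headers = [l for l in lines if ":" in l]  # e.g. "Proc-Type: 4,ENCRYPTED"
        # validate=True rejects stray characters inside the base64 payload
        der = base64.b64decode("".join(l for l in lines if ":" not in l), validate=True)
        encrypted = "ENCRYPTED" in begin or any("ENCRYPTED" in h for h in headers)
        blocks.append((begin, encrypted, len(der)))
    return blocks

def check_agent(text):
    """Problems with an agent.pem meant to hold a certificate plus one unencrypted key."""
    blocks, problems = pem_blocks(text), []
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if not any(b[0] == "CERTIFICATE" for b in blocks):
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    if any(enc for _, enc, _ in keys):
        problems.append("private key is passphrase-encrypted")
    return problems

def check_cafile(text):
    """Problems with a cafile.pem meant to hold CA certificates only."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no CERTIFICATE block"]
    return [f"unexpected {b[0]} block" for b in blocks if b[0] != "CERTIFICATE"]

def sample_pem(label, payload=b"constructed sample bytes, not real DER", header=""):
    """Build a constructed PEM block for the demo; the payload is not a real certificate."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{header}{b64}\n-----END {label}-----\n"

if __name__ == "__main__":
    agent = sample_pem("CERTIFICATE") + sample_pem("RSA PRIVATE KEY")
    print(pem_blocks(agent), check_agent(agent))
    print(check_cafile(sample_pem("CERTIFICATE") * 2 + sample_pem("RSA PRIVATE KEY")))
```

To use it on real files, pass the file contents, for example check_agent(open("agent.pem").read()).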