[Freeswitch-users] SIP TLS Issues

Lappe, Adam Adam.Lappe at qsc.de
Thu Aug 15 13:56:55 MSD 2013


Hi all,

Some more things I tried so far:

openssl x509 -noout -modulus -in agent.pem | openssl md5
(stdin)= ebdfb317206ba89d07217c06e1f0d6eb
openssl rsa -noout -modulus -in agent.pem | openssl md5
(stdin)= ebdfb317206ba89d07217c06e1f0d6eb

At least the certificate and private key in agent.pem are correct.

There is no output on the cli when I try to register a phone.

My guess is that the content of agent.pem and/or cafile.pem is wrong.

Can someone please confirm this?

Best regards,
Adam


On Wed, 14 Aug 2013 at 16:07, Adam <ala at qsc.de> wrote:

Hi all,

I am trying to configure FreeSWITCH to speak TLS with all clients.
I followed the tutorial on http://wiki.freeswitch.com/wiki/SIP_TLS but I am still not sure what key / cert belongs in which file.

I have an SSL123 Thawte Wildcard Certificate.
Am I supposed to cat this cert + private key into agent.pem and the primary and secondary intermediates into cafile.pem?

I did this and set the right permissions. The internal sofia profile on port 5061 (TLS) is RUNNING.

But no client (for example Polycom VVX1500) can register now.
If I set it to TCP and port 5060 (which is RUNNING as well) everything works fine.

Wireshark shows me the following:

Client    ->         FS                    Client Hello
FS        ->         Client                Alert (Level Fatal, Description: Handshake Failure)

I also tested openssl s_client -connect (IP):5061 -showcerts, but it only says:
CONNECTED(00000003)
139847050823328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I guess the problem is agent.pem and/or cafile.pem.

agent.pem looks like this:
-----BEGIN CERTIFICATE-----
(Thawte SSL123 Wildcard Web Certificate)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Unencrypted Private Key)
-----END RSA PRIVATE KEY-----

cafile.pem like this:
-----BEGIN CERTIFICATE-----
(Thawte Primary Intermediate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Thawte Secondary Intermediate)
-----END CERTIFICATE-----

Any suggestions?

Thanks in advance,
Adam
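The two checks this thread circles around, the certificate/key modulus comparison and the agent.pem / cafile.pem layout, as an added example that is not part of the original post or of the FreeSWITCH project. It builds a throwaway root, intermediate and wildcard leaf with openssl (every name, CN and path is constructed for the example), assembles agent.pem (leaf cert followed by its unencrypted key) and cafile.pem (intermediate only, with the root standing in for the client's trust store), and then checks both that the key belongs to the certificate and that the certificate chains through cafile.pem to the root. A deliberately mis-paired agent.pem and a cafile.pem holding the root instead of the intermediate show what the two checks report when the files are wrong.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or FreeSWITCH): build a test
# chain, assemble agent.pem / cafile.pem as described in the thread, and run
# the pre-flight checks. All names, CNs and paths are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root -> intermediate (CA:TRUE, or chain building fails) -> leaf.
make_chain() {
  local d="$1"
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test Root" \
      -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
      -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/inter.ext"
  openssl x509 -req -days 30 -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
      -CAcreateserial -extfile "$d/inter.ext" -out "$d/inter.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.sip.example.test" \
      -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:*.sip.example.test\n' >"$d/leaf.ext"
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
      -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# agent.pem = leaf certificate followed by a private key (the caller chooses
# which key, so a wrong pairing can be demonstrated); cafile.pem = whatever
# certificate the caller passes as the "CA" file. 0600 because it holds a key.
assemble() {
  local d="$1" key="$2" ca="$3"
  cat "$d/leaf.crt" "$key" >"$d/agent.pem"
  cat "$ca" >"$d/cafile.pem"
  chmod 600 "$d/agent.pem"
}

# Check 1: the post's modulus test, hashed with sha256 and compared in one
# step. Both openssl subcommands pick their own PEM block out of agent.pem.
# Prints "match" or "mismatch".
key_matches_cert() {
  local pem="$1" c k
  c="$(openssl x509 -noout -modulus -in "$pem" | openssl sha256)"
  k="$(openssl rsa -noout -modulus -in "$pem" 2>/dev/null | openssl sha256)"
  if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Check 2: pull only the certificate out of agent.pem and verify it against the
# trust anchor, with cafile.pem supplied as the untrusted intermediates a client
# would otherwise have to receive in the handshake. Prints "ok" or "broken".
chain_ok() {
  local d="$1" anchor="$2"
  openssl x509 -in "$d/agent.pem" -out "$d/leaf_only.pem" 2>/dev/null
  if openssl verify -CAfile "$anchor" -untrusted "$d/cafile.pem" "$d/leaf_only.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo broken
  fi
}

G="$WORK/good"
make_chain "$G"
# Correct layout: leaf + leaf key, intermediate in cafile.pem.
assemble "$G" "$G/leaf.key" "$G/inter.crt"
# Wrong key: the leaf certificate paired with the intermediate's key.
mkdir -p "$WORK/badkey"; cp "$G/leaf.crt" "$WORK/badkey/"
assemble "$WORK/badkey" "$G/inter.key" "$G/inter.crt"
# Wrong chain: root in cafile.pem instead of the intermediate.
mkdir -p "$WORK/badchain"; cp "$G/leaf.crt" "$WORK/badchain/"
assemble "$WORK/badchain" "$G/leaf.key" "$G/root.crt"

for case in good badkey badchain; do
  printf '%-9s key=%s chain=%s\n' "$case" \
    "$(key_matches_cert "$WORK/$case/agent.pem")" \
    "$(chain_ok "$WORK/$case" "$G/root.crt")"
done
```

Only after both checks pass is the `openssl s_client -connect host:5061 -showcerts` run from the post worth repeating: an OpenSSL-based server that could not load a usable certificate and key has no cipher suite it can negotiate and answers the ClientHello with exactly the fatal handshake_failure alert seen in the capture, so the file-level checks have to come first.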