[Freeswitch-users] TLS with Cisco SPA112

Nick Vines jnvines at gmail.com
Sun Sep 29 06:51:47 MSD 2013


Success! I guess I hadn't reloaded one of the profiles recently, but my spa112 registers now. 

The setup that works is #2 from the previous email:

Follow directions at the following link: https://supportforums.cisco.com/docs/DOC-9852. Then...
cat file.crt file.key > agent.pem
cp combinedca.crt cafile.pem

And in the sip profile you need to use sslv23 not tlsv1. 
<param name="tls-version" value="sslv23"/>

I updated the interop list on the wiki with that info too.

Nick 

On Sep 28, 2013, at 6:46 PM, Nick Vines <jnvines at gmail.com> wrote:

> Turns out there isn't a way to load any cert onto the spa112, and its logging is not helpful at all. I'm still at a loss of how to get it to work.
> 
> I got https provisioning working with the devices, so perhaps I can reuse some of those files. I haven't been able to figure out what agent.pem/cafile.pem combination to use though.
> 
> For getting the spa112 to work with https provisioning, I did the following:
> 1. (on server, private key) openssl genrsa -out <file.key> 1024
> 2. (on server, generate cert request) openssl req -new -key <file.key> -out <file.csr>
> 3. sent the `file.csr` to cisco and they sent back a `file.crt` with the signed certificate.
> 4. cisco also sent back a combinedca.crt with many certificates in that file.
> 
> In my apache virtual host I put
> #Server Cert
> SSLCertificateFile .../file.crt
> 
> #Server Private Key:
> SSLCertificateKeyFile .../file.key
> 
> #Client authentication Certificate Authority (CA)
> SSLVerifyClient require
> SSLCACertificatePath .../path/
> SSLCACertificateFile .../path/combinedca.crt
> 
> 
> I have tried the following, but neither worked. 
> 
> 1)
> cat file.crt file.key > agent.pem
> cp file.crt cafile.pem
> 
> 2)
> cat file.crt file.key > agent.pem
> cp combinedca.crt cafile.pem
> 
> 
> Any suggestions on how I might use those files to make a TLS profile for the cisco devices? 
> 
> Thanks,
> Nick 
> 
> On Sep 23, 2013, at 12:40 PM, Brian West <brian at freeswitch.org> wrote:
> 
>> Did you load your CA cert into the SPA?  If not then that could be a problem too.. crank up its logging and see what it's getting mad about.
>> 
>> 
>> On Sep 23, 2013, at 10:28 AM, Nick Vines <jnvines at gmail.com> wrote:
>> 
>>> Thanks Brian. 
>>> 
>>> I couldn't find an earlier version of the gentls in git, but I'm still new to git. I tried modifying gentls to use rsa:1024 instead of ec, but I'm still getting the same error messages in the sofia log when the SPA112 tries to connect. FSClient connects with both rsa:1024 and rsa:2048, but I haven't tried to connect any other devices to the server. 
>>> 
>>> Changes made to gentls_cert:
>>> setup_ca():
>>>      openssl req -out "${CONFDIR}/CA/cacert.pem" -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" -newkey rsa:1024 -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1
>>> 
>>> generate_cert():
>>>      openssl req -new -out "${TMPFILE}.req" -newkey rsa:1024 -keyout "${TMPFILE}.key" -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
>>> 
>> 
>> 
>> 
>> --
>> Brian West
>> brian at freeswitch.org
>> FreeSWITCH Solutions, LLC
>> PO BOX PO BOX 2531
>> Brookfield, WI 53008-2531
>> Twitter: @FreeSWITCH_Wire , @briankwest
>> http://www.freeswitchbook.com
>> http://www.freeswitchcookbook.com
>> 
>> T: +1.918.420.9001  |  F: +1.918.420.9002  |  M: +1.918.424.WEST
>> iNUM: +883 5100 1420 9001
>> ISN: 410*543
>> Skype:briankwest
>> PGP Key: http://www.bkw.org/key.txt (AB93356707C76CED)
> 
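
Added example (not part of the original thread): a shell check of the agent.pem / cafile.pem pair built above, confirming that agent.pem holds a certificate with its matching private key and that cafile.pem holds certificates only. The function names are hypothetical, the file names are the ones used in the thread, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity-check the agent.pem / cafile.pem pair from this thread.
# Function names are hypothetical; requires the openssl command-line tool.

# Count PEM blocks whose BEGIN label matches an extended regex.
pem_count() {   # usage: pem_count FILE LABEL_REGEX
    grep -Ec -- "^-----BEGIN ${2}-----" "$1" || true
}

# Matches "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
KEY_LABEL='([A-Z]+ )?PRIVATE KEY'

# agent.pem: certificate(s) plus exactly one private key that matches
# the first certificate in the file.
check_agent_pem() {   # usage: check_agent_pem AGENT_PEM
    [ -r "$1" ] || { echo "$1: cannot read" >&2; return 2; }
    certs=$(pem_count "$1" 'CERTIFICATE')
    keys=$(pem_count "$1" "$KEY_LABEL")
    [ "$certs" -ge 1 ] || { echo "$1: no certificate found" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "$1: expected 1 private key, found $keys" >&2; return 1; }
    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "$1: private key does not match certificate" >&2; return 1; }
}

# cafile.pem: CA certificates only. A private key here would be handed to
# anything that reads the trust bundle, so treat it as an error.
check_cafile_pem() {   # usage: check_cafile_pem CAFILE_PEM
    [ -r "$1" ] || { echo "$1: cannot read" >&2; return 2; }
    [ "$(pem_count "$1" "$KEY_LABEL")" -eq 0 ] || { echo "$1: contains a private key" >&2; return 1; }
    [ "$(pem_count "$1" 'CERTIFICATE')" -ge 1 ] || { echo "$1: no certificate found" >&2; return 1; }
    # Parse every certificate in the bundle and print subject and issuer for review.
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Stand-alone use: sh check_tls_files.sh agent.pem cafile.pem
if [ "$#" -eq 2 ]; then
    check_agent_pem "$1" && check_cafile_pem "$2"
fi
```
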
