[Freeswitch-users] So you wanna setup your own CA for WSS/SSL/TLS?

François Delawarde fdelawarde at wirelessmundi.com
Tue Aug 5 18:51:01 MSD 2014


Doing these exact steps doesn't seem to work for me, but WS sockets work
perfectly so using that for now instead of WSS!

Actually it might not even be a certificate issue, FS tells me:

2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.
2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended

Which doesn't necessarily point to a TLS issue!

Is importing the CA certificate in the client a necessary step to make
it work with Chrome?

François

On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote:
> I've corrected the how-to and put it in tree:
> 
> 
> 
> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
> 
> 
> 
> Importing the ca.crt into your system keychain for it to be trusted is
> left to the end user to figure out.  If you can't do that step then
> you'll kinda be SOL, I know on my Mac I just open ca.crt and it does
> the import for me... Windows I suspect is similar as for Linux NO
> CLUE.
> 
> 
> 
> On Fri, Jul 25, 2014 at 1:53 PM, William King
> <william.king at quentustech.com> wrote:
> 
>         One correction inline, and did you have any luck getting
>         chrome to work
>         with the custom CA?
>         
>         William King
>         Senior Engineer
>         Quentus Technologies, INC
>         1037 NE 65th St Suite 273
>         Seattle, WA 98115
>         Main:   (877) 211-9337
>         Office: (206) 388-4772
>         Cell:   (253) 686-5518
>         william.king at quentustech.com
>         
>         
>         On 07/25/2014 08:12 AM, Brian West wrote:
>         > Someone should probably turn this into a nice how-to:
>         >
>         > Here is how I did it.
>         >
>         > wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
>         > tar zxfv ssl.ca-0.1.tar.gz
>         > cd ssl.ca-0.1/
>         > perl -i -pe 's/md5/sha1/g' *.sh
>         > perl -i -pe 's/2048/2048/g' *.sh
>         
>         
>         This is a noop. I assume it was supposed to be /2048/4096/
>         or /1024/2048/
>         > ./new-root-ca.sh
>         > ./new-server-cert.sh self.bkw.org
>         > ./sign-server-cert.sh self.bkw.org
>         
>         > cat self.bkw.org.crt self.bkw.org.key >
>         > /usr/local/freeswitch/certs/wss.pem
>         >
>         > Setup Apache:
>         >
>         > default-ssl:
>         >
>         > SSLCertificateFile    /usr/local/freeswitch/certs/wss.pem
>         > SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
>         > SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem
>         >
>         > Setup Sofia TLS:
>         >
>         > cat self.bkw.org.crt self.bkw.org.key >
>         > /usr/local/freeswitch/certs/agent.pem
>         > cat ca.crt > /usr/local/freeswitch/certs/cafile.pem
>         >
>         > vars.xml:
>         >
>         > <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>         > <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>         >
>         > Restart FreeSWITCH.
>         >
>         > Now make sure your system has ca.crt imported so it will
>         > trust your new found hotness.
>         >
>         > TEST:
>         >
>         > openssl s_client -connect self.bkw.org:443
>         > openssl s_client -connect self.bkw.org:8082
>         >
>         >
>         > Depending on what you've setup you'll see:
>         >
>         > subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian at bkw.org
>         >
>         > issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian at bkw.org
>         >
>         > Or there abouts.
>         >
>         > --
>         >
>         > */Brian West/*
>         > brian at freeswitch.org <mailto:brian at freeswitch.org>
>         >
>         >
>         > */Twitter: @FreeSWITCH , @briankwest/*
>         > http://www.freeswitchbook.com
>         > http://www.freeswitchcookbook.com
>         >
>         > *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST
>         (9378)
>         > *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 |
>         *Skype:*briankwest
>         >
>         >
>         >
>         >
>         _________________________________________________________________________
>         > Professional FreeSWITCH Consulting Services:
>         > consulting at freeswitch.org
>         > http://www.freeswitchsolutions.com
>         >
>         > 
>         > 
>         >
>         > Official FreeSWITCH Sites
>         > http://www.freeswitch.org
>         > http://wiki.freeswitch.org
>         > http://www.cluecon.com
>         >
>         > FreeSWITCH-users mailing list
>         > FreeSWITCH-users at lists.freeswitch.org
>         >
>         http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>         >
>         UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>         > http://www.freeswitch.org
>         >
>         
>         
> 
> 
> 
> 
> 
> 
> 
> -- 
> 
> Brian West
> brian at freeswitch.org
> 
> 
> 
> 
> Twitter: @FreeSWITCH , @briankwest
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
> 
> T:+19184209001 | F:+19184209002 | M:+1918424WEST (9378)
> iNUM:+883 5100 1420 9001 | ISN:410*543 | Skype:briankwest
> 
> 
> 
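
The CA steps quoted above and the question about importing ca.crt, as an added example that is not part of the thread: it calls openssl directly instead of the ssl.ca-0.1 scripts, signs with SHA-256 rather than the thread's sha1 substitution, and shows that the server certificate only verifies for a client that holds ca.crt. The host name verto.example.test, the CA name and all file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Host name and CA name are constructed.
HOST=verto.example.test

make_ca_and_cert() {  # $1 = output directory, $2 = server host name
    d=$1; h=$2
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Test CA
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Root CA: 2048-bit RSA key, self-signed with SHA-256.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ca.cnf" \
        -subj "/CN=$h" -keyout "$d/$h.key" -out "$d/$h.csr" 2>/dev/null || return 1
    # Sign the CSR; current browsers match the host name against subjectAltName.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$h" > "$d/ext.cnf"
    openssl x509 -req -sha256 -days 365 -in "$d/$h.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/ext.cnf" \
        -out "$d/$h.crt" 2>/dev/null || return 1
    # Same bundle layout as the thread (certificate, then key), owner-only access.
    (umask 077; cat "$d/$h.crt" "$d/$h.key" > "$d/wss.pem")
}

# Succeeds only if the chain verifies against the given CA and the name matches.
client_accepts() {  # $1 = CA file, $2 = certificate, $3 = host name
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# A client that has not imported ca.crt: only the system trust store is used.
client_without_ca_accepts() {  # $1 = certificate
    openssl verify "$1" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca_and_cert "$work" "$HOST" || echo "certificate generation failed"
client_accepts "$work/ca.crt" "$work/$HOST.crt" "$HOST" && echo "trusted with ca.crt"
client_without_ca_accepts "$work/$HOST.crt" || echo "rejected without ca.crt"
```

wss.pem contains the private key, so it should stay readable only by the account FreeSWITCH runs as; ca.key is needed only when signing and can be kept off the server.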