[Freeswitch-users] So you wanna setup your own CA for WSS/SSL/TLS?

François Delawarde fdelawarde at wirelessmundi.com
Wed Aug 6 17:07:30 MSD 2014


I was of course talking about WSS. The issue is that not all browsers
support TLS 1.2 (required by FreeSWITCH), see explanation below!

François.
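As an added example (not code from this thread or from FreeSWITCH), the Python below performs the checks a practitioner would want around Brian's how-to quoted further down: that the wss.pem bundle really carries both certificate and key, that the subject/issuer lines printed by `openssl s_client` name the expected host and CA, and which TLS versions the WSS port actually negotiates. Host, port and file names are assumptions; the PEM text in the test is constructed.

```python
# Added example; not FreeSWITCH's own code. Checks for the wss.pem bundle and
# the `openssl s_client` output produced by the CA how-to in this thread.
import re
import socket
import ssl

_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

def bundle_problems(pem_text):
    """wss.pem is built with `cat server.crt server.key > wss.pem` and
    FreeSWITCH reads cert and key from that single file. Returns a list of
    problems; an empty list means the bundle looks usable."""
    labels = [m.group(1) for m in _PEM.finditer(pem_text)]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    elif "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("key is passphrase-protected; a daemon cannot unlock it")
    return problems

def parse_dn(line):
    """Turn an s_client 'subject=/C=US/.../CN=host' line into a dict."""
    _, _, dn = line.partition("=")
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def cert_matches(subject_line, issuer_line, expected_cn, expected_issuer_cn):
    """True when the served cert names our host and was issued by our own CA."""
    subj, iss = parse_dn(subject_line), parse_dn(issuer_line)
    return subj.get("CN") == expected_cn and iss.get("CN") == expected_issuer_cn

def supports_tls_version(host, port, version, cafile):
    """Handshake restricted to one TLS version (e.g. ssl.TLSVersion.TLSv1_2),
    trusting only our ca.crt. Run it against the WSS port (8082 in the how-to)
    to see what the server offers before blaming the browser. A modern client
    library may itself refuse TLS 1.1 at its default security level, which is
    the mirror image of the wheezy/Chrome 36 problem in this thread."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False
```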


On Wed, 2014-08-06 at 07:12 -0500, Brian West wrote:
> TLS shouldn't be required for non secure WS transport.  This sounds
> like a browser issue to me.
> 
> 
> 
> On Wed, Aug 6, 2014 at 5:37 AM, François Delawarde
> <fdelawarde at wirelessmundi.com> wrote:
> 
>         Just found out the reason for my troubles! It was not a
>         certificate issue.
>         
>         The latest google Chrome (36) installed in debian
>         wheezy/stable does not support TLS 1.2 because it requires
>         libnss >3.15 (wheezy has 3.14). Unfortunately freeswitch
>         requires TLS 1.2 for WSS connections.
>         
>         Any way to authorize TLS 1.1 or is it too insecure for web
>         sockets?
>         
>         ---
>         
>         A workaround in Debian wheezy would be to install a recent
>         Firefox that supports TLS 1.2. Keep in mind that mod_verto
>         stopped working since Firefox 31 (see FS-6708), but older
>         versions should work fine!
>         
>         François
>         
>         
>         
>         
>         
>         On Tue, 2014-08-05 at 16:51 +0200, François Delawarde wrote:
>         
>         > Doing these exact steps doesn't seem to work for me, but WS
>         > sockets work perfectly, so I'm using that for now instead of WSS!
>         > 
>         > Actually it might not even be a certificate issue, FS tells
>         > me:
>         > 
>         > 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209
>         > 192.168.10.80:41210 Client Connect.
>         > 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379
>         > 192.168.10.80:41210 Starting client thread.
>         > 2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292
>         > 192.168.10.80:41210 WS SETUP FAILED
>         > 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405
>         > 192.168.10.80:41210 Ending client thread.
>         > 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412
>         > 192.168.10.80:41210 Thread ended
>         > 
>         > Which doesn't necessarily point to a TLS issue!
>         > 
>         > Is importing the CA certificate in the client a necessary
>         > step to make it work with Chrome?
>         > 
>         > François
>         > 
>         > 
>         > 
>         > On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote: 
>         > 
>         > > I've corrected the how-to and put it in tree:
>         > > 
>         > > 
>         > > https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
>         > > 
>         > > 
>         > > 
>         > > Importing the ca.crt into your system keychain for it to
>         > > be trusted is left to the end user to figure out.  If you
>         > > can't do that step then you'll kinda be SOL, I know on my
>         > > Mac I just open ca.crt and it does the import for me...
>         > > Windows I suspect is similar as for Linux NO CLUE.
>         > > 
>         > > 
>         > > On Fri, Jul 25, 2014 at 1:53 PM, William King
>         > > <william.king at quentustech.com> wrote:
>         > > 
>         > >         One correction inline, and did you have any luck
>         > >         getting chrome to work
>         > >         with the custom CA?
>         > >         
>         > >         William King
>         > >         Senior Engineer
>         > >         Quentus Technologies, INC
>         > >         1037 NE 65th St Suite 273
>         > >         Seattle, WA 98115
>         > >         Main:   (877) 211-9337
>         > >         Office: (206) 388-4772
>         > >         Cell:   (253) 686-5518
>         > >         william.king at quentustech.com 
>         > >         
>         > >         On 07/25/2014 08:12 AM, Brian West wrote:
>         > >         > Someone should probably turn this into a nice how-to:
>         > >         >
>         > >         > Here is how I did it.
>         > >         >
>         > >         > wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
>         > >         > tar zxfv ssl.ca-0.1.tar.gz
>         > >         > cd ssl.ca-0.1/
>         > >         > perl -i -pe 's/md5/sha1/g' *.sh
>         > >         > perl -i -pe 's/2048/2048/g' *.sh
>         > >         
>         > >         This is a noop. I assume it was supposed to
>         > >         be /2048/4096/ or /1024/2048/
>         > >         
>         > >         > ./new-root-ca.sh
>         > >         > ./new-server-cert.sh self.bkw.org
>         > >         > ./sign-server-cert.sh self.bkw.org
>         > >         > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/wss.pem
>         > >         >
>         > >         > Setup Apache:
>         > >         >
>         > >         > default-ssl:
>         > >         >
>         > >         > SSLCertificateFile /usr/local/freeswitch/certs/wss.pem
>         > >         > SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
>         > >         > SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem
>         > >         >
>         > >         > Setup Sofia TLS:
>         > >         >
>         > >         > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/agent.pem
>         > >         > cat ca.crt > /usr/local/freeswitch/certs/cafile.pem
>         > >         >
>         > >         > vars.xml:
>         > >         >
>         > >         > <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>         > >         > <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>         > >         >
>         > >         > Restart FreeSWITCH.
>         > >         >
>         > >         > Now make sure your system has ca.crt imported so it will trust your new
>         > >         > found hotness.
>         > >         >
>         > >         > TEST:
>         > >         >
>         > >         > openssl s_client -connect self.bkw.org:443
>         > >         > openssl s_client -connect self.bkw.org:8082
>         > >         >
>         > >         > Depending on what you've setup you'll see:
>         > >         >
>         > >         > subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian at bkw.org
>         > >         > issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian at bkw.org
>         > >         >
>         > >         > Or there abouts.
>         > >         >
>         > >         > --
>         > >         >
>         > >         > */Brian West/*
>         > >         > brian at freeswitch.org
>         > >         <mailto:brian at freeswitch.org>
>         > >         >
>         > >         >
>         > >         > */Twitter: @FreeSWITCH , @briankwest/*
>         > >         > http://www.freeswitchbook.com
>         > >         > http://www.freeswitchcookbook.com
>         > >         >
>         > >         > *T:*+19184209001 | *F:*+19184209002 | *M:*
>         > >         +1918424WEST (9378)
>         > >         > *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 |
>         > >         *Skype:*briankwest
>         > >         >
>         > >         >
>         > >         >
>         > >         >
>         > >         _________________________________________________________________________
>         > >         > Professional FreeSWITCH Consulting Services:
>         > >         > consulting at freeswitch.org
>         > >         > http://www.freeswitchsolutions.com
>         > >         >
>         > >         > FreeSWITCH-powered IP PBX: The CudaTel
>         > >         Communication Server
>         > >         > 
>         > >         >
>         > >         > Official FreeSWITCH Sites
>         > >         > http://www.freeswitch.org
>         > >         > http://wiki.freeswitch.org
>         > >         > http://www.cluecon.com
>         > >         >
>         > >         > FreeSWITCH-users mailing list
>         > >         > FreeSWITCH-users at lists.freeswitch.org
>         > >         >
>         > >         http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>         > >         >
>         > >         UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>         > >         > http://www.freeswitch.org
>         > >         >
>         > >         
>         > > 
>         > > 
>         > > 
>         > > 
>         > > 
>         > 
>         
>         
>         
> 
> 
> 
> 
> 
> 
> 