[Freeswitch-users] So you wanna setup your own CA for WSS/SSL/TLS?
François Delawarde
fdelawarde at wirelessmundi.com
Wed Aug 6 17:25:44 MSD 2014
See also FS-6727:
https://jira.freeswitch.org/browse/FS-6727
François.
On Wed, 2014-08-06 at 15:07 +0200, François Delawarde wrote:
> I was of course talking about WSS. The issue is that not all browsers
> support TLS 1.2 (required by FreeSWITCH), see explanation below!
>
> François.
>
>
> On Wed, 2014-08-06 at 07:12 -0500, Brian West wrote:
>
> > TLS shouldn't be required for non-secure WS transport. This sounds
> > like a browser issue to me.
> >
> >
> > On Wed, Aug 6, 2014 at 5:37 AM, François Delawarde
> > <fdelawarde at wirelessmundi.com> wrote:
> >
> > Just found out the reason for my troubles! It was not a
> > certificate issue.
> >
> > The latest Google Chrome (36) installed in Debian
> > wheezy/stable does not support TLS 1.2 because it requires
> > libnss >3.15 (wheezy has 3.14). Unfortunately FreeSWITCH
> > requires TLS 1.2 for WSS connections.
> >
> > Any way to authorize TLS 1.1 or is it too insecure for web
> > sockets?
> >
> > ---
> >
> > A workaround in Debian wheezy would be to install a
> > recent Firefox that supports TLS 1.2. Keep in mind that
> > mod_verto stopped working since Firefox 31 (see FS-6708),
> > but older versions should work fine!
> >
> > François
> >
> >
> >
> >
> >
> > On Tue, 2014-08-05 at 16:51 +0200, François Delawarde wrote:
> >
> > > Doing these exact steps doesn't seem to work for me, but WS
> > > sockets work perfectly so I'm using that for now instead of
> > > WSS!
> > >
> > > Actually it might not even be a certificate issue, FS
> > > tells me:
> > >
> > > 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.
> > > 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.
> > > 2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED
> > > 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.
> > > 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended
> > >
> > > Which doesn't necessarily point to a TLS issue!
> > >
> > > Is importing the CA certificate in the client a necessary
> > > step to make it work with Chrome?
> > >
> > > François
> > >
> > >
> > >
> > >
> > > On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote:
> > >
> > > > I've corrected the how-to and put it in tree:
> > > >
> > > >
> > > > https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
> > > >
> > > >
> > > >
> > > > Importing the ca.crt into your system keychain for it to
> > > > be trusted is left to the end user to figure out. If
> > > > you can't do that step then you'll kinda be SOL. I know
> > > > on my Mac I just open ca.crt and it does the import for
> > > > me... Windows I suspect is similar; as for Linux, NO CLUE.
> > > >
> > > >
> > > > On Fri, Jul 25, 2014 at 1:53 PM, William King
> > > > <william.king at quentustech.com> wrote:
> > > >
> > > > One correction inline, and did you have any luck
> > > > getting Chrome to work with the custom CA?
> > > >
> > > > William King
> > > > Senior Engineer
> > > > Quentus Technologies, INC
> > > > 1037 NE 65th St Suite 273
> > > > Seattle, WA 98115
> > > > Main: (877) 211-9337
> > > > Office: (206) 388-4772
> > > > Cell: (253) 686-5518
> > > > william.king at quentustech.com
> > > >
> > > > On 07/25/2014 08:12 AM, Brian West wrote:
> > > > > Someone should probably turn this into a nice how-to:
> > > > >
> > > > > Here is how I did it.
> > > > >
> > > > > wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
> > > > > tar zxfv ssl.ca-0.1.tar.gz
> > > > > cd ssl.ca-0.1/
> > > > > perl -i -pe 's/md5/sha1/g' *.sh
> > > > > perl -i -pe 's/2048/2048/g' *.sh
> > > >
> > > > This is a noop. I assume it was supposed to
> > > > be /2048/4096/ or /1024/2048/
> > > > > ./new-root-ca.sh
> > > > > ./new-server-cert.sh self.bkw.org
> > > > > ./sign-server-cert.sh self.bkw.org
> > > > > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/wss.pem
> > > > >
> > > > > Setup Apache:
> > > > >
> > > > > default-ssl:
> > > > >
> > > > > SSLCertificateFile /usr/local/freeswitch/certs/wss.pem
> > > > > SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
> > > > > SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem
> > > > >
> > > > > Setup Sofia TLS:
> > > > >
> > > > > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/agent.pem
> > > > > cat ca.crt > /usr/local/freeswitch/certs/cafile.pem
> > > > >
> > > > > vars.xml:
> > > > >
> > > > > <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
> > > > > <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
> > > > >
> > > > > Restart FreeSWITCH.
> > > > >
> > > > > Now make sure your system has ca.crt imported so it will trust your new
> > > > > found hotness.
> > > > >
> > > > > TEST:
> > > > >
> > > > > openssl s_client -connect self.bkw.org:443
> > > > > openssl s_client -connect self.bkw.org:8082
> > > > >
> > > > >
> > > > > Depending on what you've setup you'll see:
> > > > >
> > > > > subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian at bkw.org
> > > > >
> > > > > issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian at bkw.org
> > > > >
> > > > > Or there abouts.
> > > > >
> > > > > --
> > > > > Brian West
> > > > > brian at freeswitch.org
> > > > >
> > > > > Twitter: @FreeSWITCH , @briankwest
> > > > > http://www.freeswitchbook.com
> > > > > http://www.freeswitchcookbook.com
> > > > >
> > > > > T:+19184209001 | F:+19184209002 | M:+1918424WEST (9378)
> > > > > iNUM:+883 5100 1420 9001 | ISN:410*543 | Skype:briankwest
> > > > >
> > > > >
> > > > >
> > > > >
> > > > _________________________________________________________________________
> > > > > Professional FreeSWITCH Consulting Services:
> > > > > consulting at freeswitch.org
> > > > > http://www.freeswitchsolutions.com
> > > > >
> > > > > FreeSWITCH-powered IP PBX: The CudaTel
> > > > Communication Server
> > > > >
> > > > >
> > > > > Official FreeSWITCH Sites
> > > > > http://www.freeswitch.org
> > > > > http://wiki.freeswitch.org
> > > > > http://www.cluecon.com
> > > > >
> > > > > FreeSWITCH-users mailing list
> > > > > FreeSWITCH-users at lists.freeswitch.org
> > > > >
> > > > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > > > >
> > > > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > > > > http://www.freeswitch.org
> > > > >
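The how-to quoted above, redone as an added example that is not part of the thread and not FreeSWITCH's own documentation: it uses plain openssl instead of the ssl.ca-0.1 scripts, signs with SHA-256 rather than the SHA-1 substitution (browsers have since stopped accepting SHA-1 certificate signatures), puts the hostname in a subjectAltName (Chrome no longer matches on the CN alone), and ends with the checks a practitioner wants before pointing FreeSWITCH at wss.pem: the certificate chains to ca.crt, the certificate and private key in the bundle belong together, and the SAN names the host. The CA name, the host fs.example.test and the output directory are assumptions. The last function wraps the s_client test from the thread with a protocol pin, which is how to confirm whether a server (or your own client) is limited to TLS 1.2, the problem François ran into.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeSWITCH's docs): a private CA
# and a server certificate for FreeSWITCH WSS, built with plain openssl.
# Assumed names: CA "Example Lab Root CA", host fs.example.test, output dir $1.
set -eu

# make_ca DIR: 2048-bit RSA root, self-signed with SHA-256, marked CA:TRUE so
# that browsers and `openssl verify` accept it as a trust anchor.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -sha256 \
        -subj "/O=Example Lab/CN=Example Lab Root CA" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# make_server_cert DIR HOST: key + CSR for HOST, signed by the CA, with the
# hostname in subjectAltName, then cert and key concatenated into wss.pem
# in the order the thread uses (certificate first, key second).
make_server_cert() {
    dir=$1 host=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -sha256 -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    cat "$dir/server.crt" "$dir/server.key" > "$dir/wss.pem"
}

# verify_bundle DIR HOST: the three checks worth running before restarting
# FreeSWITCH. Returns non-zero if any of them fails.
verify_bundle() {
    dir=$1 host=$2
    # 1. the server certificate chains to our CA
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # 2. the certificate and the key inside wss.pem share one public key
    #    (x509 reads the first cert in the file, pkey the first private key)
    cert_pub=$(openssl x509 -in "$dir/wss.pem" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$dir/wss.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    # 3. the SAN names the host the browser will actually connect to
    openssl x509 -in "$dir/wss.pem" -noout -text | grep -q "DNS:$host" || return 1
}

# probe_tls HOST PORT PROTO: does the server finish a handshake when the client
# is pinned to PROTO (tls1_1, tls1_2, tls1_3)? This is the s_client test from the
# thread with a version pin. The verdict also depends on the client: current
# OpenSSL builds refuse TLS 1.0/1.1 at the default security level. Needs a
# live server, so it is not exercised offline.
probe_tls() {
    openssl s_client -connect "$1:$2" "-$3" </dev/null >/dev/null 2>&1
}

# Usage: sh make_wss_ca.sh OUTDIR HOSTNAME
if [ $# -eq 2 ]; then
    make_ca "$1"
    make_server_cert "$1" "$2"
    if verify_bundle "$1" "$2"; then
        echo "ok: $1/wss.pem verified for $2; import $1/ca.crt into the browser's trust store"
    else
        echo "FAIL: $1/wss.pem did not pass verification" >&2
        exit 1
    fi
fi
```

Importing ca.crt into the client's trust store is still the manual step Brian describes; on Debian-based systems the certificate goes under /usr/local/share/ca-certificates/ followed by update-ca-certificates, while Chrome on Linux keeps its own NSS database and needs the import done there as well.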