[Freeswitch-users] Need help setting up Freeswitch with commercial SSL certificate

Szeto, Steven steven_szeto at mitel.com
Tue Aug 26 21:21:07 MSD 2014


I have also had issues with using third party certs with FreeSwitch. If I
generated my own certs and used them with a FSClient, I can get the
FSClient to register via TLS to my FreeSwitch server.

However, I was unable to install the generated certs into my SIP phones and
get them to register with my FreeSwitch server. I think there is a bit of
work required here to get FreeSwitch to be a bit more flexible in its TLS
registration protocol.

Ideally, we should also be able to install multiple root certificates for
various phones and allow these phones to register with the FreeSwitch
server. As far as I am aware, multiple root certificate support is not
supported.


On Tue, Aug 26, 2014 at 9:12 AM, Tim Smith <gb10hkzo-fs1 at yahoo.co.uk> wrote:

> Hi,
>
> The story so far :
>
> • I've installed new certs
> • checked config in vars.xml is pointing to the right place
> • restarted freeswitch entirely
> • it is still using some sort of internal certificates ?? cafile and agent
> contain my certs and not those referred to in the openssl output ??
>
> What am I missing ??
>
> Thanks
>
> Tim
>
>
>
> FreeSWITCH Version 1.4.8+git~20140821T185758Z~1fe89f530f~64bit (git
> 1fe89f5 2014-08-21 18:57:58Z 64bit)
>
>
> /usr/local/freeswitch/conf/ssl# openssl verify -CAfile cafile.pem agent.pem
> agent.pem: OK
>
> /usr/local/freeswitch/conf# cat vars.xml | grep ssl
>      valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
>   <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>   <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
>   <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>   <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
>
> $ openssl s_client -showcerts -connect my.server:5061
> CONNECTED(00000003)
> depth=0 /C=US/CN=FreeSWITCH
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=US/CN=FreeSWITCH
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/CN=FreeSWITCH
>    i:/C=US/CN=FreeSWITCH
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=US/CN=FreeSWITCH
> issuer=/C=US/CN=FreeSWITCH
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 615 bytes and written 328 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Start Time:
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
>
>




-- 

*Regards,*

*Steve Szeto*

*MiContact Center IVR Team*

*Software Designer*


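An added example, not part of the original thread and not FreeSWITCH code: a small parser over `openssl s_client` output that reports whether the listener is presenting the installed certificate or something else. The sample text is constructed from the output quoted above, and `parse_s_client`, `diagnose` and the expected subject `/C=GB/CN=my.server` are assumptions made for illustration.

```python
import re

# Constructed sample: key lines of the `openssl s_client` output quoted in the thread.
SAMPLE = """\
depth=0 /C=US/CN=FreeSWITCH
verify error:num=18:self signed certificate
Certificate chain
 0 s:/C=US/CN=FreeSWITCH
   i:/C=US/CN=FreeSWITCH
Server certificate
subject=/C=US/CN=FreeSWITCH
issuer=/C=US/CN=FreeSWITCH
Server public key is 1024 bit
    Protocol  : TLSv1
    Verify return code: 18 (self signed certificate)
"""

def _field(pattern, text):
    """First capture group of pattern in text, or None if the line is absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_s_client(text):
    """Extract what the server actually presented from s_client output."""
    code = _field(r"Verify return code:\s*(\d+)", text)
    bits = _field(r"Server public key is (\d+) bit", text)
    return {
        "subject": _field(r"^subject=(.*)$", text),
        "issuer": _field(r"^issuer=(.*)$", text),
        "verify_code": int(code) if code else None,
        "key_bits": int(bits) if bits else None,
        "protocol": _field(r"Protocol\s*:\s*(\S+)", text),
    }

def diagnose(text, expected_subject):
    """List findings about the served certificate versus the installed one (hypothetical helper)."""
    info, findings = parse_s_client(text), []
    if info["subject"] != expected_subject:
        findings.append(f"served subject {info['subject']} != installed {expected_subject}")
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append("served certificate is self-signed (subject == issuer)")
    if info["verify_code"]:
        findings.append(f"client-side verification failed with code {info['verify_code']}")
    if info["key_bits"] and info["key_bits"] < 2048:
        findings.append(f"server key is only {info['key_bits']} bits")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "/C=GB/CN=my.server"):  # constructed subject
        print(finding)
```

The expected subject can be read from the installed file with `openssl x509 -in agent.pem -noout -subject` and passed in place of the constructed value.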