[Freeswitch-users] Need help setting up Freeswitch with commercial SSL certificate

Tim Smith randomdev4 at gmail.com
Tue Aug 26 21:29:23 MSD 2014


Hi Steve,

My issue isn't so much on the internal side (because obviously self-signed
would be just fine and dandy for internal use), but rather talking to
external services who need to be able to validate me against the commercial
roots.

Tim


On 26 August 2014 18:21, Szeto, Steven <steven_szeto at mitel.com> wrote:

> I have also had issues with using third party certs with FreeSwitch. If I
> generated my own certs and used them with a FSClient, I can get the
> FSClient to register via TLS to my FreeSwitch server.
>
> However, I was unable to install the generated certs into my SIP phones
> and get them to register with my FreeSwitch server. I think there is a bit
> of work required here to get FreeSwitch to be a bit more flexible in its
> TLS registration protocol.
>
> Ideally, we should also be able to install multiple root certificates for
> various phones and allow these phones to register with the FreeSwitch
> server. As far as I am aware, multiple root certificate support is not
> supported.
>
>
> On Tue, Aug 26, 2014 at 9:12 AM, Tim Smith <gb10hkzo-fs1 at yahoo.co.uk>
> wrote:
>
>> Hi,
>>
>> The story so far :
>>
>> • I've installed new certs
>> • checked config in vars.xml is pointing to the right place
>> • restarted freeswitch entirely
>> • it is still using some sort of internal certificates ?? cafile and
>> agent contain my certs and not those referred to in the openssl output ??
>>
>> What am I missing ??
>>
>> Thanks
>>
>> Tim
>>
>>
>>
>> FreeSWITCH Version 1.4.8+git~20140821T185758Z~1fe89f530f~64bit (git
>> 1fe89f5 2014-08-21 18:57:58Z 64bit)
>>
>>
>> /usr/local/freeswitch/conf/ssl# openssl verify -CAfile cafile.pem agent.pem
>> agent.pem: OK
>>
>> /usr/local/freeswitch/conf# cat vars.xml | grep ssl
>>      valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
>>   <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>>   <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
>>
>> $ openssl s_client -showcerts -connect my.server:5061
>> CONNECTED(00000003)
>> depth=0 /C=US/CN=FreeSWITCH
>> verify error:num=18:self signed certificate
>> verify return:1
>> depth=0 /C=US/CN=FreeSWITCH
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=US/CN=FreeSWITCH
>>    i:/C=US/CN=FreeSWITCH
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=US/CN=FreeSWITCH
>> issuer=/C=US/CN=FreeSWITCH
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 615 bytes and written 328 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES256-SHA
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     Key-Arg   : None
>>     Start Time:
>>     Timeout   : 300 (sec)
>>     Verify return code: 18 (self signed certificate)
>> ---
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> 
>> 
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>
>
>
>
> --
>
> *Regards,*
>
> *Steve Szeto*
>
> *MiContact Center IVR Team*
>
> *Software Designer*
>
> Tel.: 613-592-5660 Ext. 71698
>
> Email: steven_szeto at mitel.com
>
>
>
>
>
>
> 350 Legget Drive
>
> Kanata, ON
>
> Canada K2K 2W7
>
> *www.mitel.com*
>
>
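
Added example, not part of the original thread: a small triage of an `openssl s_client -showcerts` transcript like the one quoted above, flagging a self-signed leaf, an unexpected subject CN, a sub-2048-bit key and a non-zero verify code. The function names, the finding labels and the expected CN `my.server` are assumptions for illustration; the sample transcript is constructed from the lines shown in the thread.

```shell
#!/bin/sh
# Added example: triage a saved `openssl s_client -showcerts` transcript.
# Live use (command as in the thread; triage_s_client is a hypothetical helper):
#   openssl s_client -showcerts -connect my.server:5061 </dev/null 2>/dev/null \
#     | triage_s_client my.server

# Reads a transcript on stdin and prints one finding per line.
# $1 = subject CN expected on the installed commercial cert (assumed value).
triage_s_client() {
    awk -v want_cn="$1" '
        /^subject=/ { subject = substr($0, 9) }
        /^issuer=/  { issuer  = substr($0, 8) }
        /^Server public key is/ { bits = $5 + 0 }
        /Verify return code:/ {
            sub(/^.*Verify return code: */, "")   # $0 is now "18 (self signed ...)"
            code = $1 + 0
        }
        END {
            if (subject == "") { print "NO_CERT"; exit }
            # Same subject and issuer on the leaf: not issued by a commercial CA.
            if (subject == issuer) print "SELF_SIGNED " subject
            # Accept both "/C=US/CN=x" and "C = US, CN = x" subject styles.
            cn = ""
            if (match(subject, "CN *= *[^/,]+")) {
                cn = substr(subject, RSTART, RLENGTH)
                sub(/^CN *= */, "", cn)
            }
            if (cn != want_cn) print "CN_MISMATCH got=" cn " want=" want_cn
            if (bits > 0 && bits < 2048) print "WEAK_KEY " bits
            if (code != 0) print "VERIFY_FAILED " code
        }'
}

# Constructed sample: the relevant lines of the transcript quoted in the thread.
sample_transcript() {
    cat <<'EOF'
depth=0 /C=US/CN=FreeSWITCH
verify error:num=18:self signed certificate
Server certificate
subject=/C=US/CN=FreeSWITCH
issuer=/C=US/CN=FreeSWITCH
Server public key is 1024 bit
    Verify return code: 18 (self signed certificate)
EOF
}

sample_transcript | triage_s_client my.server
```

A SELF_SIGNED or CN_MISMATCH finding on the listening port, while `openssl verify` passes on the files on disk, means the server is presenting a different certificate than the one installed.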