[Freeswitch-users] Need help setting up Freeswitch with commercial SSL certificate

Brian West brian at freeswitch.org
Tue Aug 26 22:03:08 MSD 2014


If you've installed from packages you may end up with things not where you
think; we are working on this.

<param name="tls-cert-dir" value="/usr/local/freeswitch/certs"/>

is what I set in my internal.xml. The pending issue is that base_dir sometimes
doesn't point where you might expect.


On Tue, Aug 26, 2014 at 12:41 PM, Tim Smith <randomdev4 at gmail.com> wrote:

> Chain verification wasn't my problem! My problem was that the FreeSwitch
> default self-signed certs were showing up in openssl because Freeswitch
> seems to ignore you telling it to look in internal_ssl_dir and
> external_ssl_dir!
>
>
> On 26 August 2014 18:31, Brian West <brian at freeswitch.org> wrote:
>
>> http://www.sslshopper.com/ssl-checker.html
>>
>> I use this to test, if your OpenSSL install doesn't have the chain certs
>> it can't verify the chain unless you provide it.
>>
>>
>> On Tue, Aug 26, 2014 at 12:21 PM, Szeto, Steven <steven_szeto at mitel.com>
>> wrote:
>>
>>> I have also had issues with using third party certs with FreeSwitch. If
>>> I generated my own certs and used them with a FSClient, I can get the
>>> FSClient to register via TLS to my FreeSwitch server.
>>>
>>> However, I was unable to install the generated certs into my SIP phones
>>> and get them to register with my FreeSwitch server. I think there is a bit
>>> of work required here to get FreeSwitch to be a bit more flexible in its
>>> TLS registration protocol.
>>>
>>> Ideally, we should also be able to install multiple root certificates
>>> for various phones and allow these phones to register with the FreeSwitch
>>> server. As far as I am aware, multiple root certificate support is not
>>> supported.
>>>
>>>
>>> On Tue, Aug 26, 2014 at 9:12 AM, Tim Smith <gb10hkzo-fs1 at yahoo.co.uk>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> The story so far :
>>>>
>>>> • I've installed new certs
>>>> • checked config in vars.xml is pointing to the right place
>>>> • restarted freeswitch entirely
>>>> • it is still using some sort of internal certificates ?? cafile and
>>>> agent contain my certs and not those referred to in the openssl output ??
>>>>
>>>> What am I missing ??
>>>>
>>>> Thanks
>>>>
>>>> Tim
>>>>
>>>>
>>>>
>>>> FreeSWITCH Version 1.4.8+git~20140821T185758Z~1fe89f530f~64bit (git
>>>> 1fe89f5 2014-08-21 18:57:58Z 64bit)
>>>>
>>>>
>>>> /usr/local/freeswitch/conf/ssl# openssl verify -CAfile cafile.pem agent.pem
>>>> agent.pem: OK
>>>>
>>>> /usr/local/freeswitch/conf# cat vars.xml | grep ssl
>>>>      valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
>>>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>>>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
>>>>   <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>>>>   <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
>>>>
>>>> $ openssl s_client -showcerts -connect my.server:5061
>>>> CONNECTED(00000003)
>>>> depth=0 /C=US/CN=FreeSWITCH
>>>> verify error:num=18:self signed certificate
>>>> verify return:1
>>>> depth=0 /C=US/CN=FreeSWITCH
>>>> verify return:1
>>>> ---
>>>> Certificate chain
>>>>  0 s:/C=US/CN=FreeSWITCH
>>>>    i:/C=US/CN=FreeSWITCH
>>>> -----BEGIN CERTIFICATE-----
>>>> -----END CERTIFICATE-----
>>>> ---
>>>> Server certificate
>>>> subject=/C=US/CN=FreeSWITCH
>>>> issuer=/C=US/CN=FreeSWITCH
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 615 bytes and written 328 bytes
>>>> ---
>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>> Server public key is 1024 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1
>>>>     Cipher    : AES256-SHA
>>>>     Session-ID:
>>>>     Session-ID-ctx:
>>>>     Master-Key:
>>>>     Key-Arg   : None
>>>>     Start Time:
>>>>     Timeout   : 300 (sec)
>>>>     Verify return code: 18 (self signed certificate)
>>>> ---
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://confluence.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> 
>>>> 
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>
>>>
>>>
>>>
>>> --
>>>
>>> *Regards,*
>>>
>>> *Steve Szeto*
>>>
>>> *MiContact Center IVR Team*
>>>
>>> *Software Designer*
>>>
>>> Tel.: 613-592-5660 Ext. 71698
>>>
>>> Email: steven_szeto at mitel.com
>>>
>>>
>>>
>>>
>>>
>>>
>>> 350 Legget Drive
>>>
>>> Kanata, ON
>>>
>>> Canada K2K 2W7
>>>
>>> *www.mitel.com*
>>>
>>>
>>
>>
>>
>> --
>>
>> *Brian West*
>> brian at freeswitch.org
>>
>>
>> *Twitter: @FreeSWITCH , @briankwest*
>> http://www.freeswitchbook.com
>> http://www.freeswitchcookbook.com
>>
>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>
>>
>
>
>



-- 

*Brian West*
brian at freeswitch.org


*Twitter: @FreeSWITCH , @briankwest*
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com

*T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
*iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
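
The thread turns on two different failures that look alike in `openssl s_client` output: the listener serving a certificate other than the one installed (a tls-cert-dir / base_dir path problem), versus the right certificate being served but the client lacking the chain. The following is an added example, not part of the original messages or of FreeSWITCH: it parses an s_client transcript and tells the two apart. The function names and the installed-certificate subject `sip.example.test` are constructed for illustration.

```python
import re

# Transcript quoted in the thread, trimmed to the lines the parser reads.
THREAD_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=US/CN=FreeSWITCH
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/C=US/CN=FreeSWITCH
   i:/C=US/CN=FreeSWITCH
---
    Verify return code: 18 (self signed certificate)
"""

def parse_dn(text):
    """Normalise '/C=US/CN=x' (older OpenSSL) or 'C = US, CN = x' (newer).
    Simplification: values containing '/' or ', ' are not handled."""
    text = text.strip()
    parts = text.split("/")[1:] if text.startswith("/") else text.split(", ")
    return tuple(tuple(s.strip() for s in p.split("=", 1)) for p in parts if "=" in p)

def parse_s_client(transcript):
    """Return the presented chain as (depth, subject, issuer) and the verify code."""
    chain = [(int(d), parse_dn(s), parse_dn(i)) for d, s, i in
             re.findall(r"^[ \t]*(\d+) s:(.*)\n[ \t]*i:(.*)$", transcript, re.M)]
    m = re.search(r"Verify return code: (\d+)", transcript)
    return chain, (int(m.group(1)) if m else None)

def diagnose(transcript, installed_subject):
    """Separate 'wrong certificate served' from 'right certificate, chain unverified'."""
    chain, code = parse_s_client(transcript)
    if not chain:
        return "no-certificate-presented"
    _, subject, issuer = chain[0]
    if subject != parse_dn(installed_subject):
        # The listener loaded some other file: check tls-cert-dir and base_dir.
        return "serving-other-self-signed" if subject == issuer else "serving-different-cert"
    if code != 0:
        # Right leaf, but the client could not build the chain: supply -CAfile.
        return "chain-not-verified"
    return "ok"

if __name__ == "__main__":
    # Constructed subject standing in for `openssl x509 -noout -subject -in agent.pem`.
    print(diagnose(THREAD_OUTPUT, "/C=GB/CN=sip.example.test"))
```

Run against the transcript from the thread, the result points at the certificate path rather than the chain, which is the distinction the two posters were arguing over.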