[Freeswitch-users] Need help setting up Freeswitch with commercial SSL certificate

Steven Ayre steveayre at gmail.com
Wed Aug 27 14:59:31 MSD 2014


vars.xml doesn't tell FS to do anything - all the variables you define
there are simply for convenience to be used elsewhere in the configuration.

If you're setting the variable but not actually using it in the SIP profile
then it's having no effect.


On 26 August 2014 18:27, Tim Smith <randomdev4 at gmail.com> wrote:

> Hi Brian,
>
> Yup, that doc came up on my Google searches.
>
> And yes, I've done all that as per my original post.
>
> Or are you telling me that despite vars.xml telling it otherwise
> Freeswitch ignores whatever I put in $base/conf/ssl/ and that I should put
> the stuff in $base/certs instead because that's where Freeswitch is
> hardcoded to look?
>
> Tim
>
>
> On 26 August 2014 18:17, Brian West <brian at freeswitch.org> wrote:
>
>>
>> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?at=ed7aa96778597f521f0bb2e830277a0d95b21fd7&raw
>>
>> It's very similar to commercial SSL Certs.
>>
>>
>> On Tue, Aug 26, 2014 at 12:07 PM, Tim Smith <randomdev4 at gmail.com> wrote:
>>
>>> Hi Steven,
>>>
>>> As you can see, per default config, the only place "tls-cert-dir" is
>>> mentioned is commented out.  I don't have it in any individual profiles
>>> either....
>>>
>>> /usr/local/freeswitch/conf$  find . -name '*.xml' -print0 | xargs -0 grep 'tls-cert-dir'
>>> ./sip_profiles/internal.xml:    <!--<param name="tls-cert-dir" value=""/>-->
>>> ./sip_profiles/external.xml:    <!--<param name="tls-cert-dir" value=""/>-->
>>>
>>>
>>> Tim
>>>
>>>
>>> On 26 August 2014 17:50, Steven Ayre <steveayre at gmail.com> wrote:
>>>
>>>> Check the tls-cert-dir parameter of the SIP profile. Those are only
>>>> setting variables, they may or may not be used by the actual profile.
>>>>
>>>>
>>>> On 26 August 2014 14:12, Tim Smith <gb10hkzo-fs1 at yahoo.co.uk> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> The story so far :
>>>>>
>>>>> • I've installed new certs
>>>>> • checked config in vars.xml is pointing to the right place
>>>>> • restarted freeswitch entirely
>>>>> • it is still using some sort of internal certificates ?? cafile and
>>>>> agent contain my certs and not those referred to in the openssl output ??
>>>>>
>>>>> What am I missing ??
>>>>>
>>>>> Thanks
>>>>>
>>>>> Tim
>>>>>
>>>>>
>>>>>
>>>>> FreeSWITCH Version 1.4.8+git~20140821T185758Z~1fe89f530f~64bit (git 1fe89f5 2014-08-21 18:57:58Z 64bit)
>>>>>
>>>>>
>>>>> /usr/local/freeswitch/conf/ssl# openssl verify -CAfile cafile.pem agent.pem
>>>>> agent.pem: OK
>>>>>
>>>>> /usr/local/freeswitch/conf# cat vars.xml | grep ssl
>>>>>      valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
>>>>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>>>>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
>>>>>   <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>>>>>   <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
>>>>>
>>>>> $ openssl s_client -showcerts -connect my.server:5061
>>>>> CONNECTED(00000003)
>>>>> depth=0 /C=US/CN=FreeSWITCH
>>>>> verify error:num=18:self signed certificate
>>>>> verify return:1
>>>>> depth=0 /C=US/CN=FreeSWITCH
>>>>> verify return:1
>>>>> ---
>>>>> Certificate chain
>>>>>  0 s:/C=US/CN=FreeSWITCH
>>>>>    i:/C=US/CN=FreeSWITCH
>>>>> -----BEGIN CERTIFICATE-----
>>>>> -----END CERTIFICATE-----
>>>>> ---
>>>>> Server certificate
>>>>> subject=/C=US/CN=FreeSWITCH
>>>>> issuer=/C=US/CN=FreeSWITCH
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> ---
>>>>> SSL handshake has read 615 bytes and written 328 bytes
>>>>> ---
>>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>>> Server public key is 1024 bit
>>>>> Secure Renegotiation IS supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1
>>>>>     Cipher    : AES256-SHA
>>>>>     Session-ID:
>>>>>     Session-ID-ctx:
>>>>>     Master-Key:
>>>>>     Key-Arg   : None
>>>>>     Start Time:
>>>>>     Timeout   : 300 (sec)
>>>>>     Verify return code: 18 (self signed certificate)
>>>>> ---
>>>>>
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> 
>>>>> 
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>
>>
>>
>> --
>>
>> *Brian West*
>> brian at freeswitch.org
>>
>>
>> *Twitter: @FreeSWITCH , @briankwest*
>> http://www.freeswitchbook.com
>> http://www.freeswitchcookbook.com
>>
>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>
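
Added example (not part of the original thread and not FreeSWITCH project code): a small audit of the situation described above, where vars.xml defines internal_ssl_dir but the SIP profile's tls-cert-dir param is commented out, so the variable is never consumed. The XML samples are constructed from the snippets quoted in the thread; the "fixed" profile, and the `tls` param shown in both profiles, are assumptions about what an active configuration looks like.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the snippets quoted in this thread.
VARS_XML = """<include>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
</include>"""

PROFILE_DEFAULT = """<profile name="internal"><settings>
  <!--<param name="tls-cert-dir" value=""/>-->
  <param name="tls" value="$${internal_ssl_enable}"/>
</settings></profile>"""

# Assumed corrected form: the param is uncommented and references the variable.
PROFILE_FIXED = """<profile name="internal"><settings>
  <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
  <param name="tls" value="$${internal_ssl_enable}"/>
</settings></profile>"""

VAR_REF = re.compile(r"\$\$\{([^}]+)\}")  # matches $${name} references


def defined_vars(vars_xml):
    """Names set by <X-PRE-PROCESS cmd="set" data="name=value"/> entries."""
    root = ET.fromstring(vars_xml)
    return {el.get("data", "").split("=", 1)[0]
            for el in root.iter("X-PRE-PROCESS") if el.get("cmd") == "set"}


def audit_profile(profile_xml, vars_xml):
    """Return (active tls-cert-dir value or None, defined vars the profile never uses)."""
    root = ET.fromstring(profile_xml)  # the parser discards XML comments
    params = {p.get("name"): p.get("value", "") for p in root.iter("param")}
    used = {name for v in params.values() for name in VAR_REF.findall(v)}
    unused = sorted(defined_vars(vars_xml) - used)
    return params.get("tls-cert-dir"), unused


if __name__ == "__main__":
    for label, xml in (("default", PROFILE_DEFAULT), ("fixed", PROFILE_FIXED)):
        cert_dir, unused = audit_profile(xml, VARS_XML)
        print(f"{label}: tls-cert-dir={cert_dir!r} unused vars={unused}")
```

A `None` result for tls-cert-dir together with internal_ssl_dir in the unused list is the condition Steven describes: the variable is set but has no effect on the profile.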