[Freeswitch-users] Need help setting up Freeswitch with commercial SSL certificate

Brian West brian at freeswitch.org
Wed Aug 27 18:15:34 MSD 2014


Good reminder; I sometimes forget that, and not everyone would follow
or understand what vars.xml does.


On Wed, Aug 27, 2014 at 5:59 AM, Steven Ayre <steveayre at gmail.com> wrote:

> vars.xml doesn't tell FS to do anything - all the variables you define
> there are simply for convenience to be used elsewhere in the configuration.
>
> If you're setting the variable but not actually using it in the SIP
> profile then it's having no effect.
>
>
> On 26 August 2014 18:27, Tim Smith <randomdev4 at gmail.com> wrote:
>
>> Hi Brian,
>>
>> Yup, that doc came up on my Google searches.
>>
>> And yes, I've done all that as per my original post.
>>
>> Or are you telling me that despite vars.xml telling it otherwise
>> Freeswitch ignores whatever I put in $base/conf/ssl/ and that I should put
>> the stuff in $base/certs instead because that's where Freeswitch is
>> hardcoded to look?
>>
>> Tim
>>
>>
>> On 26 August 2014 18:17, Brian West <brian at freeswitch.org> wrote:
>>
>>>
>>> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?at=ed7aa96778597f521f0bb2e830277a0d95b21fd7&raw
>>>
>>> It's very similar to commercial SSL Certs.
>>>
>>>
>>> On Tue, Aug 26, 2014 at 12:07 PM, Tim Smith <randomdev4 at gmail.com>
>>> wrote:
>>>
>>>> Hi Steven,
>>>>
>>>> As you can see, per default config, the only place "tls-cert-dir" is
>>>> mentioned is commented out.  I don't have it in any individual profiles
>>>> either....
>>>>
>>>> /usr/local/freeswitch/conf$  find . -name '*.xml' -print0 | xargs -0 grep 'tls-cert-dir'
>>>> ./sip_profiles/internal.xml:    <!--<param name="tls-cert-dir" value=""/>-->
>>>> ./sip_profiles/external.xml:    <!--<param name="tls-cert-dir" value=""/>-->
>>>>
>>>>
>>>> Tim
>>>>
>>>>
>>>> On 26 August 2014 17:50, Steven Ayre <steveayre at gmail.com> wrote:
>>>>
>>>>> Check the tls-cert-dir parameter of the SIP profile. Those are only
>>>>> setting variables, they may or may not be used by the actual profile.
>>>>>
>>>>>
>>>>> On 26 August 2014 14:12, Tim Smith <gb10hkzo-fs1 at yahoo.co.uk> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> The story so far :
>>>>>>
>>>>>> • I've installed new certs
>>>>>> • checked config in vars.xml is pointing to the right place
>>>>>> • restarted freeswitch entirely
>>>>>> • it is still using some sort of internal certificates ?? cafile and
>>>>>> agent contain my certs and not those referred to in the openssl output ??
>>>>>>
>>>>>> What am I missing ??
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>>
>>>>>>
>>>>>> FreeSWITCH Version 1.4.8+git~20140821T185758Z~1fe89f530f~64bit (git
>>>>>> 1fe89f5 2014-08-21 18:57:58Z 64bit)
>>>>>>
>>>>>>
>>>>>> /usr/local/freeswitch/conf/ssl# openssl verify -CAfile cafile.pem agent.pem
>>>>>> agent.pem: OK
>>>>>>
>>>>>> /usr/local/freeswitch/conf# cat vars.xml | grep ssl
>>>>>>      valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
>>>>>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>>>>>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
>>>>>>   <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>>>>>>   <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
>>>>>>
>>>>>> $ openssl s_client -showcerts -connect my.server:5061
>>>>>> CONNECTED(00000003)
>>>>>> depth=0 /C=US/CN=FreeSWITCH
>>>>>> verify error:num=18:self signed certificate
>>>>>> verify return:1
>>>>>> depth=0 /C=US/CN=FreeSWITCH
>>>>>> verify return:1
>>>>>> ---
>>>>>> Certificate chain
>>>>>>  0 s:/C=US/CN=FreeSWITCH
>>>>>>    i:/C=US/CN=FreeSWITCH
>>>>>> -----BEGIN CERTIFICATE-----
>>>>>> -----END CERTIFICATE-----
>>>>>> ---
>>>>>> Server certificate
>>>>>> subject=/C=US/CN=FreeSWITCH
>>>>>> issuer=/C=US/CN=FreeSWITCH
>>>>>> ---
>>>>>> No client certificate CA names sent
>>>>>> ---
>>>>>> SSL handshake has read 615 bytes and written 328 bytes
>>>>>> ---
>>>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>>>> Server public key is 1024 bit
>>>>>> Secure Renegotiation IS supported
>>>>>> Compression: NONE
>>>>>> Expansion: NONE
>>>>>> SSL-Session:
>>>>>>     Protocol  : TLSv1
>>>>>>     Cipher    : AES256-SHA
>>>>>>     Session-ID:
>>>>>>     Session-ID-ctx:
>>>>>>     Master-Key:
>>>>>>     Key-Arg   : None
>>>>>>     Start Time:
>>>>>>     Timeout   : 300 (sec)
>>>>>>     Verify return code: 18 (self signed certificate)
>>>>>> ---
>>>>>>
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>> consulting at freeswitch.org
>>>>>> http://www.freeswitchsolutions.com
>>>>>>
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org
>>>>>> http://confluence.freeswitch.org
>>>>>> http://www.cluecon.com
>>>>>>
>>>>>> 
>>>>>> 
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:
>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>
>>>
>>>
>>> --
>>>
>>> *Brian West*
>>> brian at freeswitch.org
>>>
>>>
>>> *Twitter: @FreeSWITCH , @briankwest*
>>> http://www.freeswitchbook.com
>>> http://www.freeswitchcookbook.com
>>>
>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest



-- 

*Brian West*
brian at freeswitch.org


*Twitter: @FreeSWITCH , @briankwest*
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com

*T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
*iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
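
The point made in this thread (a variable set in vars.xml has no effect until a profile actually references it) can be checked mechanically. The following is an added example, not part of the original messages or of FreeSWITCH itself: the function names are hypothetical and the sample config is constructed, modelled on the snippets quoted above.

```shell
#!/usr/bin/env bash
# Report variables that vars.xml sets with X-PRE-PROCESS but that no config
# file references as $${name} outside an XML comment.

strip_comments() {   # drop <!-- ... --> spans, including multi-line ones
    awk '{ line = $0; out = ""
           while (length(line)) {
             if (c) { i = index(line, "-->"); if (!i) break
                      line = substr(line, i + 3); c = 0 }
             else   { i = index(line, "<!--")
                      if (!i) { out = out line; break }
                      out = out substr(line, 1, i - 1)
                      line = substr(line, i + 4); c = 1 } }
           print out }'
}

set_vars() {         # names assigned in $1/vars.xml
    strip_comments < "$1/vars.xml" |
        sed -n 's/.*<X-PRE-PROCESS[^>]*cmd="set"[^>]*data="\([A-Za-z0-9_-]*\)=.*/\1/p'
}

unreferenced_vars() {  # $1 = conf directory; prints one unused name per line
    conf=$1
    all=$(find "$conf" -name '*.xml' -exec cat {} + | strip_comments)
    for v in $(set_vars "$conf"); do
        printf '%s\n' "$all" | grep -qF "\$\${$v}" || printf '%s\n' "$v"
    done
}

make_sample_conf() { # constructed sample: tls-cert-dir is commented out
    mkdir -p "$1/sip_profiles"
    cat > "$1/vars.xml" <<'EOF'
<include>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
</include>
EOF
    cat > "$1/sip_profiles/internal.xml" <<'EOF'
<profile name="internal">
  <settings>
    <param name="tls" value="$${internal_ssl_enable}"/>
    <!--<param name="tls-cert-dir" value="$${internal_ssl_dir}"/>-->
  </settings>
</profile>
EOF
}

demo() {
    d=$(mktemp -d) && make_sample_conf "$d" && unreferenced_vars "$d"
    rm -rf "$d"
}
demo
```

On a real install, `unreferenced_vars /usr/local/freeswitch/conf` lists the variables that are defined but unused; once the `tls-cert-dir` param is uncommented in the profile, `internal_ssl_dir` drops off the list.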