[Freeswitch-users] Freeswitch + TLS with a commercial certificate
Iskren Hadzhinedev
iskren.hadzhinedev at ikiji.com
Wed Jan 8 20:19:14 MSK 2014
Problem was a garbled certificate chain. Browsers validate it fine,
because they have the needed root/chain certificates from vendors preinstalled. SIP phones/softphones don't.
Bottom line, TLS will work when the command
openssl verify -CAfile /etc/freeswitch/ssl/cafile.pem /etc/freeswitch/ssl/agent.pem
returns "agent.pem: OK".
Hope this helps someone.
Cheers,
--
Iskren Hadzhinedev
System Administrator
The Idea Factory | 20 Mearns Street | Aberdeen | AB11 5AT | UK
T: 01224 607500
VAT Reg No: 982 4936 74. Company registered in Scotland, SC237116
On Tuesday 07 January 2014 18:46:01 Iskren Hadzhinedev wrote:
> Hello.
> I've attached the tport log.
> This is the output from a single attempt to connect to freeswitch with TLS
> enabled. Thank you,
>
> > hi, enable tport log on freeswitch and post these logs ...
> >
> > On Thu, Jan 2, 2014 at 11:23 PM, Iskren Hadzhinedev <iskren.hadzhinedev at ikiji.com> wrote:
> > > Greetings.
> > >
> > > I'm unable to set up TLS and SRTP. I have a valid certificate from
> > > GlobalSign and my setup is currently the following:
> > >
> > > My certificate and key (merged with cat keyfile certfile > agent.pem) in
> > > /opt/freeswitch/conf/ssl/agent.pem
> > >
> > > The GlobalSign root certificate is in
> > > /opt/freeswitch/conf/ssl/cafile.pem
> > >
> > > I edited vars.xml as instructed from
> > > http://wiki.freeswitch.org/wiki/SIP_TLS#Configuration
> > >
> > > I tried running with tlsv1 and sslv23 in vars.xml, verified that FS is
> > > listening on ports 5061 and 5081 with netstat -nltp | grep freeswitch
> > >
> > > Also I get TLS listeners with "sofia status" so it should be working.
> > > Connecting to ports 5061 and 5081 with openssl s_client -connect
> > > freeswitch.lan:<port> is successful,
> > > but I get a 'Verify return code: 21 (unable to verify the first
> > > certificate)'. Running nginx with the agent.pem as a certificate is
> > > working without any issues.
> > >
> > > When I try to connect to Freeswitch via TLS with Bria and Linphone 3.6.1
> > > I get errors 408 or 503 and I don't see any output in the freeswitch
> > > console where I enabled sofia siptrace globally.
> > >
> > > What is the correct way to set up Freeswitch with a commercial
> > > certificate in order to enable TLS and SRTP?
> > >
> > > Thank you!
> > >
> > > Kind regards,
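As an added illustration of the check in the reply above (this is not code from the thread or from FreeSWITCH): the script below builds a constructed root -> intermediate -> leaf chain and shows that "openssl verify -CAfile cafile.pem agent.pem" only reports OK once the intermediate is present in cafile.pem, which is exactly the "garbled chain" failure mode. All names, paths and the demo PKI are made up; it assumes an openssl binary of 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example, not from the thread: constructed root -> intermediate -> leaf chain.
set -eu

# Generate the demo PKI in directory $1 (all names are made up).
make_demo_pki() {
    d=$1
    mkdir -p "$d"
    # Minimal req config so the script does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Self-signed root CA (stands in for the vendor root).
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Demo Root' -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA signed by the root (the piece a "garbled" chain leaves out).
    openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate.
    openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=freeswitch.lan' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    # agent.pem as in the thread: private key followed by the certificate.
    cat "$d/leaf.key" "$d/leaf.pem" > "$d/agent.pem"
    # Two cafile.pem candidates: root only (incomplete) and root + intermediate (complete).
    cp "$d/root.pem" "$d/cafile-root-only.pem"
    cat "$d/root.pem" "$d/int.pem" > "$d/cafile-full.pem"
}

# The check from the reply: succeeds only if openssl prints "<agent>: OK".
# $1 = cafile.pem, $2 = agent.pem
check_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo run: the root-only cafile fails (issuer missing), the full one passes.
demo=$(mktemp -d)
make_demo_pki "$demo"
for ca in cafile-root-only.pem cafile-full.pem; do
    if check_chain "$demo/$ca" "$demo/agent.pem"; then
        echo "$ca: agent.pem verifies OK"
    else
        echo "$ca: agent.pem does NOT verify (intermediate missing?)"
    fi
done
rm -rf "$demo"
```

The same check_chain call against the real /etc/freeswitch/ssl/cafile.pem and agent.pem is what the reply says must pass before SIP phones will complete the TLS handshake.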