[Freeswitch-users] SSL cert required fields

sangdrax8 sangdrax8 at gmail.com
Tue Jul 29 19:09:35 MSD 2014


I'll read through the documentation and see if I can fix it!

The agent.pem and the cafile.pem that I am using are working just fine on
my current freeswitch build.  I am certain I have the server cert, the
dates/times are valid still, and the files have the correct permissions.
In the latest head they no longer work.  Since the ones generated by the
script do work, I was hoping someone knew that there is now a required
field that I should be adding.  The fields that I listed I thought were all
optional, but I'll look through the documentation and try again.


On Tue, Jul 29, 2014 at 11:01 AM, Brian West <brian at freeswitch.org> wrote:

> It sounds like you used the CA cert as your certificate instead of
> creating one.
>
> I would highly recommend you read this:
>
>
> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
>
> gen_tls should work also, but I had to do these steps last week as
> everyone kept reporting that they couldn't use their self-signed certs, so
> I did a little how-to on setting up a CA from scratch that would work.
>
>
> On Tue, Jul 29, 2014 at 8:36 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>
>> I am not sure I follow, if you could elaborate any more?  I was following
>> https://wiki.freeswitch.org/wiki/SIP_TLS#Configuration and using the
>> provided gentls_cert script.  I believe this creates a CA (if one wasn't
>> already created) and then generates and signs certificates.  Finally it
>> outputs everything needed into the agent.pem and cafile.pem files.  Since
>> these work, I assume these are the correct type of cert? (Not positive
>> where WSS comes into play).
>>
>> My only issue is when I use my existing certificates that I am using on
>> my current freeswitch, I do not get a certificate passed to the client.
>> Looking at sofia status shows the profile started with (TLS) after it.  If
>> I just swap out my certs for the ones the script generated, and restart,
>> everything works again.  So I assume there is some requirement that has
>> changed for certs, but I can't figure out what it is wanting.
>>
>> Using the script for my test/dev works just fine, but when I go to
>> replace my running machines I would like to use the existing certs.  If I
>> need to recreate them to add something to the cert, I can do that as well,
>> but I will need to do it with the CA I have been using so I need to figure
>> out what options I am missing (assuming that is my problem).
>>
>>
>> On Mon, Jul 28, 2014 at 5:23 PM, Brian West <brian at freeswitch.org> wrote:
>>
>>> The one generated for DTLS isn't the same one you would setup for your
>>> WSS connectivity.
>>>
>>>
>>> On Mon, Jul 28, 2014 at 2:10 PM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>>>
>>>> I can get my latest freeswitch to run TLS profiles if I use the
>>>> provided scripts to generate the CA and the server certs, but not with my
>>>> own certs.  The TLS profile does start with my cert, but when I connect, it
>>>> does not provide a cert to the client.
>>>>
>>>> The only differences I can see in the server cert are the following
>>>> fields:
>>>>
>>>> X509v3 Authority Key Identifier:
>>>>     DirName:/CN=FreeSWITCH CA/O=FreeSWITCH
>>>>     serial:91:F9:22:5D:22:38:6B:09
>>>>
>>>> X509v3 Subject Alternative Name:
>>>>     DNS:test.freeswitch.org
>>>> Netscape Cert Type:
>>>>     SSL Server
>>>> X509v3 Extended Key Usage:
>>>>     TLS Web Server Authentication
>>>>
>>>>
>>>> As I understand it, the Netscape and Usage designations are not used by
>>>> freeswitch at this time.  So I wouldn't expect them to cause an issue,
>>>> unless this has changed since the documentation was written.
>>>>
>>>> I have the x509v3 Authority Key Identifier, with a keyid field, but I
>>>> don't have these other two fields which the script puts.  Are these
>>>> required?
>>>>
>>>> I also do not have an Alt name defined in my cert, but I wouldn't have
>>>> thought this would be a required field either.
>>>>
>>>> I can't find anything else that appears different to me.  If someone
>>>> can clarify what is required for Freeswitch to use a cert, it would be
>>>> greatly appreciated!
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> 
>>>> 
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://wiki.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Brian West*
>>> brian at freeswitch.org
>>>
>>>
>>> *Twitter: @FreeSWITCH , @briankwest*
>>> http://www.freeswitchbook.com
>>> http://www.freeswitchcookbook.com
>>>
>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
>
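The thread compares a hand-made server certificate against the one gentls_cert emits and points at the most common mistake (handing FreeSWITCH the CA certificate as the server certificate). The script below is an added example, not code from the thread, from gentls_cert, or from the FreeSWITCH project: it builds a small CA and a server certificate carrying the four extensions the poster listed (Authority Key Identifier with issuer DirName and serial, Subject Alternative Name, Netscape Cert Type, Extended Key Usage serverAuth), writes agent.pem and cafile.pem in the layout the thread describes (server cert followed by its private key; CA cert on its own), and checks a candidate agent.pem before it is deployed. It assumes `openssl` 1.1.1 or newer on PATH; the CA name, the hostname and the `FS_HOST`/`CERT_DIR` variables are placeholders. The thread does not settle which of those extensions the newer FreeSWITCH build actually requires, so the extension check is a diff helper against gentls_cert's output rather than a statement of FreeSWITCH's requirements; the CA:TRUE, chain and key-match checks are the ones that catch a genuinely wrong file.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeSWITCH project.
# Builds a small CA plus a server certificate carrying the extensions the
# poster saw in gentls_cert's output, writes agent.pem / cafile.pem in the
# layout the thread describes, and sanity-checks a candidate cert.
# Assumes: `openssl` 1.1.1 or newer on PATH; CA name and hostname below
# are placeholders.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
FS_HOST="${FS_HOST:-test.freeswitch.org}"   # placeholder, as in the thread's example cert

make_certs() {
    cd "$CERT_DIR"

    # 1. Self-signed CA. CA:TRUE is what makes this file unusable as the
    #    server certificate, which is the mix-up Brian suspected.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example FreeSWITCH CA/O=Example" \
        -keyout ca.key -out ca.csr >/dev/null 2>&1
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
        -extfile ca.ext -out cafile.pem >/dev/null 2>&1

    # 2. Server key and CSR.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$FS_HOST/O=Example" \
        -keyout agent.key -out agent.csr >/dev/null 2>&1

    # 3. End-entity extensions: the four the thread compared (AKI with
    #    issuer DirName + serial, SAN, nsCertType, EKU serverAuth) plus
    #    CA:FALSE so the file can never be mistaken for a CA.
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'authorityKeyIdentifier=keyid,issuer:always' \
        'subjectKeyIdentifier=hash' \
        "subjectAltName=DNS:$FS_HOST" \
        'nsCertType=server' \
        'extendedKeyUsage=serverAuth' \
        'keyUsage=digitalSignature,keyEncipherment' > agent.ext
    openssl x509 -req -in agent.csr -CA cafile.pem -CAkey ca.key \
        -CAcreateserial -days 825 -sha256 -extfile agent.ext \
        -out agent.crt >/dev/null 2>&1

    # 4. agent.pem = server certificate followed by its private key.
    cat agent.crt agent.key > agent.pem
    chmod 600 ca.key agent.key agent.pem
}

# check_server_cert CERT CAFILE: returns 0 when CERT is an end-entity cert
# that chains to CAFILE, carries the extensions gentls_cert emits, and
# matches the private key stored alongside it. Prints the first failure.
check_server_cert() {
    cert="$1"; ca="$2"
    text=$(openssl x509 -in "$cert" -noout -text)

    case "$text" in
        *"CA:TRUE"*) echo "REJECT: $cert is a CA certificate, not a server certificate"; return 1 ;;
    esac
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "REJECT: $cert does not chain to $ca"; return 1
    fi
    # Extensions present in gentls_cert's output; a miss here is a difference
    # to investigate, not proof that FreeSWITCH requires the field.
    for ext in "Subject Alternative Name" "Authority Key Identifier" \
               "TLS Web Server Authentication"; do
        case "$text" in
            *"$ext"*) ;;
            *) echo "DIFF: $cert lacks $ext (gentls_cert output has it)"; return 1 ;;
        esac
    done
    # The private key in the same file must belong to the certificate.
    pub_cert=$(openssl x509 -in "$cert" -noout -pubkey)
    pub_key=$(openssl pkey -in "$cert" -pubout 2>/dev/null) || {
        echo "REJECT: no private key found in $cert"; return 1; }
    [ "$pub_cert" = "$pub_key" ] || {
        echo "REJECT: key in $cert does not match its certificate"; return 1; }
    echo "OK: $cert"
}

# Stand-alone run: sh mkcerts.sh demo
if [ "${1:-}" = "demo" ]; then
    make_certs
    check_server_cert "$CERT_DIR/agent.pem" "$CERT_DIR/cafile.pem"
    openssl x509 -in "$CERT_DIR/agent.pem" -noout -text \
        | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
fi
```

Run with `sh mkcerts.sh demo` and compare the printed extension block against `openssl x509 -in agent.pem -noout -text` for the certificate you actually want to deploy; to reissue from an existing CA, point `-CA`/`-CAkey` in step 3 at that CA's files and keep the `agent.ext` lines, which is what the thread's poster would need to do to regenerate from his own CA.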