[Freeswitch-users] SSL cert required fields

sangdrax8 sangdrax8 at gmail.com
Tue Jul 29 20:43:27 MSD 2014


It would appear that the x509v3 Extended Key Usage for serverAuth is
needed. (extendedKeyUsage=serverAuth)

My current certificates that I use with freeswitch do not set this, and
work just fine with the version I am running. I never set it since the
documentation indicates that freeswitch will not use it anyway.  With the
latest head, freeswitch will still start with my certs, but when you
connect it does not return a cert to the client.  After re-generating a
test certificate and only adding the above additional extension, freeswitch
now will provide a certificate to my client.

Since this extension must exist, is it still true that it doesn't actually
perform checks with it?  There are cases where I use a specific profile for
connecting to another freeswitch.  In that case the profile could be a
server if it is inbound from the other switch, or it could be a client if I
am placing an outbound call to that switch.



On Tue, Jul 29, 2014 at 11:09 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:

> I'll read through the documentation and see if I can fix it!
>
> The agent.pem and the cafile.pem that I am using are working just fine on
> my current freeswitch build.  I am certain I have the server cert, the
> dates/times are valid still, and the files have the correct permissions.
>  In the latest head they no longer work.  Since the ones generated by the
> script do work, I was hoping someone knew that there is now a required
> field that I should be adding.  The fields that I listed I thought were all
> optional, but I'll look through the documentation and try again.
>
>
> On Tue, Jul 29, 2014 at 11:01 AM, Brian West <brian at freeswitch.org> wrote:
>
>> It sounds like you used the CA cert as your certificate instead of
>> creating one.
>>
>> I would highly recommend you read this:
>>
>>
>> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
>>
>> gen_tls should work also, but I had to do these steps last week as
>> everyone kept reporting that they couldn't use their self signed certs, So
>> I did a little how to on setting up a CA from scratch that would work.
>>
>>
>> On Tue, Jul 29, 2014 at 8:36 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>>
>>> I am not sure I follow, if you could elaborate any more?  I was
>>> following https://wiki.freeswitch.org/wiki/SIP_TLS#Configuration and
>>> using the provided gentls_cert script.  I believe this creates a CA (if one
>>> wasn't already created) and then generates and signs certificates.  Finally
>>> it outputs everything needed into the agent.pem and cafile.pem files.  Since
>>> these work, I assume these are the correct type of cert? (Not positive
>>> where WSS comes into play).
>>>
>>> My only issue is when I use my existing certificates that I am using on
>>> my current freeswitch, I do not get a certificate passed to the client.
>>>  Looking at sofia status shows the profile started with (TLS) after it.  If
>>> I just swap out my certs for the ones the script generated, and restart,
>>> everything works again.  So I assume there is some requirement that has
>>> changed for certs, but I can't figure out what it is wanting.
>>>
>>> Using the script for my test/dev works just fine, but when I go to
>>> replace my running machines I would like to use the existing certs.  If I
>>> need to recreate them to add something to the cert, I can do that as well,
>>> but I will need to do it with the CA I have been using so I need to figure
>>> out what options I am missing (assuming that is my problem).
>>>
>>>
>>> On Mon, Jul 28, 2014 at 5:23 PM, Brian West <brian at freeswitch.org>
>>> wrote:
>>>
>>>> The one generated for DTLS isn't the same one you would setup for your
>>>> WSS connectivity.
>>>>
>>>>
>>>> On Mon, Jul 28, 2014 at 2:10 PM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>>>>
>>>>> I can get my latest freeswitch to run TLS profiles if I use the
>>>>> provided scripts to generate the CA and the server certs, but not with my
>>>>> own certs.  The TLS profile does start with my cert, but when I connect, it
>>>>> does not provide a cert to the client.
>>>>>
>>>>> The only differences I can see in the server cert are the following
>>>>> fields:
>>>>>
>>>>> X509v3 Authority Key Identifier:
>>>>>     DirName:/CN=FreeSWITCH CA/O=FreeSWITCH
>>>>>     serial:91:F9:22:5D:22:38:6B:09
>>>>>
>>>>> X509v3 Subject Alternative Name:
>>>>>     DNS:test.freeswitch.org
>>>>> Netscape Cert Type:
>>>>>     SSL Server
>>>>> X509v3 Extended Key Usage:
>>>>>     TLS Web Server Authentication
>>>>>
>>>>>
>>>>> As I understand it, the Netscape and Usage designations are not used
>>>>> by freeswitch at this time.  So I wouldn't expect them to cause an issue,
>>>>> unless this has changed since the documentation was written.
>>>>>
>>>>> I have the x509v3 Authority Key Identifier, with a keyid field, but I
>>>>> don't have these other two fields which the script puts.  Are these
>>>>> required?
>>>>>
>>>>> I also do not have an Alt name defined in my cert, but I wouldn't have
>>>>> thought this would be a required field either.
>>>>>
>>>>> I can't find anything else that appears different to me.  If someone
>>>>> can clarify what is required for Freeswitch to use a cert, it would be
>>>>> greatly appreciated!
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> 
>>>>> 
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://wiki.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Brian West*
>>>> brian at freeswitch.org
>>>>
>>>>
>>>> *Twitter: @FreeSWITCH , @briankwest*
>>>> http://www.freeswitchbook.com
>>>> http://www.freeswitchcookbook.com
>>>>
>>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>>
>>>>
>>>>
>>>
>>
>>
>
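Worked example, added here and not part of the thread or of the FreeSWITCH project's gentls_cert script: what the top of the thread arrives at, re-issuing a server certificate under a CA you already have so that it carries the X509v3 Extended Key Usage for TLS Web Server Authentication (extendedKeyUsage=serverAuth), together with the subjectAltName and nsCertType fields the script-generated cert showed, and then checking an existing certificate for that extension before swapping it into a profile. It assumes the openssl command line is on PATH; the self-signed "Demo CA", the hostname sip.example.com, the working directory and the file names are all constructed for the demonstration and stand in for the reader's own CA and files.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeSWITCH project:
# re-issue a server certificate from an existing CA so that it carries the
# X509v3 Extended Key Usage "serverAuth" (plus a SAN and nsCertType, the other
# fields the gentls_cert-generated cert showed), then check the extension is
# really present before the file goes anywhere near a sofia profile.
# Assumes: the openssl CLI is on PATH. The CA below is a constructed,
# throwaway self-signed one standing in for "the CA I have been using"; HOST,
# the directory layout and the file names are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-sip.example.com}"          # constructed hostname for CN and SAN
EKU="${EKU:-serverAuth}"                 # set EKU="serverAuth, clientAuth" for a
                                         # profile that both accepts and places
                                         # TLS calls; clientAuth is the standard
                                         # RFC 5280 purpose, not a requirement
                                         # the thread states FreeSWITCH enforces
CA_KEY="$WORK/ca.key"
CA_CERT="$WORK/ca.crt"

# Constructed stand-in for an existing CA. With a real CA, skip this and point
# CA_KEY/CA_CERT at the key and certificate you already sign with.
make_demo_ca() {
  openssl req -x509 -batch -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo CA/O=Demo" -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1
}

# Issue a server cert: CSR from a fresh key, then sign it with the CA while
# attaching the extensions from an -extfile (the CSR itself carries none, so
# whatever is in this file is what ends up in the certificate).
make_server_cert() {
  openssl req -new -batch -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST/O=Demo" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1

  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $EKU
subjectAltName = DNS:$HOST
nsCertType = server
EOF

  openssl x509 -req -sha256 -days 825 \
    -in "$WORK/server.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1

  # One PEM holding certificate and key, the shape the thread describes for
  # the script-generated agent.pem.
  cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/agent.pem"
  chmod 600 "$WORK/agent.pem" "$WORK/server.key"
}

# Exit 0 if the first certificate in $1 lists TLS Web Server Authentication
# under X509v3 Extended Key Usage, 1 otherwise. Run this on an existing
# agent.pem before looking anywhere else in the profile configuration.
has_server_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk '/X509v3 Extended Key Usage/ { grab = 1; next } grab { print; exit }' |
    grep -q 'TLS Web Server Authentication'
}

make_demo_ca
make_server_cert

if has_server_auth "$WORK/server.crt"; then
  echo "server.crt: extendedKeyUsage=serverAuth present"
else
  echo "server.crt: extendedKeyUsage=serverAuth MISSING" >&2
  exit 1
fi
# The demo CA certificate carries no EKU at all, so the same check must fail
# on it; that is the negative case a cert signed without the extension hits.
if has_server_auth "$CA_CERT"; then
  echo "ca.crt unexpectedly carries serverAuth" >&2
  exit 1
fi
echo "files in $WORK: agent.pem (cert+key), ca.crt (for cafile.pem)"
```

To audit the certificates already deployed on a running box, only `has_server_auth /path/to/agent.pem` is needed; the two make_ functions are there so the example runs end to end without touching a real CA.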