[Freeswitch-users] SIP Contact Header Issue When Using TLS
Kristian Kielhofner
kris at kriskinc.com
Mon Mar 31 23:28:59 MSD 2014
On Mon, Mar 31, 2014 at 3:15 PM, JP <jaykris at gmail.com> wrote:
> This is what I had to do to get TLS working for me...
>
>
> In order to get client authenticated TLS to work between 2 FreeSWITCH
> servers, I had to add a "transport=tls" parameter to the dial string of the
> outbound call:
>
>
>
> ex. sofia/sip-ua/sips:10.191.210.23:5081;transport=tls
>
>
>
> Without this parameter, the UAC does not add a "transport=tls" parameter to
> the contact address of its initial INVITE request. This seems to cause the
> UAS to try to send all its subsequent requests (such as a BYE) over UDP
> instead of TLS.
This is normal.
> Also, generating the public certificate and private key store files using
> FreeSWITCH's "gentls_cert" script as described in
> "http://wiki.freeswitch.org/wiki/SIP_TLS" won't work by default for client
> authenticated TLS. This is because the script generates the certs with
> attributes making them specific for either the server side or client side of
> a TLS handshake. The TLS handshake will fail Purpose Validation if you try
> to configure a UAC with a cert that was generated specifically for a server.
> To get around this, I had to comment out the "nsCertType" and
> "extendedKeyUsage" attributes from the "gentls_cert" script.
This is strange. What was on the other side?
nsCertType checking is largely deprecated (only OpenVPN uses it
AFAIK). Typically the standard client and server OIDs are used
instead:
http://www.openssl.org/docs/apps/x509.html#CERTIFICATE_EXTENSIONS
IIRC the FreeSWITCH gentls_cert script properly sets both client and
server purpose, which is what you would expect because the cert is set
on a per profile basis and depending on call direction any given
profile can be a SIP UAS or SIP UAC.
--
Kristian Kielhofner
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list