[Freeswitch-users] tls-verify-policy in internal.xml
Brian May
brian at linuxpenguins.xyz
Mon Dec 28 12:30:19 MSK 2015
Yücel ALTUNAY <is.yaltunay at gmail.com> writes:
> I am using tls + srtp without tls-verify-policy=all in internal.xml. I use
> tls-verify-policy none or out. If I set it to all I can't connect to
> freeswitch.
> When I set it to all and capture the network with wireshark I get "TLSv1 Alert
> (Level: Fatal, Description: Unknown CA)". On the client I am using the csipsimple
> nightly build version.
Is the client or the server complaining that the CA is unknown?
Was this a self-signed certificate for Freeswitch? If so, this might be
a problem, I don't know if you can set up certificates with CSIPsimple (I
don't have the latest nightly release however).
I tried recently getting CSIPsimple working with TLS, but
failed.
Not sure this means anything however, as TLS failed to work with other
clients I tried too :-( - it looks like the server is unhappy
(freeswitch debug log reports SSL error code 5 IIRC), however I can't
see any reason why the server should be unhappy.
openssl s_client reports no problems:
openssl s_client -showcerts -connect sip.hostname:5061 -CAfile ~/cafile.pem
I believe I have (hopefully) set up freeswitch not to require a client
side certificate, but just in case I passed one through anyway. It
didn't help.
In addition, old versions of SFLPhone have problems with audio breaking
up when transmitted to the remote caller (I posted about this a while
back and got no responses) while new versions fail to authenticate with
Freeswitch (spent ages trying to work this out but got nowhere).
--
Brian May <brian at linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
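
An added example, not part of the original message: a Python sketch that answers the client-or-server question from captured TCP payloads by locating plaintext TLS alert records and attributing each one to its sender. The sample segments, the client port 40000 and the function names are constructed for illustration; port 5061 is taken from the s_client command above.

```python
import struct

# Alert constants from RFC 5246, section 7.2
ALERT_RECORD = 21
LEVELS = {1: "warning", 2: "fatal"}
# Alerts that mean "I refused the certificate you presented"
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
OTHER_ALERTS = {40: "handshake_failure"}
SIP_TLS_PORT = 5061


def parse_alerts(payload):
    """Yield (level, code) for each plaintext alert record in one TCP payload."""
    offset = 0
    while offset + 5 <= len(payload):
        ctype, _version, length = struct.unpack_from("!BHH", payload, offset)
        body = payload[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # record continues in a later segment
        # A plaintext alert body is exactly 2 bytes; after ChangeCipherSpec
        # alerts are encrypted, longer, and cannot be read from a capture.
        if ctype == ALERT_RECORD and length == 2:
            yield body[0], body[1]
        offset += 5 + length


def who_rejected(segments, server_port=SIP_TLS_PORT):
    """Return (sender, level, alert, whose_cert_was_rejected) per alert seen."""
    findings = []
    for src_port, _dst_port, payload in segments:
        sender = "server" if src_port == server_port else "client"
        peer = "client" if sender == "server" else "server"
        for level, code in parse_alerts(payload):
            name = CERT_ALERTS.get(code) or OTHER_ALERTS.get(code, f"alert_{code}")
            # The sender of a certificate alert is the side whose verification failed.
            rejected = peer if code in CERT_ALERTS else None
            findings.append((sender, LEVELS.get(level, f"level_{level}"), name, rejected))
    return findings


# Constructed capture: (src_port, dst_port, tcp_payload)
SERVER_HELLO_DONE = b"\x16\x03\x01\x00\x04\x0e\x00\x00\x00"
FATAL_UNKNOWN_CA = b"\x15\x03\x01\x00\x02\x02\x30"
SAMPLE_SEGMENTS = [(5061, 40000, SERVER_HELLO_DONE), (40000, 5061, FATAL_UNKNOWN_CA)]

if __name__ == "__main__":
    for finding in who_rejected(SAMPLE_SEGMENTS):
        print(finding)
```

In the constructed capture the alert travels from the client to port 5061, so it is the client that could not chain the server certificate to a CA it trusts; an alert in the other direction would mean the server refused the client certificate.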