[Freeswitch-users] tls-verify-policy in internal.xml

Brian May brian at linuxpenguins.xyz
Mon Dec 28 12:30:19 MSK 2015


Yücel ALTUNAY <is.yaltunay at gmail.com> writes:

> I am using tls + srtp without tls-verify-policy=all in internal.xml. I use
> tls-verify-policy none or out. If I set it to all I can't connect to
> freeswitch.
> When I set it to all and capture the network with wireshark I get "TLSv1  Alert
> (Level: Fatal, Description: Unknown CA)". On the client I am using the csipsimple
> nightly build version.

Is the client or the server complaining that the CA is unknown?

Was this a self-signed certificate for Freeswitch? If so, this might be
a problem, I don't know if you can set up certificates with CSIPsimple (I
don't have the latest nightly release however).

I tried recently getting CSIPsimple working with TLS, but
failed.

Not sure this means anything however, as TLS failed to work with other
clients I tried too :-( - it looks like the server is unhappy
(freeswitch debug log reports SSL error code 5 IIRC), however I can't
see any reason why the server should be unhappy.

openssl s_client reports no problems:
openssl s_client -showcerts -connect sip.hostname:5061 -CAfile ~/cafile.pem

I believe I have (hopefully) set up freeswitch not to require a client
side certificate, but just in case I passed one through anyway. It
didn't help.

In addition, old versions of SFLPhone have problems with audio breaking
up when transmitted to the remote caller (I posted about this a while
back and got no responses) while new versions fail to authenticate with
Freeswitch (spent ages trying to work this out but got nowhere).
-- 
Brian May <brian at linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
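
The question of which side is complaining can be answered from the capture: a certificate alert is sent by the peer that rejected the certificate it was shown. The following is an added example, not code from this thread or from FreeSWITCH; it decodes a plaintext TLS alert record and names the sender. The sample bytes are constructed to match the Wireshark line quoted above, port 5061 is taken from the s_client command as the assumed server port, and the function names are illustrative.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_LEVELS = {1: "Warning", 2: "Fatal"}
# Alerts a peer sends when it rejects the certificate it was shown (RFC 5246, 7.2.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}


def parse_alert(record: bytes) -> dict:
    """Decode one plaintext TLS alert record: 5-byte header plus 2-byte body."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21:
        raise ValueError(f"content type {ctype} is not an alert (21)")
    if length != 2 or len(record) < 7:
        raise ValueError("alert body is not 2 bytes (encrypted or truncated)")
    level, desc = record[5], record[6]
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "level": ALERT_LEVELS.get(level, str(level)),
            "description": CERT_ALERTS.get(desc, f"alert_{desc}"),
            "cert_rejected": desc in CERT_ALERTS}


def who_complains(record: bytes, src_port: int, server_port: int = 5061) -> str:
    """Name the side that sent the alert and what that implies."""
    alert = parse_alert(record)
    sender = "server" if src_port == server_port else "client"
    if not alert["cert_rejected"]:
        return f"{sender} sent {alert['description']}; not a certificate rejection"
    if sender == "server":
        return (f"server sent {alert['description']}: it verified the client's "
                "certificate and could not chain it to a CA it trusts")
    return (f"client sent {alert['description']}: it could not chain the "
            "server's certificate to a CA it trusts")


# Constructed sample matching the Wireshark line quoted in the thread:
# TLSv1 Alert (Level: Fatal, Description: Unknown CA)
SAMPLE = bytes.fromhex("15030100020230")

if __name__ == "__main__":
    print(parse_alert(SAMPLE))
    print(who_complains(SAMPLE, src_port=5061))   # frame came from FreeSWITCH
    print(who_complains(SAMPLE, src_port=49152))  # frame came from the phone
```

If the alert frame's source port is the server's, the fix is on the client certificate or the server's CA file; if it comes from the phone, the phone does not trust the CA that signed the server certificate.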


