[Freeswitch-users] So you wanna setup your own CA for WSS/SSL/TLS?

Nandy Dagondon nandy1925 at gmail.com
Thu Jul 2 06:54:39 MSD 2015


Tried pointing the "secure-chain" parameter to the (self-signed) CAcert.pem. The
same error code was returned: 21 (unable to verify ... ).


On Thu, Jul 2, 2015 at 10:47 AM, Nandy Dagondon <nandy1925 at gmail.com> wrote:

> Hi Luis,
>
> I'm aware of that.  I've dug into SSL/TLS certificates (just
> self-signed for my intranet setup) and WebRTC - one by one.  Now, all ports
> are listening for mod_verto: 8081, 8082 and 7443. However, the FS log shows
> error messages like:
>
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.
> 2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended
>
> Upon testing with openssl s_client, port 443 returned Verify code: 19
> (self signed certificate in certificate chain). But on port 7443, it's
> code: 21 (unable to verify the first certificate).  I encountered this same
> error code on port 443 before. Solution: added the self-signed CA certificate
> to my web server configuration.
>
> I think I can zero in on the solution - how to add the CA certificate to
> certs/wss.pem?
>
> Or ... the secure-chain parameter in verto.conf.xml, should point to the
> CA certificate file?
>       <param name="secure-combined" value="/usr/local/freeswitch/certs/wss.pem"/>
>       <param name="secure-chain" value="/usr/local/freeswitch/certs/wss.pem"/>
>
> Any input?
>
> Tks,
> /Nandy
>
> On Wed, Jul 1, 2015 at 10:13 PM, Luis Daniel Lucio Quiroz <
> luis.daniel.lucio at gmail.com> wrote:
>
>> More than a script, it would be better if you post minimum cert
>> requirements to let the FS work
>>
>> Luis Daniel Lucio Quiroz
>> CISSP, CISM, CISA
>> Linux, VoIP and much more fun
>> www.okay.com.mx
>>
>> Need LCR? Check out LCR for FusionPBX with FreeSWITCH
>> Need Billing? Check out Billing for FusionPBX with FreeSWITCH
>>
>> 2015-06-30 23:52 GMT-04:00 Nandy Dagondon <nandy1925 at gmail.com>:
>>
>>> Hi Brian,
>>>
>>> I used your script to generate the certificates to test mod_verto in an
>>> intranet setup. Questions on your script:
>>>
>>> 1) Is 4096 bits required? Or will 2048 bits work, too?
>>> 2) Examining certs/wss.pem, there should be a <chain> certificate at
>>> the end. But the script inputs only 2 - *.crt and *.key. What should be
>>> the 3rd?
>>>
>>> Tks,
>>> /Nandy
>>>
>>>
>>> On Sat, Jul 26, 2014 at 2:59 AM, Brian West <brian at freeswitch.org>
>>> wrote:
>>>
>>>> I've corrected the how-to and put it in tree:
>>>>
>>>>
>>>> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
>>>>
>>>> Importing the ca.crt into your system keychain for it to be trusted is
>>>> left to the end user to figure out.  If you can't do that step then you'll
>>>> kinda be SOL, I know on my Mac I just open ca.crt and it does the import
>>>> for me... Windows I suspect is similar as for Linux NO CLUE.
>>>>
>>>>
>>>> On Fri, Jul 25, 2014 at 1:53 PM, William King <
>>>> william.king at quentustech.com> wrote:
>>>>
>>>>> One correction inline, and did you have any luck getting chrome to work
>>>>> with the custom CA?
>>>>>
>>>>> William King
>>>>> Senior Engineer
>>>>> Quentus Technologies, INC
>>>>> 1037 NE 65th St Suite 273
>>>>> Seattle, WA 98115
>>>>> Main:   (877) 211-9337
>>>>> Office: (206) 388-4772
>>>>> Cell:   (253) 686-5518
>>>>> william.king at quentustech.com
>>>>>
>>>>> On 07/25/2014 08:12 AM, Brian West wrote:
>>>>> > Someone should probably turn this into a nice how-to:
>>>>> >
>>>>> > Here is how I did it.
>>>>> >
>>>>> > wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
>>>>> > tar zxfv ssl.ca-0.1.tar.gz
>>>>> > cd ssl.ca-0.1/
>>>>> > perl -i -pe 's/md5/sha1/g' *.sh
>>>>> > perl -i -pe 's/2048/2048/g' *.sh
>>>>> This is a noop. I assume it was supposed to be /2048/4096/ or
>>>>> /1024/2048/
>>>>> > ./new-root-ca.sh
>>>>> > ./new-server-cert.sh self.bkw.org
>>>>> > ./sign-server-cert.sh self.bkw.org
>>>>> > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/wss.pem
>>>>> >
>>>>> > Setup Apache:
>>>>> >
>>>>> > default-ssl:
>>>>> >
>>>>> > SSLCertificateFile    /usr/local/freeswitch/certs/wss.pem
>>>>> > SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
>>>>> > SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem
>>>>> >
>>>>> > Setup Sofia TLS:
>>>>> >
>>>>> > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/agent.pem
>>>>> > cat ca.crt > /usr/local/freeswitch/certs/cafile.pem
>>>>> >
>>>>> > vars.xml:
>>>>> >
>>>>> > <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>>>>> > <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>>>>> >
>>>>> > Restart FreeSWITCH.
>>>>> >
>>>>> > Now make sure your system has ca.crt imported so it will trust your
>>>>> > new found hotness.
>>>>> >
>>>>> > TEST:
>>>>> >
>>>>> > openssl s_client -connect self.bkw.org:443
>>>>> > openssl s_client -connect self.bkw.org:8082
>>>>> >
>>>>> >
>>>>> > Depending on what you've setup you'll see:
>>>>> >
>>>>> > subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web
>>>>> > Server/CN=self.bkw.org/emailAddress=brian at bkw.org
>>>>> >
>>>>> > issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang
>>>>> > Bang/OU=Certification Services Division/CN=WBB Root
>>>>> > CA/emailAddress=brian at bkw.org
>>>>> >
>>>>> > Or there abouts.
>>>>> >
>>>>> > --
>>>>> >
>>>>> > */Brian West/*
>>>>> > brian at freeswitch.org
>>>>> >
>>>>> >
>>>>> > */Twitter: @FreeSWITCH , @briankwest/*
>>>>> > http://www.freeswitchbook.com
>>>>> > http://www.freeswitchcookbook.com
>>>>> >
>>>>> > *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>>> > *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> _________________________________________________________________________
>>>>> > Professional FreeSWITCH Consulting Services:
>>>>> > consulting at freeswitch.org
>>>>> > http://www.freeswitchsolutions.com
>>>>> >
>>>>> > FreeSWITCH-powered IP PBX: The CudaTel Communication Server
>>>>> > http://www.cudatel.com
>>>>> >
>>>>> > Official FreeSWITCH Sites
>>>>> > http://www.freeswitch.org
>>>>> > http://wiki.freeswitch.org
>>>>> > http://www.cluecon.com
>>>>> >
>>>>> > FreeSWITCH-users mailing list
>>>>> > FreeSWITCH-users at lists.freeswitch.org
>>>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> > UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> > http://www.freeswitch.org
>>>>> >
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>
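The whole thread boils down to one procedure: make a root CA, issue a server certificate signed by it, concatenate certificate, key and chain into certs/wss.pem, and check the result with openssl before pointing FreeSWITCH (or Apache) at it. The script below is an added example, not code from the thread, from Brian's how-to or from the FreeSWITCH tree. The scratch directory WORK, the hostname HOST and the O/CN subject strings are placeholders; the bundle order (server cert, private key, then the CA chain) follows what the posts describe for wss.pem; and nothing here asserts what mod_verto's secure-chain parameter expects, which the thread leaves open. It needs only the openssl CLI (1.1.0 or newer for -no-CAfile/-no-CApath).

```shell
#!/bin/sh
# Added example (not from the thread or the FreeSWITCH tree): build a private
# CA, issue a server certificate signed by it, assemble a wss.pem bundle in the
# order the thread describes (server cert, private key, then the CA chain),
# and check the bundle with openssl before handing it to FreeSWITCH/Apache.
# Assumed placeholders: WORK (scratch dir), HOST (the server's DNS name) and
# the O/CN subject strings. Requires the openssl CLI (1.1.0 or newer).
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-self.example.test}"

# Root CA: 4096-bit RSA, SHA-256 signature, CA:TRUE marked critical.
# 2048 bits would work too; 4096 only follows the thread's script.
make_root_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Lab
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server cert: CSR with a fresh 2048-bit key, signed by the root above.
# subjectAltName is what Chrome matches the hostname against; a CN-only
# certificate is rejected by current browsers even when the CA is trusted.
make_server_cert() {
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # -config reuses the CA config so no system openssl.cnf is needed; -subj overrides its [dn]
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/O=Example Lab/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -sha256 -days 825 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# wss.pem = server cert + private key + chain (here just the root CA).
# "cat crt key > wss.pem" stops after the key; serving that leaf-only bundle is
# what makes s_client report 21 (unable to verify the first certificate)
# instead of 19 (self signed certificate in certificate chain).
assemble_wss_pem() {
  cat "$WORK/server.crt" "$WORK/server.key" "$WORK/ca.crt" > "$WORK/wss.pem"
  cp "$WORK/ca.crt" "$WORK/cafile.pem"   # the CA alone, for a separate CA/chain file
}

# Number of CERTIFICATE blocks in a PEM file: 1 means leaf only, no chain.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The private key in a bundle must belong to the first certificate in it.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' "$1" \
            | openssl pkey -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Path validation as a client does it: with no trusted CA the leaf fails; once
# ca.crt is trusted (the "import ca.crt into your keychain" step) it passes.
verify_leaf() {            # $1 = leaf cert, $2 = CA file, or "" for no trusted CA
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

make_root_ca
make_server_cert
assemble_wss_pem
echo "wrote $WORK/wss.pem with $(count_certs "$WORK/wss.pem") certificate blocks"
if verify_leaf "$WORK/server.crt" "$WORK/ca.crt"; then
  echo "server.crt verifies against ca.crt"
fi
```

After copying wss.pem into place and restarting FreeSWITCH, `openssl s_client -connect HOST:7443 -CAfile ca.crt` should end with verify return code 0; run without -CAfile it shows 19 when the chain is served and the CA is simply untrusted, and 21 when only the leaf is served. That distinction is the quickest way to tell "chain missing from the bundle" apart from "CA not imported on the client".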

