[Freeswitch-users] TLS and 5061 doesn't seem to work
Michael Nielsen
mic.niel84 at gmail.com
Tue Sep 15 23:14:49 MSD 2015
I ran global_getvar certs_dir and got "/etc/freeswitch/tls".
My tls directory contains the following (created by gentls_cert):
CA/
agent.pem
cafile.pem
Setting internal_ssl_enable=true still fails FS with Error Creating SIP UA
for profile: internal-ipv6 (sip:mod_sofia@[::1]:5060;transport=udp,tcp)
ATTEMPT 1 (RETRY IN 5 SEC)
Setting it to false and everything works again.
On Tue, Sep 15, 2015 at 3:28 PM, Ítalo Rossi <italo at freeswitch.org> wrote:
> If you enable internal_ssl_enable then your sip profile will set tls=true
> (vanilla config) and FreeSWITCH will look for certificates in
> $${certs_dir}, which is created dynamically. (/usr/local/freeswitch/certs
> if you compiled or /etc/freeswitch/certs if you installed from packages)
>
> global_getvar certs_dir will output the current value for this var, put
> your certs there in the right format and see if your profile starts.
>
> On Tue, Sep 15, 2015 at 8:42 AM, Michael Nielsen <mic.niel84 at gmail.com>
> wrote:
>
>> Nothing is running on port 5060 and blocking this. When setting the
>>
>> internal_ssl_enable=true
>>
>> it doesn't work, when setting this to false everything works.
>> Netstat doesn't show anything on port 5060... or 5061.
>>
>> On Tue, Sep 15, 2015 at 9:36 AM, Michael Nielsen <mic.niel84 at gmail.com>
>> wrote:
>>
>>> wss-binding is not set - looking in internal.xml and running grep after
>>> wss-binding does not find anything.
>>> Looking at $${internal_ssl_dir} I'm not able to find where this is.
>>> grep'ing after internal_ssl_dir doesn't find anything.
>>>
>>> I'm running freeswitch as freeswitch user - so I guess the same user
>>> should be on the certificates.
>>>
>>> On Mon, Sep 14, 2015 at 10:55 PM, Thomas <lists at virtues.net> wrote:
>>>
>>>> The "none" option for the policy is part of the old standard config, no
>>>> idea why it doesn't work (anymore?). Seen that error a lot, but it never
>>>> prevented the profile from setting up the socket.
>>>>
>>>> You sure none of these ports are already in use? (netstat -lpn) Does
>>>> the box have an IPv6 interface? Is 159.122.89.10 configured on any
>>>> interface?
>>>>
>>>> If you did not get this error and the SIP profiles were loading
>>>> properly before your TLS changes, revert and do it step by step. You can
>>>> issue a "reload mod_sofia" to test the new config without restarting FS.
>>>>
>>>>
>>>>
>>>> On 14.09.2015 17:21, Michael Nielsen wrote:
>>>>
>>>> none, but I've also tried with in.
>>>>
>>>> On Monday, September 14, 2015, Ítalo Rossi <italo at freeswitch.org> wrote:
>>>>
>>>>> What do you have in your tls-verify-policy?
>>>>>
>>>>> Check the valid values here:
>>>>> https://freeswitch.org/confluence/display/FREESWITCH/Sofia+Configuration+Files#SofiaConfigurationFiles-Settings
>>>>>
>>>>> On Mon, Sep 14, 2015 at 10:23 AM, Michael Nielsen <
>>>>> mic.niel84 at gmail.com> wrote:
>>>>>
>>>>>> When doing so I get the following error in fs_cli:
>>>>>>
>>>>>> 2015-09-14 08:23:24.120749 [ERR] sofia_glue.c:329 Invalid
>>>>>> tls-verify-policy value: none
>>>>>>
>>>>>> 2015-09-14 08:23:24.160528 [ERR] sofia.c:2935 Error Creating SIP UA
>>>>>> for profile: internal-ipv6 (sip:mod_sofia@[::1]:5060;transport=udp,tcp)
>>>>>> ATTEMPT 1 (RETRY IN 5 SEC)
>>>>>>
>>>>>> 2015-09-14 08:23:24.180781 [ERR] sofia.c:2935 Error Creating SIP UA
>>>>>> for profile: internal (
>>>>>> sip:mod_sofia@159.122.89.10:5060;transport=udp,tcp) ATTEMPT 1 (RETRY
>>>>>> IN 5 SEC)
>>>>>>
>>>>>> And then sofia status only shows port 5080 running...
>>>>>>
>>>>>> On Mon, Sep 14, 2015 at 9:01 AM, Michael Nielsen <
>>>>>> mic.niel84 at gmail.com> wrote:
>>>>>>
>>>>>>> I'm running this clean installation of FS:
>>>>>>> https://github.com/voxserv/freeswitch_conf_minimal
>>>>>>>
>>>>>>> Everything seems to work and I would now like to add TLS and SRTP
>>>>>>> encryption - for use on public WiFi and such.
>>>>>>>
>>>>>>> I've tried the following from this
>>>>>>> <http://wiki.freeswitch.org/wiki/SIP_TLS#TLS.2C_SSL_and_SRTP_Encryption>:
>>>>>>>
>>>>>>> ./gentls_cert setup -cn pbx.freeswitch.org -alt DNS:pbx.freeswitch.org -org freeswitch.org
>>>>>>> ./gentls_cert create_server -cn pbx.freeswitch.org -alt DNS:pbx.freeswitch.org -org freeswitch.org
>>>>>>>
>>>>>>> And in vars.xml:
>>>>>>>
>>>>>>> <X-PRE-PROCESS cmd="set" data="sip_tls_version=sslv23"/>
>>>>>>> <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>>>>>>>
>>>>>>> Of course with my own domain when generating certificates.
>>>>>>>
>>>>>>> Restarting FS and trying to connect to 5061 over TLS doesn't work.
>>>>>>> Looking in fs_cli with debug 7 doesn't output anything when the
>>>>>>> client tries to connect.
>>>>>>>
>>>>>>> How to debug or does anyone know what's wrong? My certificates are
>>>>>>> generated automatically in /usr/conf/ssl.
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>> consulting at freeswitch.org
>>>>>> http://www.freeswitchsolutions.com
>>>>>>
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org
>>>>>> http://confluence.freeswitch.org
>>>>>> http://www.cluecon.com
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:
>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Ítalo Rossi
>>>>> italo at freeswitch.org
>>>>>
>
>
>
> --
> Ítalo Rossi
> italo at freeswitch.org
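An added example, not part of the original thread and not a FreeSWITCH tool: a shell check for the certificate-directory questions raised above (whether the directory reported by `global_getvar certs_dir` holds `agent.pem` and `cafile.pem`, whether they are readable, and whether they are in the expected format). The function name `check_fs_tls_dir` is hypothetical, and the expectation that `agent.pem` bundles the certificate with its private key is an assumption about the layout gentls_cert produces.

```shell
#!/bin/sh
# Added example: sanity-check a FreeSWITCH TLS certificate directory.
# check_fs_tls_dir is a hypothetical helper, not a FreeSWITCH tool.
# Assumption: agent.pem holds the server certificate AND its private key,
# cafile.pem holds the CA certificate (the layout gentls_cert produces).

check_fs_tls_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    for f in agent.pem cafile.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing"; rc=1
        elif [ ! -r "$dir/$f" ]; then
            # Readability is tested for the user running this script.
            echo "FAIL: $dir/$f is not readable by $(id -un)"; rc=1
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/$f"; then
            echo "FAIL: $dir/$f has no PEM certificate block"; rc=1
        fi
    done
    # The TLS listener needs the private key as well as the certificate.
    if [ -r "$dir/agent.pem" ] &&
       ! grep -Eq -e '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$dir/agent.pem"; then
        echo "FAIL: $dir/agent.pem has no private key block"; rc=1
    fi
    # The private key should not be readable by every local user.
    if [ -f "$dir/agent.pem" ] && [ -n "$(find "$dir/agent.pem" -perm -004)" ]; then
        echo "WARN: $dir/agent.pem is world-readable"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir looks usable"
    return "$rc"
}
```

Run it as the account FreeSWITCH runs under, for example `check_fs_tls_dir /etc/freeswitch/tls`, using the path that `global_getvar certs_dir` reports.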