[Freeswitch-users] multiple sip profiles

Andrew Cassidy andrew at cassidywebservices.co.uk
Tue Apr 4 23:11:26 MSD 2017


I also have DST Root CA X3 on my T48; it is working fine for HTTPS. Haven't
tried TLS, though.

On 4 April 2017 at 16:34, Rick Jarvis <rick at magicmail.mooo.com> wrote:

> Ah tshark is telling me:
>
> TLSv1 75 Alert (Level: Fatal, Description: Unknown CA)
>
> And yet I added what I thought was the letsencrypt CA from here:
>
> https://letsencrypt.org/certs/isrgrootx1.pem.txt
>
> The client device is a Yealink T48, number 2 is the above certificate:
>
>
>
> On 4 Apr 2017, at 14:07, Stefan Davids <freeswitch at stefan.davids.uk.net>
> wrote:
>
>
> Do you have siptrace turned on for that profile?
>
> If that's on and logging nothing check you can see a successful TLS
> handshake with tshark; eg run
>
> sudo tshark -i any -f "port 5061"
>
> and then get something to try to register (make sure any previous session
> has timed out).  I get, for example:
>
>  1   0.000000 82.132.240.202 -> 81.187.168.242 TCP 76 38035→5061 [SYN] Seq=0 Win=14600 Len=0 MSS=1432 SACK_PERM=1 TSval=405135258 TSecr=0 WS=512
>  2   0.000241 81.187.168.242 -> 82.132.240.202 TCP 76 5061→38035 [SYN, ACK] Seq=0 Ack=1 Win=28800 Len=0 MSS=1452 SACK_PERM=1 TSval=1319863800 TSecr=405135258 WS=128
>  3   0.028737 82.132.240.202 -> 81.187.168.242 TCP 68 38035→5061 [ACK] Seq=1 Ack=1 Win=14848 Len=0 TSval=405135287 TSecr=1319863800
>  4   0.029051 82.132.240.202 -> 81.187.168.242 SSL 259 Client Hello
>  5   0.029207 81.187.168.242 -> 82.132.240.202 TCP 68 5061→38035 [ACK] Seq=1 Ack=192 Win=29952 Len=0 TSval=1319863803 TSecr=405135287
>  6   0.263779 81.187.168.242 -> 82.132.240.202 TLSv1 1488 Server Hello
>  7   0.263871 81.187.168.242 -> 82.132.240.202 TLSv1 1488 Certificate
>  8   0.263944 81.187.168.242 -> 82.132.240.202 TLSv1 635 Server Key Exchange
>
> etc.
>
> I've seen old clients which only support SSLv2 or SSLv3 whereas Freeswitch by
> default won't (for security reasons).  Maybe say what client you're trying to
> use?  It might have some known quirks...
>
> On Tue, April 4, 2017 11:05 am, Rick Jarvis wrote:
>
> I can see it in ngrep, and the conversations look similar to when the register
> is occurring in TCP, i.e.
>
> phone:randomport -> server:5061
> server:5061 -> phone:randomport
>
> But it fails to register as if it’s timing out, and I can’t find any logging on
> FS to confirm that the conversation took place.
>
> On 3 Apr 2017, at 20:29, David Villasmil <david.villasmil.work at gmail.com>
> wrote:
>
> If you don't see anything coming in, it's not freeswitch. I mean if you don't
> see anything with tshark/ngrep, then it's not freeswitch. Look elsewhere...
>
>
> On Mon, Apr 3, 2017 at 8:53 PM Rick Jarvis <rick at magicmail.mooo.com> wrote:
>
> Have to confess I don’t know what wss is? Stefan suggested I cat my certs into
> wss.pem as per below, which seems to have worked to get the port listening but
> not sure if that’s what you mean?
>
> I can’t see anything coming in at all, it’s as if the firewall isn’t open on
> 5061 but it’s open to every port so can’t be that...
>
>
> On 3 Apr 2017, at 18:42, David Villasmil <david.villasmil.work at gmail.com> wrote:
>
> Do you see registers coming in? If so, check nothing is also listening there,
> this happened to me once (on a different port) and it was wss, which also shows
> as freeswitch listening
>
> On Mon, Apr 3, 2017 at 7:39 PM Rick Jarvis <rick at magicmail.mooo.com> wrote:
>
> This was really helpful, thank you!
>
> Struggling now with the registration over TLS for some reason. sofia shows TLS
> on 5061, netstat shows listening on port 5061, firewall is completely open, sip
> internal tls enabled, but whilst handsets register fine on TCP, they timeout on
> TLS. Is TLS somehow more problematic with NAT traversal maybe? Nothing showing
> in freeswitch.log, should I be looking elsewhere or increasing the logging
> maybe?
>
> Thanks again!
> R
>
>
> On 21 Mar 2017, at 09:24, Stefan Davids <freeswitch at stefan.davids.uk.net> wrote:
>
>
>
> It probably depends on the client configuration if you get an invalid
> certificate for self signed or not.  Most seem happy by default when
> I've tried.
>
> I've had no problems using letsencrypt certificates for TLS.
>
> If it is a certificate issue (you can check by turning up the logging)
> I'd imagine either the certificate isn't readable by freeswitch (by
> default I think it'll be chmod 600 and owned by root) or it's wrongly
> constructed.
>
> I have wss.pem as a symlink
>
> wss.pem -> /etc/letsencrypt/wss.pem
>
> # ls -l /etc/letsencrypt/wss.pem
> -rw-r----- 1 freeswitch freeswitch 10868 Mar  8 18:46 /etc/letsencrypt/wss.pem
>
> and created wss.pem via
>
> cat /etc/letsencrypt/live/sip.netscum.org.uk/cert.pem \
>     /etc/letsencrypt/live/sip.netscum.org.uk/privkey.pem \
>     /etc/letsencrypt/live/sip.netscum.org.uk/chain.pem \
>     /etc/letsencrypt/live/sip.netscum.org.uk/fullchain.pem > /etc/letsencrypt/wss.pem
>
> On 20/03/17 22:08, Rick Jarvis wrote:
>
> Thanks Stefan, that’s a huge help - hadn’t crossed my mind it could be a cert
> error, given the description. I’m currently using letsencrypt’s certbot to
> download the certs and symbolic linking to them. Maybe I should just try the
> generator that the docs recommend, but am wondering if that will present the
> non-valid CA issues one gets with web browsers (I’m not all that clear on
> whether this applies to SIP clients or not?!)...
>
> On 20 Mar 2017, at 15:36, Stefan Davids <freeswitch at stefan.davids.uk.net> wrote:
>
>
> For what it's worth I've had this error when freeswitch couldn't open the
> required certificates for SSL.
>
> Turning up the freeswitch logging revealed the system call to open the
> certificate was failing with no such file...
>
> On Fri, March 17, 2017 8:25 pm, Rick Jarvis wrote:
>
> also, the thing that’s really bugging me ATM is that if I enable TLS, just by
> setting the following:
>
> <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>
> I get:
>
> 2017-03-17 20:22:05.762756 [ERR] sofia.c:2863 Error Creating SIP UA for profile: internal (sip:mod_sofia at 12.34.56.78:5060;transport=udp,tcp <>)
> The likely causes for this are:
> 1) Another application is already listening on the specified address.
> 2) The IP the profile is attempting to bind to is not local to this system.
>
> Yet the TLS port is set to 5061, so how can this be?
>
>
> On 17 Mar 2017, at 19:32, Sergey Safarov <s.safarov at gmail.com> wrote:
>
> Try NAPTR and SRV records. In this case only one certificate is required.
> Requirement: SIP clients must support NAPTR or SRV records for TLS connections.
>
>
> Fri, 17 Mar 2017, 22:28 Rick Jarvis <rick at magicmail.mooo.com>:
> <freeswitch at stefan.davids.uk.net>
>
> Trying to get my head around setting TLS up. I have one internal sip profile,
> but multiple domains & dialplans.
>
> If I want to enable TLS on multiple domains, I think I’m right in saying that I
> will then need multiple sip profiles, in order to set the TLS up in each?
>
> I guess my confusion comes from understanding the difference between domains,
> profiles and sip profiles. I’m not even sure exactly what question I’m asking
> here, so apologies!
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org



-- 
*Andrew Cassidy BSc (Hons) MBCS SSCA*
Managing Director

03303 880 960 andrew at cassidyweb.co.uk <andrew at cassidywebservices.co.uk>
www.cassidyweb.co.uk <http://www.cassidywebservices.co.uk>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2017-04-04 16.32.32.png
Type: image/png
Size: 126311 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170404/94d4bb21/attachment-0001.png 
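
Added example, not part of the original thread: a small audit of a concatenated PEM bundle for the two failure modes raised in the quoted replies (a file the server cannot open, including a dangling wss.pem symlink, and a wrongly constructed bundle). The function names are hypothetical and the PEM payloads are constructed placeholders, not real certificates or keys; the check looks only at file access and PEM block structure.

```python
import base64, hashlib, os, re, stat, tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem(label, payload):
    """Constructed PEM block; payload is placeholder bytes, not a real cert or key."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def audit_bundle(path):
    """Return (labels, notes) for a concatenated PEM bundle such as wss.pem."""
    try:
        st = os.stat(path)                  # follows symlinks, as open() does
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        kind = "dangling symlink" if os.path.islink(path) else "missing file"
        return [], [f"{kind}: {path}"]
    except PermissionError:
        return [], [f"not readable by uid {os.geteuid()}: {path}"]
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))
        blocks.append((label, hashlib.sha256(der).hexdigest()))
    labels = [label for label, _ in blocks]
    certs = [digest for label, digest in blocks if label == "CERTIFICATE"]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    notes = []
    if not certs:
        notes.append("no CERTIFICATE block")
    elif len(set(certs)) == 1:
        notes.append("only one distinct certificate: no intermediate in the bundle")
    if len(keys) != 1:
        notes.append(f"expected 1 private key, found {len(keys)}")
    dupes = len(certs) - len(set(certs))
    if dupes:
        notes.append(f"{dupes} duplicate certificate block(s)")
    # The bundle holds the private key, so any 'other' permission bit is worth flagging.
    if keys and stat.S_IMODE(st.st_mode) & 0o007:
        notes.append("private key is accessible to 'other' users")
    return labels, notes

def demo(dirpath):
    """Rebuild the thread's cat order (cert, privkey, chain, fullchain) from placeholders."""
    leaf = pem("CERTIFICATE", b"constructed-leaf")
    inter = pem("CERTIFICATE", b"constructed-intermediate")
    key = pem("PRIVATE KEY", b"constructed-key")
    path = os.path.join(dirpath, "wss.pem")
    with open(path, "w") as fh:
        fh.write(leaf + key + inter + leaf + inter)   # fullchain = cert + chain
    os.chmod(path, 0o640)                             # -rw-r----- as in the listing
    return audit_bundle(path)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        labels, notes = demo(d)
        print(labels)
        print(notes or "no notes")
```

Run it as the service account (for example via `sudo -u freeswitch`) so the readability result reflects what the server process would see.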

