[Freeswitch-users] TLS and SRTP commercial certs go in which file?

Gregor Nanger gregor at infomedia.si
Mon Sep 18 10:43:39 UTC 2017


Hi!

I have wss.pem as you described.

And for tls, I just copied wss.pem.

Regards, Gregor

2017-09-18 12:32 GMT+02:00 Bipin Patel <bipin at xbipin.com>:

> Hi,
>
> After playing around I figured this out. Some corrections I need to make
> for others willing to use the same:
>
> The agent.pem file needs to have your commercial cert followed by the
> private key, but if you just use that, Zoiper for Android will give a
> warning about an untrusted cert, so we also need to add the intermediary
> followed by the root CA cert in the cafile.pem to avoid this warning on the
> client side.
>
> wss.pem is used for verto, which needs to have your commercial cert
> followed by its private key, followed by the intermediary cert, followed by
> the root CA cert. If you don't use verto then ignore this file and FS will
> self-create it when using only TLS and SRTP.
>
> The tls.pem file I think is used as the default cert, but I just copied the
> data from agent.pem to this.
>
> dtls-srtp.pem is used for verto, so I think that got created by default
> also.
>
> Bear in mind Zoiper for Android doesn't allow you to import your own certs
> but just uses its own self-signed cert, so I had to set tls-verify-policy to
> none to make it work.
>
>
> Regards,
> Bipin
>
>
> ------------------------------
> -------- Original Message --------
> Subject: Re: [Freeswitch-users] TLS and SRTP commercial certs go in which file?
> From: Shaun Stokes <shaun.stokes at itec-support.co.uk>
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Date: 9/18/2017, 12:03:47 PM
>
> Hi Bipin,
>
> Putting the same into all 4 pem’s certainly works, and that’s correct, no
> intermediary or root ca required, providing you have the public and private
> key in your pem files.
>
> The wiki article for SIP_TLS could do with being updated, but I don’t know
> exactly what each of the 4 certs is used for.
>
> This is my best guess at what each of the certificates is used for.
>
> agent.pem – FreeSWITCH public server cert
> tls.pem – Used for TLS communication
> dtls-srtp.pem – Used for DTLS\SRTP communication
> wss.pem – Used for WebRTC communication
>
> Shaun
>
>
>
> *From:* FreeSWITCH-users [mailto:freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of* Bipin Patel
> *Sent:* 17 September 2017 05:43
> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> *Subject:* Re: [Freeswitch-users] TLS and SRTP commercial certs go in which file?
>
>
>
> Hi,
>
> Thanks for that info so if I understood it right the agent.pem file will
> have my cert and key inside it only and no intermediary or root ca cert is
> required at all, but what goes in the tls.pem file?
>
> On September 17, 2017 5:45:28 AM Shaun Stokes <
> shaun.stokes at itec-support.co.uk> wrote:
>
> Hi Bipin,
>
> We've found that these are the certs which FreeSWITCH will use, the pem
> file will need the public and private key (same as your wss cert). You'll
> also need to make sure the user for FreeSWITCH has read permission to the
> certs.
>
> agent.pem
> dtls-srtp.pem
> tls.pem
> wss.pem
>
> FreeSWITCH doesn't seem to need the intermediary and root cert of the CA.
>
> Here are some of the TLS parameters you might also want on your SIP
> profile.
>
> Name: tls
> Value: true
>
> Name: tls-bind-params
> Value: transport=tls
>
> Name: tls-cert-dir
> Value: "Your Cert Directory Path"
>
> Name: tls-sip-port
> Value: 5061
>
> Name: tls-verify-date
> Value: true
>
> Name: tls-verify-depth
> Value: 2
>
> Name: tls-verify-policy
> Value: all|subjects_all
>
> Name: tls-version
> Value: tlsv1.2
>
> Shaun
>
>
>
> *From:* FreeSWITCH-users [mailto:freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of* Bipin Patel
> *Sent:* 16 September 2017 06:49
> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> *Subject:* Re: [Freeswitch-users] TLS and SRTP commercial certs go in which file?
>
>
>
> hi,
>
> no one?
>
> Regards,
> Bipin
> ------------------------------
>
> -------- Original Message --------
> Subject: [Freeswitch-users] TLS and SRTP commercial certs go in which file?
> From: Bipin Patel <bipin at xbipin.com>
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Date: 9/15/2017, 3:44:33 PM
>
> Hi,
>
> When I set up verto on my server I used commercial certificates, with
> wss.pem containing the following, and all that works brilliantly:
> -----BEGIN CERTIFICATE-----
> <lots of gibberish from the actual certificate>
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> <lots of gibberish from the actual certificate>
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> <lots of gibberish from the intermediate certificate>
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> <even more gibberish from the root certificate>
> -----END CERTIFICATE-----
>
> Now I want to use the same certificate for TLS and SRTP. I was reading
> the docs and they mentioned creating an agent.pem file with the actual
> server cert and key, but where do I copy the intermediary and root cert of
> the CA? Which folders do both go in, and with what filename?
>
> Any help is appreciated.
>
> --
> Regards,
> Bipin
> ------------------------------
>
>
>
> _________________________________________________________________________
>
> Professional FreeSWITCH Consulting Services:
>
> consulting at freeswitch.org
>
> http://www.freeswitchsolutions.com
>
>
>
> Official FreeSWITCH Sites
>
> http://www.freeswitch.org
>
> http://confluence.freeswitch.org
>
> http://www.cluecon.com
>
>
>
> FreeSWITCH-users mailing list
>
> FreeSWITCH-users at lists.freeswitch.org
>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>
> http://www.freeswitch.org
>
>
>
> ______________________________________________________________________
> This message has been checked for all known viruses by MessageLabs Virus
> Scanning Service.
> ______________________________________________________________________
>
> Shaun Stokes - Infrastructure Analyst
>
>
> T :
>
> 01453 700713
>
> E :
>
> shaun.stokes at itec-support.co.uk
>
> W :
>
> www.itec-support.co.uk
>
> Registered Address :- ITEC Support, Suite 2 Prospect House, Bath Road,
> Stroud, Gloucestershire GL5 3QF
> Company No. 06908001
>



-- 
Gregor Nanger

*CTO*
t./f.: 00386 (0) 7 6000 308/309 • m:. 00386 (0)41 756485
• Infomedia d.o.o. • Jerebova 3, Novo mesto, Slovenia
• www.infomedia.si
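
The bundle layout described in the quoted messages (server certificate, then its private key, then the intermediate and root CA certificates), as an added example that is not part of the original thread or of FreeSWITCH itself. The function names, file names and placeholder PEM bodies are constructed for illustration, and the world-readable check is an added assumption: the thread only says the FreeSWITCH user needs read permission.

```bash
#!/usr/bin/env bash
# Added example, not from the thread; file names and PEM bodies are constructed.

# Print the PEM block labels of a file in order, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# build_bundle OUT CERT KEY [CA_CERT...]: concatenate in the quoted order and
# keep the result private, since it contains the private key.
build_bundle() {
    local out=$1; shift
    ( umask 077; cat "$@" > "$out" ) && chmod 600 "$out"
}

# Check a bundle: block 1 = server certificate, block 2 = its private key,
# blocks 3+ = CA certificates. Prints "ok" or the first problem found.
check_bundle() {
    local file=$1 n=0 label labels
    labels=$(pem_labels "$file")
    while IFS= read -r label; do
        [ -n "$label" ] || continue
        n=$((n + 1))
        case "$n:$label" in
            1:CERTIFICATE|2:*"PRIVATE KEY") ;;
            1:*|2:*) echo "block $n is '$label'"; return 1 ;;
            *:CERTIFICATE) ;;
            *) echo "block $n is '$label'"; return 1 ;;
        esac
    done <<EOF
$labels
EOF
    [ "$n" -ge 2 ] || { echo "certificate or private key missing"; return 1; }
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "world-readable file holds a private key"; return 1
    fi
    echo "ok"
}

# Constructed stand-ins for real PEM files (bodies are placeholders).
demo=$(mktemp -d)
fake_pem() { printf -- '-----BEGIN %s-----\nPLACEHOLDER\n-----END %s-----\n' "$1" "$1"; }
fake_pem CERTIFICATE       > "$demo/server.crt"
fake_pem "RSA PRIVATE KEY" > "$demo/server.key"
fake_pem CERTIFICATE       > "$demo/intermediate.crt"
fake_pem CERTIFICATE       > "$demo/root.crt"
build_bundle "$demo/wss.pem" "$demo/server.crt" "$demo/server.key" \
    "$demo/intermediate.crt" "$demo/root.crt"
check_bundle "$demo/wss.pem"
```

The same check accepts a two-block file (certificate plus key), which is the agent.pem layout described in the thread; it only inspects block order and file mode, not whether the key actually matches the certificate.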