[Freeswitch-users] TLS and SRTP commercial certs go in which file?

Bipin Patel bipin at xbipin.com
Mon Sep 18 12:19:05 UTC 2017


Hi,

So it would mean that if you put the cert, key, intermediary cert and root CA 
cert all in agent.pem and delete the cafile.pem file, then it should work, 
although I didn't try whether Zoiper gives a warning or not in that case.

Frankly, if the devs replied to this and cleared up the doubts, I could update 
the docs on which file is required for which function and which certs and key 
each one needs to contain when using commercial certificates.




On September 18, 2017 2:46:03 PM Gregor Nanger <gregor at infomedia.si> wrote:

> Hi!
>
> I have  wss.pem as you described
>
> And for tls, I just copied wss.pem.
>
> Regards, Gregor
>
> 2017-09-18 12:32 GMT+02:00 Bipin Patel <bipin at xbipin.com>:
>
>> hi,
>>
>> after playing around I figured this out; some corrections I need to make for
>> others willing to use the same:
>>
>> agent.pem needs to have your commercial cert followed by the private
>> key, but if you just use that, Zoiper for Android will give a warning about an
>> untrusted cert, so we need to also add the intermediary followed by the root
>> CA cert in the cafile.pem to avoid this warning on the client side.
>> wss.pem is used for verto, which needs to have your commercial cert followed
>> by its private key followed by the intermediary cert followed by the root CA cert;
>> if you don't use verto then ignore this file and FS will create it itself when
>> using only TLS and SRTP.
>> tls.pem I think is used as the default cert, but I just copied the data
>> from agent.pem to this.
>> dtls-srtp.pem is used for verto, so I think that got created by default also.
>>
>> bear in mind Zoiper for Android doesn't allow you to import your own certs but
>> just uses its own self-signed cert, so I had to set tls-verify-policy to
>> none to make it work
>>
>>
>> Regards,
>> Bipin
>>
>>
>> ------------------------------
>> -------- Original Message --------
>> Subject: Re: [Freeswitch-users] TLS and SRTP commercial certs go in which file?
>> From: Shaun Stokes <shaun.stokes at itec-support.co.uk>
>> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>> Date: 9/18/2017, 12:03:47 PM
>>
>> Hi Bipin,
>>
>>
>>
>> Putting the same into all 4 pem's certainly works, and that's correct: no
>> intermediary or root CA is required, providing you have the public and private
>> key in your pem files.
>>
>>
>>
>> The wiki article for SIP_TLS could do with being updated, but I don't know
>> exactly what each of the 4 certs is used for.
>>
>>
>>
>> This is my best guess at what each of the certificates is used for:
>>
>> agent.pem – FreeSWITCH public server cert
>> tls.pem – Used for TLS communication
>> dtls-srtp.pem – Used for DTLS\SRTP communication
>> wss.pem – Used for WebRTC communication
>>
>>
>>
>> Shaun
>>
>>
>>
>> *From:* FreeSWITCH-users [mailto:freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of* Bipin Patel
>> *Sent:* 17 September 2017 05:43
>> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>> *Subject:* Re: [Freeswitch-users] TLS and SRTP commercial certs go in which file?
>>
>>
>>
>> Hi,
>>
>> Thanks for that info, so if I understood it right the agent.pem file will
>> have only my cert and key inside it and no intermediary or root CA cert is
>> required at all, but what goes in the tls.pem file?
>>
>> On September 17, 2017 5:45:28 AM Shaun Stokes <shaun.stokes at itec-support.co.uk> wrote:
>>
>> Hi Bipin,
>>
>>
>>
>> We've found that these are the certs which FreeSWITCH will use; each pem
>> file will need the public and private key (same as your wss cert). You'll
>> also need to make sure the user FreeSWITCH runs as has read permission on the
>> certs.
>>
>> agent.pem
>> dtls-srtp.pem
>> tls.pem
>> wss.pem
>>
>>
>>
>> FreeSWITCH doesn't seem to need the intermediary and root cert of the CA.
>>
>>
>>
>> Here are some of the TLS parameters you might also want on your SIP
>> profile.
>>
>> Name: tls
>> Value: true
>>
>> Name: tls-bind-params
>> Value: transport=tls
>>
>> Name: tls-cert-dir
>> Value: "Your Cert Directory Path"
>>
>> Name: tls-sip-port
>> Value: 5061
>>
>> Name: tls-verify-date
>> Value: true
>>
>> Name: tls-verify-depth
>> Value: 2
>>
>> Name: tls-verify-policy
>> Value: all|subjects_all
>>
>> Name: tls-version
>> Value: tlsv1.2
>>
>> Shaun
>>
>>
>>
>> *From:* FreeSWITCH-users [mailto:freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of* Bipin Patel
>> *Sent:* 16 September 2017 06:49
>> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>> *Subject:* Re: [Freeswitch-users] TLS and SRTP commercial certs go in which file?
>>
>>
>>
>> hi,
>>
>> no one?
>>
>> Regards,
>> Bipin
>> ------------------------------
>>
>> -------- Original Message --------
>> Subject: [Freeswitch-users] TLS and SRTP commercial certs go in which file?
>> From: Bipin Patel <bipin at xbipin.com>
>> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>> Date: 9/15/2017, 3:44:33 PM
>>
>> hi,
>>
>> when I set up verto on my server I used commercial certificates with
>> wss.pem containing the following, and all that works brilliantly:
>> -----BEGIN CERTIFICATE-----
>> <lots of gibberish from the actual certificate>
>> -----END CERTIFICATE-----
>> -----BEGIN RSA PRIVATE KEY-----
>> <lots of gibberish from the actual certificate>
>> -----END RSA PRIVATE KEY-----
>> -----BEGIN CERTIFICATE-----
>> <lots of gibberish from the intermediate certificate>
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> <even more gibberish from the root certificate>
>> -----END CERTIFICATE-----
>>
>> now I want to use the same certificate for TLS and SRTP, and I was reading
>> the docs and it mentioned creating an agent.pem file with the actual server
>> cert and key, but where do I copy the intermediate and root cert of the
>> CA, which folders do both go in and with what filename?
>>
>> any help is appreciated
>>
>> --
>> Regards,
>> Bipin
>> ------------------------------
>>
>>
>>
>> _________________________________________________________________________
>>
>> Professional FreeSWITCH Consulting Services:
>>
>> consulting at freeswitch.org
>>
>> http://www.freeswitchsolutions.com
>>
>>
>>
>> Official FreeSWITCH Sites
>>
>> http://www.freeswitch.org
>>
>> http://confluence.freeswitch.org
>>
>> http://www.cluecon.com
>>
>>
>>
>> FreeSWITCH-users mailing list
>>
>> FreeSWITCH-users at lists.freeswitch.org
>>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>
>> http://www.freeswitch.org
>>
>>
>>
>>
>> Shaun Stokes - Infrastructure Analyst
>> T: 01453 700713
>> E: shaun.stokes at itec-support.co.uk
>> W: www.itec-support.co.uk
>> Registered Address: ITEC Support, Suite 2 Prospect House, Bath Road,
>> Stroud, Gloucestershire GL5 3QF
>> Company No. 06908001
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
> --
> Gregor Nanger
>
> *CTO*
> t./f.: 00386 (0) 7 6000 308/309 • m:. 00386 (0)41 756485
> • Infomedia d.o.o. • Jerebova 3, Novo mesto, Slovenia
> • www.infomedia.si
>
>
>
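The thread converges on a file layout (server certificate followed by its private key in agent.pem, intermediate and root CA certificates in cafile.pem, and the full chain in wss.pem for verto). As an added example that is not part of this thread and not FreeSWITCH code, the stdlib-only Python below parses a wss.pem-style bundle block by block, checks that the blocks are in that order and that each body is valid base64, and splits it into agent.pem and cafile.pem contents. The sample bundle is constructed from placeholder strings, not real key material; the function names and the layout check are this example's own, and nothing here asserts how FreeSWITCH itself loads these files.

```python
"""Split a wss.pem-style bundle into agent.pem and cafile.pem (added example)."""
import base64
import binascii
import re
from typing import List, Tuple


def _fake_block(label: str, text: str) -> str:
    """Build a syntactically valid PEM block whose body is base64 of a
    placeholder string. Constructed for this example; NOT real key material."""
    b64 = base64.b64encode(text.encode()).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample in the order the thread describes for wss.pem:
# server cert, its private key, intermediate CA cert, root CA cert.
SAMPLE_WSS_PEM = (
    _fake_block("CERTIFICATE", "placeholder: server certificate")
    + _fake_block("RSA PRIVATE KEY", "placeholder: server private key")
    + _fake_block("CERTIFICATE", "placeholder: intermediate CA certificate")
    + _fake_block("CERTIFICATE", "placeholder: root CA certificate")
)

# One PEM block: BEGIN/END labels must match; body is matched lazily.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----\r?\n?",
    re.DOTALL,
)


def parse_pem(text: str) -> List[Tuple[str, str]]:
    """Return (label, raw_block) pairs in file order; every body must be valid base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())  # strip line wrapping
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"malformed base64 in {m.group('label')} block") from exc
        blocks.append((m.group("label"), m.group(0)))
    return blocks


def check_bundle(text: str) -> List[str]:
    """Report deviations from the layout: CERTIFICATE, then PRIVATE KEY, then CA certs."""
    labels = [lbl for lbl, _ in parse_pem(text)]
    problems = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("first block must be the server CERTIFICATE")
    # Accepts 'RSA PRIVATE KEY', 'EC PRIVATE KEY' and PKCS#8 'PRIVATE KEY'.
    if len(labels) < 2 or not labels[1].endswith("PRIVATE KEY"):
        problems.append("second block must be the server's PRIVATE KEY")
    for i, lbl in enumerate(labels[2:], start=3):
        if lbl != "CERTIFICATE":
            problems.append(f"block {i} is {lbl}; only CA CERTIFICATE blocks may follow the key")
    return problems


def split_bundle(text: str) -> Tuple[str, str]:
    """Return (agent_pem, cafile_pem): cert + key, then the CA chain in original order."""
    problems = check_bundle(text)
    if problems:
        raise ValueError("; ".join(problems))
    blocks = parse_pem(text)
    agent = blocks[0][1] + blocks[1][1]
    cafile = "".join(raw for _, raw in blocks[2:])
    return agent, cafile


def describe(text: str) -> List[str]:
    """Block labels in order, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [lbl for lbl, _ in parse_pem(text)]


if __name__ == "__main__":
    agent_pem, cafile_pem = split_bundle(SAMPLE_WSS_PEM)
    print("agent.pem  blocks:", describe(agent_pem))
    print("cafile.pem blocks:", describe(cafile_pem))
```

Running it prints the block labels of the two output files; the tls.pem copy mentioned in the thread is simply the agent.pem content again. The script checks only structure and base64 syntax, not that the key actually belongs to the certificate or that the chain verifies; `openssl verify -CAfile cafile.pem agent.pem` covers the chain part once the files are in place.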

