<div dir="ltr"><div><div>Yes, I'll open a jira ticket.<br><br>Also, just wanted to correct something I wrote in my last email.<br><br></div>Where I said:<br><br>"If these are present, then Android will treat the cert as a standard user cert."<br>
<br></div>I meant<br><br>"If these are NOT present, then Android will treat the cert as a standard user cert."</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Aug 13, 2013 at 12:50 AM, Michael Jerris <span dir="ltr"><<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">This sounds like it should be in the script for everyone. Can you open a bug on <a href="http://jira.freeswitch.org" target="_blank">jira.freeswitch.org</a> for this issue.<div>
<br></div><div>Thanks</div><div>Mike</div><div><div class="h5"><div><br><div><div>On Aug 6, 2013, at 2:16 AM, Peter <<a href="mailto:eidevm5@gmail.com" target="_blank">eidevm5@gmail.com</a>> wrote:</div><br><blockquote type="cite">
<div dir="ltr"><div><div><div><div><div><div><div><div><div>Finally figured out the issue was related to the gentls_cert script was generating an openssl template that didn't have the required x509v3 extensions set.<br>
<br></div>I modified the script where it generates config.tpl to add<br><br> x509_extensions = v3_ca<br><br></div>to the [req] section, then I added the section:<br><br> [ v3_ca ]<br>
subjectKeyIdentifier=hash<br> authorityKeyIdentifier=keyid:always,issuer<br> basicConstraints=CA:TRUE<br><br></div>Now when you issue:<br><br>openssl x509 -noout -inform pem -text -in cafile.pem<br>
<br></div>you'll see the following section:<br><br> X509v3 extensions:<br> X509v3 Subject Key Identifier:<br> 02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5<br> X509v3 Authority Key Identifier:<br>
keyid:02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5<br><br> X509v3 Basic Constraints:<br> CA:TRUE<br><br></div>If these are present, then Android will treat the cert as a standard user cert.<br>
<br></div>Then it was a simple matter of copying cafile.pem to cafile.crt on the sdcard on the Android device and using the "install from device storage" option.<br><br></div>When the cert installer dialog comes up, it will now detect cafile.crt as a CA cert and not user cert.<br>
<br></div>Hope this helps other people, as cert management on Android is a right pain in the $#%^.<br><br></div>Peter<br><br><div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, Aug 6, 2013 at 2:31 PM, Peter <span dir="ltr"><<a href="mailto:eidevm5@gmail.com" target="_blank">eidevm5@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><div><div>The reason I put it on a webserver is mostly for convenience to make it easier to install.<br><br></div>I tried copying cafile.pem to /sdcard on a Galaxy Note II, but when I try the "Install from device storage" option, it just comes back with:<br>
<br></div>"No certificate file found on SD card"<br><br><div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Mon, Aug 5, 2013 at 5:51 PM, Mehroz Ashraf <span dir="ltr"><<a href="mailto:mehroz.ashraf85@gmail.com" target="_blank">mehroz.ashraf85@gmail.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div><div dir="ltr"><div>Why do you want to place the cert on webserver and point android browser? If you are doing this to download cert into android then that is probably not the right approach.<br>
<br></div>I used cafile.pem (without converting it into .der format) and placed the file in SD card or phone memory, and point out linphone to get the CA from the path. You may search in libraries where it need to tell the path. <br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Mon, Aug 5, 2013 at 12:15 PM, Peter <span dir="ltr"><<a href="mailto:eidevm5@gmail.com" target="_blank">eidevm5@gmail.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div>
<div dir="ltr"><div><div><div><div><div><div><div><div><div>Has anyone managed to get TLS working between Android Linphone and Freeswitch?<br><br></div>I've done the basic TLS setup as per <a href="https://wiki.freeswitch.org/wiki/Tls" target="_blank">https://wiki.freeswitch.org/wiki/Tls</a><br>
<br></div>I then convert the CA cert from PEM to DER format with:<br><br>openssl x509 -inform PEM -outform der -in cafile.pem -out fs.crt<br><br></div>I place fs.crt on a webserver and point my Android browser to it.<br>
<br></div>When I click on fs.crt, I get the default Android Certificate installer popup, but it always says:<br><br></div>"Package contains: one user certificate"<br><br></div>ie: it thinks it is a user cert rather than a CA cert.<br>
<br></div>Android appears to be a real pain to add a CA to its trusted credential store.<br><br></div>Really interested if anyone has managed to get Android to import the CA cert.<br><br></div>Thanks<span><font color="#888888"><br>
<br>Peter<br></font></span></div>
</div></blockquote></div></div></div></blockquote></div></div></div></div></blockquote></div></div></div></div></blockquote></div><br></div></div></div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div>