<div dir="ltr">Can't help you with what the issue would be (though I'd verify your date/time settings are correct)... but I would update your OpenSSL version since 1.0.1e is vulnerable to the Heartbleed bug.</div><div class="gmail_extra">
<br><br><div class="gmail_quote">On 22 April 2014 13:46, Assaf Dahary <span dir="ltr">&lt;<a href="mailto:adahary@gmail.com" target="_blank">adahary@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">Hi,<u></u><u></u></span></p>
<p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr">
<span style="font-size:12.0pt;font-family:"Arial","sans-serif"">I've successfully installed an FS server with TLS using PositiveSSL and it is working great.<u></u><u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr">
<span style="font-size:12.0pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">A few days ago I followed the same installation on another standalone machine with the same FS-1.2.22 and PositiveSSL CA but this time I cannot connect over TLS. <u></u><u></u></span></p>
<p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr">
<span style="font-size:12.0pt;font-family:"Arial","sans-serif"">It seems that FS has no cipher to respond with and it fails on negotiation.<u></u><u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr">
<span style="font-size:12.0pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">The PositiveSSL is OK because I verified it locally with "openssl s_client" and from the internet using browser/https.<u></u><u></u></span></p>
<p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr">
<span style="font-size:12.0pt;font-family:"Arial","sans-serif"">My ssl/ pem files are made with (like I did with the first server - OK):<u></u><u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr">
<span style="font-size:12.0pt;font-family:"Arial","sans-serif"">#cat mysite_com.crt myserver.key > agent.pem<u></u><u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">#cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cafile.pem<u></u><u></u></span></p>
<p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif""># chown freeswitch.freeswitch *.pem<u></u><u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr">
<span style="font-size:12.0pt;font-family:"Arial","sans-serif"">#chmod 640 *.pem<u></u><u></u></span></p><p class="MsoNormal" style="text-align:left;direction:ltr"><span style="font-size:12.0pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">When issuing "</span><span style="font-size:9.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm">$ sslscan <a href="http://myfs.com:5091" target="_blank">myfs.com:5091</a> | grep Accepted "</span><span style="font-size:12.0pt;font-family:"Arial","sans-serif""> <u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">I get not a single cipher. I get a long list of 'Rejected' ciphers.<u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">When I'm running the same command for my first server I get </span><span style="font-size:9.0pt;font-family:Consolas;color:#333333">a list of supported ciphers – which is OK.<u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"><u></u> <u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">When <u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">[root@www ~]# openssl s_client -connect <a href="http://myfs.com:5091" target="_blank">myfs.com:5091</a><u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">CONNECTED(00000003)<u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1<u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2<u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1<u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = <a href="http://myfs.com" target="_blank">myfs.com</a><u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1<u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40<u></u><u></u></span></pre>
<div style="border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm;background:#f3f3f3"><pre style="background:#f3f3f3;vertical-align:baseline;border:none;padding:0cm"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:<u></u><u></u></span></pre>
</div><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"><u></u> <u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas"><u></u> <u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas">I've already re-installed FS with clean config files.<u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<span style="font-size:9.0pt;font-family:Consolas"><u></u> <u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas">Centos 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.<u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas"><u></u> <u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:"Arial","sans-serif"">I would appreciate any help/tip on this TLS fail issue.<u></u><u></u></span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:"Arial","sans-serif""><u></u> <u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:"Arial","sans-serif"">Regards<span class="HOEnZb"><font color="#888888"><u></u><u></u></font></span></span></pre>
<span class="HOEnZb"><font color="#888888"><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:"Arial","sans-serif""><u></u> <u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<span style="font-family:"Arial","sans-serif"">Assaf<u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas"><u></u> <u></u></span></pre>
</font></span></div></div><br>_________________________________________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<br></blockquote></div><br></div>
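Added example, not part of the thread and not FreeSWITCH's own tooling: a shell check for a combined `agent.pem` built as in the quoted message (certificate followed by private key), covering the key/certificate match, the validity window against the local clock that the reply suggests verifying, and the file mode. The function name `check_agent_pem` is hypothetical; it assumes an unencrypted key, the `openssl` CLI, and GNU `date` and `stat`.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for a combined agent.pem (certificate + key).
# check_agent_pem is a hypothetical helper name, not a FreeSWITCH command.

check_agent_pem() {
    local pem="$1" rc=0 cert_pub key_pub start now mode

    # 1. Both PEM blocks must be present in the one file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block"; return 1; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no private key block"; return 1; }

    # 2. The key must belong to the certificate: compare the public key
    #    taken from the cert with the one derived from the private key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi

    # 3. Validity window against the local clock; a wrong system date
    #    makes a good certificate look expired or not yet valid.
    now=$(date +%s)
    start=$(date -d "$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)" +%s)
    [ "$now" -ge "$start" ] ||
        { echo "FAIL: certificate not yet valid (check clock)"; rc=1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate expired (check clock)"; rc=1; }

    # 4. The file holds a private key, so "other" must have no access.
    mode=$(stat -c %a "$pem")
    case "$mode" in
        *0) ;;
        *) echo "FAIL: mode $mode is accessible to others"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $pem"
    return "$rc"
}

# Usage: check_agent_pem /path/to/agent.pem
```

A pass here only rules out the bundle, the clock and the permissions; it does not inspect the server's cipher configuration or the OpenSSL build it links against.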