<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Arial","sans-serif";
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Hi,<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>I've successfully installed a FS server with TLS using PsitiveSSL and it is working great.<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Few days ago I've followed the same installation on another standalone machine with the same FS-1.2.22 and PsitivieSSL CA but this time I cannot connect over TLS. <o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>It seems that FS has no cipher to response with and it fails on negotiations.<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>The PositiveSSL is OK because I verified it locally with "openssl s_client" and from the internet using browser/https.<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>My ssl/ pem files are made with (like I did with the first server - OK):<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>#cat mysite_com.crt myserver.key > agent.pem<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>#cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cafile.pem<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'># chown freeswitch.freeswitch *.pem<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>#chmod 640 *.pem<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>When issuing "</span><span style='font-size:9.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm'>$ sslscan myfs.com:5091 | grep Accepted "</span><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'> <o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>I get no single cipher. I get long list of 'Rejected' ciphers.<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>When I'm running the same command for my first server I get </span><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>a list of supported ciphers – which is OK.<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>When <o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>[root@www ~]# openssl s_client -connect myfs.com:5091<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>CONNECTED(00000003)<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>verify return:1<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>verify return:1<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = myfs.com<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>verify return:1<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40<o:p></o:p></span></pre><div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm;background:#F3F3F3'><pre style='background:#F3F3F3;vertical-align:baseline;border:none;padding:0cm'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:<o:p></o:p></span></pre></div><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'>I've already re-installed FS with clean config files.<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'>Centos 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif"'>I would appreciate any help/tip on this TLS fail issue.<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif"'>Regards<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif"'>Assaf<o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'><o:p> </o:p></span></pre></div></body></html>