<div dir="ltr">It would appear that the x509v3 Extended Key Usage for serverAuth is needed. (extendedKeyUsage=serverAuth)<div><br></div><div>My current certificates that I use with freeswitch do not set this, and work just fine with the version I am running. I never set it since the documentation indicates that freeswitch will not use it anyway. With the latest head, freeswitch will still start with my certs, but when you connect it does not return a cert to the client. After re-generating a test certificate and only adding the above additional extension, freeswitch now will provide a certificate to my client.</div>
<div><br></div><div>Since this extension must exist, is it still true that it doesn't actually perform checks with it? There are cases where I use a specific profile for connecting to another freeswitch. In that case the profile could be a server if it is inbound from the other switch, or it could be a client if I am placing an outbound call to that switch.</div>
<div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 29, 2014 at 11:09 AM, sangdrax8 <span dir="ltr"><<a href="mailto:sangdrax8@gmail.com" target="_blank">sangdrax8@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'll read through the documentation and see if I can fix it!<div><br></div><div>The agent.pem and the cafile.pem that I am using are working just fine on my current freeswitch build. I am certain I have the server cert, the dates/times are valid still, and the files have the correct permissions. In the latest head they no longer work. Since the ones generated by the script do work, I was hoping someone knew that there is now a required field that I should be adding. The fields that I listed I thought were all optional, but I'll look through the documentation and try again.</div>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 29, 2014 at 11:01 AM, Brian West <span dir="ltr"><<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It sounds like you used the CA cert as your certificate instead of creating one.<div><br></div><div>I would highly recommend you read this:</div>
<div><br></div><div><a href="https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw" target="_blank">https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw</a><br>
</div><div><br></div><div>gen_tls should work also, but I had to do these steps last week as everyone kept reporting that they couldn't use their self-signed certs, so I did a little how-to on setting up a CA from scratch that would work.</div>
</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 29, 2014 at 8:36 AM, sangdrax8 <span dir="ltr"><<a href="mailto:sangdrax8@gmail.com" target="_blank">sangdrax8@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am not sure I follow; could you elaborate any more? I was following <a href="https://wiki.freeswitch.org/wiki/SIP_TLS#Configuration" target="_blank">https://wiki.freeswitch.org/wiki/SIP_TLS#Configuration</a> and using the provided gentls_cert script. I believe this creates a CA (if one wasn't already created) and then generates and signs certificates. Finally it outputs everything needed into the agent.pem and cafile.pem files. Since these work, I assume these are the correct type of cert? (Not positive where WSS comes into play).<div>
<br></div><div>My only issue is when I use my existing certificates that I am using on my current freeswitch, I do not get a certificate passed to the client. Looking at sofia status shows the profile started with (TLS) after it. If I just swap out my certs for the ones the script generated, and restart, everything works again. So I assume there is some requirement that has changed for certs, but I can't figure out what it is wanting. </div>
<div><br></div><div>Using the script for my test/dev works just fine, but when I go to replace my running machines I would like to use the existing certs. If I need to recreate them to add something to the cert, I can do that as well, but I will need to do it with the CA I have been using so I need to figure out what options I am missing (assuming that is my problem).</div>
</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 28, 2014 at 5:23 PM, Brian West <span dir="ltr"><<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The one generated for DTLS isn't the same one you would setup for your WSS connectivity.</div><div class="gmail_extra">
<br><br><div class="gmail_quote"><div><div>On Mon, Jul 28, 2014 at 2:10 PM, sangdrax8 <span dir="ltr"><<a href="mailto:sangdrax8@gmail.com" target="_blank">sangdrax8@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">I can get my latest freeswitch to run TLS profiles if I use the provided scripts to generate the CA and the server certs, but not with my own certs. The TLS profile does start with my cert, but when I connect, it does not provide a cert to the client. <div>
<br></div><div>The only differences I can see in the server cert are the following fields:</div><div><br></div><div><div>X509v3 Authority Key Identifier: </div><div> DirName:/CN=FreeSWITCH CA/O=FreeSWITCH</div><div> serial:91:F9:22:5D:22:38:6B:09</div>
<div><br></div><div>X509v3 Subject Alternative Name: </div><div> DNS:<a href="http://test.freeswitch.org" target="_blank">test.freeswitch.org</a></div><div>Netscape Cert Type: </div><div> SSL Server</div><div>X509v3 Extended Key Usage: </div>
<div> TLS Web Server Authentication</div></div><div><br></div><div><br></div><div>As I understand it, the Netscape and Usage designations are not used by freeswitch at this time. So I wouldn't expect them to cause an issue, unless this has changed since the documentation was written.</div>
<div><br></div><div>I have the x509v3 Authority Key Identifier, with a keyid field, but I don't have these other two fields which the script puts. Are these required?</div><div><br></div><div>I also do not have an Alt name defined in my cert, but I wouldn't have thought this would be a required field either.</div>
<div><br></div><div>I can't find anything else that appears different to me. If someone can clarify what is required for Freeswitch to use a cert, it would be greatly appreciated!</div><div><br></div><div><br></div>
<div>
<br></div></div>
<br></div></div>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">
<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p>
<p><font size="1" face="courier new, monospace"><img src="http://bkw.org/whmcslogo.png"><br></font></p><p><font face="courier new, monospace"><b><i>Twitter: @FreeSWITCH , @briankwest</i></b><br><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a><br>
<a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a></font></p>
<p><font face="courier new, monospace"><b>T:</b><a href="tel:%2B19184209001" value="+19184209001" target="_blank">+19184209001</a> | <b>F:</b><a href="tel:%2B19184209002" value="+19184209002" target="_blank">+19184209002</a> | <b>M:</b>+1918424WEST (9378)<br>
<b>iNUM:</b><a href="tel:%2B883%205100%201420%209001" value="+883510014209001" target="_blank">+883 5100 1420 9001</a> | <b>ISN:</b>410*543 | <b>Skype:</b>briankwest</font></p></div>
</div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br>
</div></div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
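The thread concludes that a server certificate signed by the poster's own CA works once it carries extendedKeyUsage=serverAuth. The script below is an added example (not from the thread, and not FreeSWITCH's gentls_cert script): it signs a server certificate with an existing CA using an extension file that adds the extensions the poster's certificates lacked, assembles agent.pem/cafile.pem the way the thread describes, and checks for the EKU with openssl. The CA name, hostname and file names are constructed for the example.

```shell
#!/bin/sh
# Added example: sign a server cert with an existing CA so it carries
# extendedKeyUsage=serverAuth (the extension the thread found necessary)
# plus a subjectAltName, then verify the result with openssl.
# "Example CA" and sip.example.test are constructed placeholders.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA standing in for the poster's existing CA (ca.key/ca.pem).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example CA/O=Example" -keyout ca.key -out ca.pem 2>/dev/null

# Server key and CSR; the CSR itself carries no extensions.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=sip.example.test" -keyout agent.key -out agent.csr 2>/dev/null

# Extension file applied at signing time. extendedKeyUsage=serverAuth is
# the line whose absence made FreeSWITCH present no certificate.
cat > server_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sip.example.test
authorityKeyIdentifier = keyid,issuer:always
EOF

openssl x509 -req -in agent.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -extfile server_ext.cnf -out agent.crt 2>/dev/null

# FreeSWITCH reads key + cert from agent.pem and the CA from cafile.pem.
cat agent.key agent.crt > agent.pem
cp ca.pem cafile.pem

# has_server_auth FILE: exit 0 when the cert carries EKU serverAuth,
# which openssl prints as "TLS Web Server Authentication".
has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# chain_ok CERT CAFILE: exit 0 when the cert verifies against the CA.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

has_server_auth agent.pem && echo "agent.pem: serverAuth present"
chain_ok agent.crt cafile.pem && echo "agent.crt: chains to cafile.pem"
# A CA certificate has no serverAuth EKU; using it as the server cert fails.
has_server_auth ca.pem || echo "ca.pem: no serverAuth (CA cert, not a server cert)"
```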