<div dir="ltr">I'll read through the documentation and see if I can fix it!<div><br></div><div>The agent.pem and the cafile.pem that I am using are working just fine on my current freeswitch build. I am certain I have the server cert, the dates/times are valid still, and the files have the correct permissions. In the latest head they no longer work. Since the ones generated by the script do work, I was hoping someone knew that there is now a required field that I should be adding. The fields that I listed I thought were all optional, but I'll look through the documentation and try again.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 29, 2014 at 11:01 AM, Brian West <span dir="ltr"><<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It sounds like you used the CA cert as your certificate instead of creating one.<div><br></div><div>I would highly recommend you read this:</div>
<div><br></div><div><a href="https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw" target="_blank">https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw</a><br>
</div><div><br></div><div>gen_tls should work also, but I had to do these steps last week as everyone kept reporting that they couldn't use their self signed certs, So I did a little how to on setting up a CA from scratch that would work.</div>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 29, 2014 at 8:36 AM, sangdrax8 <span dir="ltr"><<a href="mailto:sangdrax8@gmail.com" target="_blank">sangdrax8@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am not sure I follow, if you could elaborate any more? I was following <a href="https://wiki.freeswitch.org/wiki/SIP_TLS#Configuration" target="_blank">https://wiki.freeswitch.org/wiki/SIP_TLS#Configuration</a> and using the provided gentls_cert script. I believe this creates a CA (if one wasn't already created) and then generate and signs certificates. Finally it outputs eveything needed into the agent.pem and cafile.pem files. Since these work, I assume these are the correct type of cert? (Not positive where WSS comes into play).<div>
<br></div><div>My only issue is when I use my existing certificates that I am using on my current freeswitch, I do not get a certificate passed to the client. Looking at sofia status shows the profile started with (TLS) after it. If I just swap out my certs for the ones the script generated, and restart, everything works again. So I assume there is some requirement that has changed for certs, but I can't figure out what it is wanting. </div>
<div><br></div><div>Using the script for my test/dev works just fine, but when I go to replace my running machines I would like to use the existing certs. If I need to recreate them to add something to the cert, I can do that as well, but I will need to do it with the CA I have been using so I need to figure out what options I am missing (assuming that is my problem).</div>
</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 28, 2014 at 5:23 PM, Brian West <span dir="ltr"><<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The one generated for DTLS isn't the same one you would setup for your WSS connectivity.</div><div class="gmail_extra">
<br><br><div class="gmail_quote"><div><div>On Mon, Jul 28, 2014 at 2:10 PM, sangdrax8 <span dir="ltr"><<a href="mailto:sangdrax8@gmail.com" target="_blank">sangdrax8@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">I can get my latest freeswitch to run TLS profiles if I use the provided scripts to genenrate the CA and the server certs, but not with my own certs. The TLS profile does start with my cert, but when I connect, it does not provide a cert to the client. <div>
<br></div><div>The only differences I can see in the server cert are the following fields:</div><div><br></div><div><div>X509v3 Authority Key Identifier: </div><div> DirName:/CN=FreeSWITCH CA/O=FreeSWITCH</div><div> serial:91:F9:22:5D:22:38:6B:09</div>
<div><br></div><div>X509v3 Subject Alternative Name: </div><div> DNS:<a href="http://test.freeswitch.org" target="_blank">test.freeswitch.org</a></div><div>Netscape Cert Type: </div><div> SSL Server</div><div>X509v3 Extended Key Usage: </div>
<div> TLS Web Server Authentication</div></div><div><br></div><div><br></div><div>As I understand it, the Netscape and Usage designations are not used by freeswitch at this time. So I wouldn't expect them to cause an issue, unless this has changed since the documentation was written.</div>
<div><br></div><div>I have the x509v3 Authority Key Identifier, with a keyid field, but I don't have these other two fields which the script puts. Are these required?</div><div><br></div><div>I also do not have a Alt name defined in my cert, but I wouldn't have thought this would be a required field either.</div>
<div><br></div><div>I can't find anything else that appears different to me. If someone can clarify what is required for Freeswitch to use a cert, it would be greatly appreciated!</div><div><br></div><div><br></div>
<div>
<br></div></div>
<br></div></div>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">
<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p>
<p><font size="1" face="courier new, monospace"><img src="http://bkw.org/whmcslogo.png"><br></font></p><p><font face="courier new, monospace"><b><i>Twitter: @FreeSWITCH , @briankwest</i></b><br><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a><br>
<a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a></font></p>
<p><font face="courier new, monospace"><b>T:</b><a href="tel:%2B19184209001" value="+19184209001" target="_blank">+19184209001</a> | <b>F:</b><a href="tel:%2B19184209002" value="+19184209002" target="_blank">+19184209002</a> | <b>M:</b>+1918424WEST (9378)<br>
<b>iNUM:</b><a href="tel:%2B883%205100%201420%209001" value="+883510014209001" target="_blank">+883 5100 1420 9001</a> | <b>ISN:</b>410*543 | <b>Skype:</b>briankwest</font></p></div>
</div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div>
</div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">
<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p>
<p><font size="1" face="courier new, monospace"><img src="http://bkw.org/whmcslogo.png"><br></font></p><p><font face="courier new, monospace"><b><i>Twitter: @FreeSWITCH , @briankwest</i></b><br><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a><br>
<a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a></font></p>
<p><font face="courier new, monospace"><b>T:</b><a href="tel:%2B19184209001" value="+19184209001" target="_blank">+19184209001</a> | <b>F:</b><a href="tel:%2B19184209002" value="+19184209002" target="_blank">+19184209002</a> | <b>M:</b>+1918424WEST (9378)<br>
<b>iNUM:</b><a href="tel:%2B883%205100%201420%209001" value="+883510014209001" target="_blank">+883 5100 1420 9001</a> | <b>ISN:</b>410*543 | <b>Skype:</b>briankwest</font></p></div>
</div>
</div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div>