<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.4.4">
</HEAD>
<BODY>
Just found out the reason for my troubles! It was not a certificate issue.<BR>
<BR>
The latest Google Chrome (36) installed in Debian wheezy/stable does not support TLS 1.2 because it requires libnss &gt;3.15 (wheezy has 3.14). Unfortunately FreeSWITCH requires TLS 1.2 for WSS connections.<BR>
<BR>
Any way to authorize TLS 1.1 or is it too insecure for web sockets?<BR>
<BR>
---<BR>
<BR>
A workaround in Debian wheezy would be to install a recent Firefox that supports TLS 1.2. Keep in mind that mod_verto stopped working since Firefox 31 (see FS-6708), but older versions should work fine!<BR>
<BR>
Fran&#231;ois<BR>
On Tue, 2014-08-05 at 16:51 +0200, Fran&#231;ois Delawarde wrote:<BR>
<BLOCKQUOTE TYPE=CITE>
    Doing these exact steps doesn't seem to work for me, but WS sockets work perfectly so using that for now instead of WSS!<BR>
    <BR>
    Actually it might not even be a certificate issue, FS tells me:<BR>
    <BR>
    2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.<BR>
    2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.<BR>
    2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED<BR>
    2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.<BR>
    2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended<BR>
    <BR>
    Which doesn't necessarily point to a TLS issue!<BR>
    <BR>
    Is importing the CA certificate in the client a necessary step to make it work with Chrome?<BR>
    <BR>
    <TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
Fran&#231;ois<BR>
<BR>
<BR>
</TD>
</TR>
</TABLE>
    On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote: <BR>
    <BLOCKQUOTE TYPE=CITE>
        I've corrected the how-to and put it in tree:<BR>
        <BR>
        <BR>
        <A HREF="https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw">https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw</A><BR>
        <BR>
        <BR>
        <BR>
        Importing the ca.crt into your system keychain for it to be trusted is left to the end user to figure out. &nbsp;If you can't do that step then you'll kinda be SOL, I know on my Mac I just open ca.crt and it does the import for me... Windows I suspect is similar as for Linux NO CLUE.<BR>
        <BR>
        <BR>
        On Fri, Jul 25, 2014 at 1:53 PM, William King &lt;<A HREF="mailto:william.king@quentustech.com">william.king@quentustech.com</A>&gt; wrote:<BR>
        <BLOCKQUOTE>
            One correction inline, and did you have any luck getting chrome to work<BR>
            with the custom CA?<BR>
            <BR>
            William King<BR>
            Senior Engineer<BR>
            Quentus Technologies, INC<BR>
            1037 NE 65th St Suite 273<BR>
            Seattle, WA 98115<BR>
            Main: &nbsp; <A HREF="tel:%28877%29%20211-9337">(877) 211-9337</A><BR>
            Office: <A HREF="tel:%28206%29%20388-4772">(206) 388-4772</A><BR>
            Cell: &nbsp; <A HREF="tel:%28253%29%20686-5518">(253) 686-5518</A><BR>
            <A HREF="mailto:william.king@quentustech.com">william.king@quentustech.com</A> <BR>
            <BR>
            On 07/25/2014 08:12 AM, Brian West wrote:<BR>
            &gt; Someone should probably turn this into a nice how-to:<BR>
            &gt;<BR>
            &gt; Here is how I did it.<BR>
            &gt;<BR>
            &gt; wget <A HREF="http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz">http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz</A><BR>
            &gt; tar zxfv ssl.ca-0.1.tar.gz<BR>
            &gt; cd ssl.ca-0.1/<BR>
            &gt; perl -i -pe 's/md5/sha1/g' *.sh<BR>
            &gt; perl -i -pe 's/2048/2048/g' *.sh<BR>
            <BR>
            This is a noop. I assume it was supposed to be /2048/4096/ or /1024/2048/<BR>
            &gt; ./new-root-ca.sh<BR>
            &gt; ./new-server-cert.sh self.bkw.org<BR>
            &gt; ./sign-server-cert.sh self.bkw.org<BR>
            &gt; cat self.bkw.org.crt self.bkw.org.key &gt; /usr/local/freeswitch/certs/wss.pem<BR>
            &gt;<BR>
            &gt; Setup Apache:<BR>
            &gt;<BR>
            &gt; default-ssl:<BR>
            &gt;<BR>
            &gt; SSLCertificateFile &nbsp; &nbsp;/usr/local/freeswitch/certs/wss.pem<BR>
            &gt; SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem<BR>
            &gt; SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem<BR>
            &gt;<BR>
            &gt; Setup Sofia TLS:<BR>
            &gt;<BR>
            &gt; cat self.bkw.org.crt self.bkw.org.key &gt; /usr/local/freeswitch/certs/agent.pem<BR>
            &gt; cat ca.crt &gt; /usr/local/freeswitch/certs/cafile.pem<BR>
            &gt;<BR>
            &gt; vars.xml:<BR>
            &gt;<BR>
            &gt; &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;internal_ssl_enable=true&quot;/&gt;<BR>
            &gt; &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;external_ssl_enable=true&quot;/&gt;<BR>
            &gt;<BR>
            &gt; Restart FreeSWITCH.<BR>
            &gt;<BR>
            &gt; Now make sure your system has ca.crt imported so it will trust your new<BR>
            &gt; found hotness.<BR>
            &gt;<BR>
            &gt; TEST:<BR>
            &gt;<BR>
            &gt; openssl s_client -connect self.bkw.org:443<BR>
            &gt; openssl s_client -connect self.bkw.org:8082<BR>
            &gt;<BR>
            &gt;<BR>
            &gt; Depending on what you've setup you'll see:<BR>
            &gt;<BR>
            &gt; subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian@bkw.org<BR>
            &gt;<BR>
            &gt; issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian@bkw.org<BR>
            &gt;<BR>
            &gt; Or there abouts.<BR>
            &gt;<BR>
            &gt; --<BR>
            &gt;<BR>
            &gt; */Brian West/*<BR>
            &gt; <A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A> &lt;mailto:<A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A>&gt;<BR>
            &gt;<BR>
            &gt;<BR>
            &gt; */Twitter: @FreeSWITCH , @briankwest/*<BR>
            &gt; <A HREF="http://www.freeswitchbook.com">http://www.freeswitchbook.com</A><BR>
            &gt; <A HREF="http://www.freeswitchcookbook.com">http://www.freeswitchcookbook.com</A><BR>
            &gt;<BR>
            &gt; *T:*<A HREF="tel:%2B19184209001">+19184209001</A> | *F:*<A HREF="tel:%2B19184209002">+19184209002</A> | *M:*+1918424WEST (9378)<BR>
            &gt; *iNUM:*<A HREF="tel:%2B883%205100%201420%209001">+883 5100 1420 9001</A> | *ISN:*410*543 | *Skype:*briankwest<BR>
            &gt;<BR>
            &gt;<BR>
            &gt;<BR>
            &gt; _________________________________________________________________________<BR>
            &gt; Professional FreeSWITCH Consulting Services:<BR>
            &gt; <A HREF="mailto:consulting@freeswitch.org">consulting@freeswitch.org</A><BR>
            &gt; <A HREF="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</A><BR>
            &gt;<BR>
            &gt; FreeSWITCH-powered IP PBX: The CudaTel Communication Server<BR>
            &gt; <A HREF="http://www.cudatel.com">http://www.cudatel.com</A><BR>
            &gt;<BR>
            &gt; Official FreeSWITCH Sites<BR>
            &gt; <A HREF="http://www.freeswitch.org">http://www.freeswitch.org</A><BR>
            &gt; <A HREF="http://wiki.freeswitch.org">http://wiki.freeswitch.org</A><BR>
            &gt; <A HREF="http://www.cluecon.com">http://www.cluecon.com</A><BR>
            &gt;<BR>
            &gt; FreeSWITCH-users mailing list<BR>
            &gt; <A HREF="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</A><BR>
            &gt; <A HREF="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</A><BR>
            &gt; UNSUBSCRIBE:<A HREF="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</A><BR>
            &gt; <A HREF="http://www.freeswitch.org">http://www.freeswitch.org</A><BR>
            &gt;<BR>
            <BR>
        </BLOCKQUOTE>
        <BR>
        <BR>
        <BR>
        <BR>
        -- <BR>
        <B><I><FONT SIZE="4">Brian West</FONT></I></B><BR>
        <A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A><BR>
        <BR>
    </BLOCKQUOTE>
</BLOCKQUOTE>
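An added example, not part of the original thread: the thread mixes two separate failure causes for WSS, the protocol version the client can offer and whether the client trusts the CA. This sketch classifies <CODE>openssl s_client</CODE> output so the two can be told apart. The function names and the sample transcripts are constructed for illustration; <CODE>self.bkw.org:8082</CODE> is the endpoint used in the quoted how-to.

```shell
#!/bin/sh
# Added example (not from the thread). Sample transcripts below are constructed.

# classify_handshake: read `openssl s_client` output on stdin and report
# whether a handshake completed, the negotiated protocol, and the chain
# verification result (trust is a separate question from protocol version).
classify_handshake() {
  awk '
    /Cipher is /          { cipher = $NF }   # "New, <proto>, Cipher is <name>"
    /^ *Protocol *:/      { proto = $NF }    # from the SSL-Session block
    /Verify return code:/ { sub(/^.*Verify return code: */, ""); verify = $0 }
    END {
      if (cipher == "" || cipher == "(NONE)") { print "handshake=failed"; exit }
      printf "handshake=ok protocol=%s verify=%s\n", proto, verify
    }'
}

# probe_versions HOST:PORT [CAFILE]: offer exactly one protocol version per
# attempt, so a version mismatch shows up as a failed handshake.
# Example: probe_versions self.bkw.org:8082 ca.crt
probe_versions() {
  for v in tls1_1 tls1_2; do
    printf '%s: ' "$v"
    openssl s_client -connect "$1" "-$v" ${2:+-CAfile "$2"} </dev/null 2>/dev/null |
      classify_handshake
  done
}

# Constructed transcript: TLS 1.2 accepted, CA not yet imported on the client.
SAMPLE_TLS12_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)'

# Constructed transcript: client offered only TLS 1.1 and the server refused.
SAMPLE_TLS11_REFUSED='no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_TLS12_OK"     | classify_handshake
printf '%s\n' "$SAMPLE_TLS11_REFUSED" | classify_handshake
```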
</BODY>
</HTML>