<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/4.4.4">
</HEAD>
<BODY>
Just found out the reason for my troubles! It was not a certificate issue.<BR>
<BR>
The latest Google Chrome (36) installed in Debian wheezy/stable does not support TLS 1.2 because it requires libnss >3.15 (wheezy has 3.14). Unfortunately FreeSWITCH requires TLS 1.2 for WSS connections.<BR>
<BR>
Any way to authorize TLS 1.1 or is it too insecure for web sockets?<BR>
<BR>
---<BR>
<BR>
A workaround in Debian wheezy would be to install a recent Firefox that supports TLS 1.2. Keep in mind that mod_verto stopped working since Firefox 31 (see FS-6708), but older versions should work fine!<BR>
<BR>
François<BR>
On Tue, 2014-08-05 at 16:51 +0200, François Delawarde wrote:<BR>
<BLOCKQUOTE TYPE=CITE>
Doing these exact steps doesn't seem to work for me, but WS sockets work perfectly so using that for now instead of WSS!<BR>
<BR>
Actually it might not even be a certificate issue, FS tells me:<BR>
<BR>
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.<BR>
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.<BR>
2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED<BR>
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.<BR>
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended<BR>
<BR>
Which doesn't necessarily point to a TLS issue!<BR>
<BR>
Is importing the CA certificate in the client a necessary step to make it work with Chrome?<BR>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
François<BR>
<BR>
<BR>
</TD>
</TR>
</TABLE>
On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote: <BR>
<BLOCKQUOTE TYPE=CITE>
I've corrected the how-to and put it in tree:<BR>
<BR>
<BR>
<A HREF="https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw">https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw</A><BR>
<BR>
<BR>
<BR>
Importing the ca.crt into your system keychain for it to be trusted is left to the end user to figure out. If you can't do that step then you'll kinda be SOL. I know on my Mac I just open ca.crt and it does the import for me... Windows I suspect is similar; as for Linux, NO CLUE.<BR>
<BR>
<BR>
On Fri, Jul 25, 2014 at 1:53 PM, William King <<A HREF="mailto:william.king@quentustech.com">william.king@quentustech.com</A>> wrote:<BR>
<BLOCKQUOTE>
One correction inline, and did you have any luck getting chrome to work<BR>
with the custom CA?<BR>
<BR>
William King<BR>
Senior Engineer<BR>
Quentus Technologies, INC<BR>
1037 NE 65th St Suite 273<BR>
Seattle, WA 98115<BR>
Main: <A HREF="tel:%28877%29%20211-9337">(877) 211-9337</A><BR>
Office: <A HREF="tel:%28206%29%20388-4772">(206) 388-4772</A><BR>
Cell: <A HREF="tel:%28253%29%20686-5518">(253) 686-5518</A><BR>
<A HREF="mailto:william.king@quentustech.com">william.king@quentustech.com</A> <BR>
<BR>
On 07/25/2014 08:12 AM, Brian West wrote:<BR>
> Someone should probably turn this into a nice how-to:<BR>
><BR>
> Here is how I did it.<BR>
><BR>
> wget <A HREF="http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz">http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz</A><BR>
> tar zxfv ssl.ca-0.1.tar.gz<BR>
> cd ssl.ca-0.1/<BR>
> perl -i -pe 's/md5/sha1/g' *.sh<BR>
> perl -i -pe 's/2048/2048/g' *.sh<BR>
<BR>
This is a noop. I assume it was supposed to be /2048/4096/ or /1024/2048/<BR>
> ./new-root-ca.sh<BR>
> ./new-server-cert.sh self.bkw.org<BR>
> ./sign-server-cert.sh self.bkw.org<BR>
> cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/wss.pem<BR>
><BR>
> Setup Apache:<BR>
><BR>
> default-ssl:<BR>
><BR>
> SSLCertificateFile /usr/local/freeswitch/certs/wss.pem<BR>
> SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem<BR>
> SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem<BR>
><BR>
> Setup Sofia TLS:<BR>
><BR>
> cat self.bkw.org.crt self.bkw.org.key ><BR>
> /usr/local/freeswitch/certs/agent.pem<BR>
> cat ca.crt > /usr/local/freeswitch/certs/cafile.pem<BR>
><BR>
> vars.xml:<BR>
><BR>
> &lt;X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/&gt;<BR>
> &lt;X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/&gt;<BR>
><BR>
> Restart FreeSWITCH.<BR>
><BR>
> Now make sure your system has ca.crt imported so it will trust your new<BR>
> found hotness.<BR>
><BR>
> TEST:<BR>
><BR>
> openssl s_client -connect self.bkw.org:443<BR>
> openssl s_client -connect self.bkw.org:8082<BR>
><BR>
><BR>
> Depending on what you've setup you'll see:<BR>
><BR>
> subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian@bkw.org<BR>
><BR>
> issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian@bkw.org<BR>
><BR>
> Or thereabouts.<BR>
><BR>
> --<BR>
><BR>
> */Brian West/*<BR>
> <A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A><BR>
><BR>
><BR>
> */Twitter: @FreeSWITCH , @briankwest/*<BR>
> <A HREF="http://www.freeswitchbook.com">http://www.freeswitchbook.com</A><BR>
> <A HREF="http://www.freeswitchcookbook.com">http://www.freeswitchcookbook.com</A><BR>
><BR>
> *T:*<A HREF="tel:%2B19184209001">+19184209001</A> | *F:*<A HREF="tel:%2B19184209002">+19184209002</A> | *M:*+1918424WEST (9378)<BR>
> *iNUM:*<A HREF="tel:%2B883%205100%201420%209001">+883 5100 1420 9001</A> | *ISN:*410*543 | *Skype:*briankwest<BR>
><BR>
><BR>
><BR>
> _________________________________________________________________________<BR>
> Professional FreeSWITCH Consulting Services:<BR>
> <A HREF="mailto:consulting@freeswitch.org">consulting@freeswitch.org</A><BR>
> <A HREF="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</A><BR>
><BR>
> FreeSWITCH-powered IP PBX: The CudaTel Communication Server<BR>
> <A HREF="http://www.cudatel.com">http://www.cudatel.com</A><BR>
><BR>
> Official FreeSWITCH Sites<BR>
> <A HREF="http://www.freeswitch.org">http://www.freeswitch.org</A><BR>
> <A HREF="http://wiki.freeswitch.org">http://wiki.freeswitch.org</A><BR>
> <A HREF="http://www.cluecon.com">http://www.cluecon.com</A><BR>
><BR>
> FreeSWITCH-users mailing list<BR>
> <A HREF="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</A><BR>
> <A HREF="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</A><BR>
> UNSUBSCRIBE:<A HREF="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</A><BR>
> <A HREF="http://www.freeswitch.org">http://www.freeswitch.org</A><BR>
><BR>
<BR>
</BLOCKQUOTE>
<BR>
<BR>
<BR>
<BR>
-- <BR>
<B><I><FONT SIZE="4">Brian West</FONT></I></B><BR>
<A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A><BR>
<BR>
<BR>
<B><I>Twitter: @FreeSWITCH , @briankwest</I></B><BR>
<A HREF="http://www.freeswitchbook.com">http://www.freeswitchbook.com</A><BR>
<A HREF="http://www.freeswitchcookbook.com">http://www.freeswitchcookbook.com</A><BR>
<BR>
<B>T:</B>+19184209001 | <B>F:</B>+19184209002 | <B>M:</B>+1918424WEST (9378)<BR>
<B>iNUM:</B>+883 5100 1420 9001 | <B>ISN:</B>410*543 | <B>Skype:</B>briankwest<BR>
<BR>
<BR>
</BLOCKQUOTE>
</BLOCKQUOTE>
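<BR>
The mod_verto log in this thread reports only "WS SETUP FAILED", which does not say which protocol version the browser offered. As an added example (not part of the original thread and not FreeSWITCH code), the following parses one captured ClientHello record and compares the highest version the client offers with the TLS 1.2 minimum stated above. The helper <code>build_client_hello</code> is hypothetical and only constructs sample input; the parser assumes the ClientHello fits in a single TLS record.<BR>

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_max_version(record: bytes) -> int:
    """Highest protocol version offered in one raw ClientHello record."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    try:
        best = struct.unpack_from("!H", record, 9)[0]        # legacy client_version
        pos = 11 + 32                                        # skip the 32-byte random
        pos += 1 + record[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                               # compression_methods
        if pos + 2 > len(record):
            return best                                      # no extensions block
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            body = record[pos + 4:pos + 4 + ext_len]
            if ext_type == 43:                               # supported_versions
                offered = [struct.unpack_from("!H", body, i)[0]
                           for i in range(1, 1 + body[0], 2)]
                best = max([v for v in offered if v in TLS_VERSIONS] + [best])
            pos += 4 + ext_len
        return best
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def build_client_hello(version: int, supported=()) -> bytes:
    """Constructed sample input (hypothetical helper): a minimal ClientHello."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, no session_id
    body += struct.pack("!HH", 2, 0x002F) + b"\x01\x00"      # one cipher suite, null compression
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake header
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs

def diagnose(record: bytes, server_min: int = 0x0303) -> str:
    """Compare the client's best offer with the server's minimum version."""
    best = client_max_version(record)
    name = TLS_VERSIONS.get(best, hex(best))
    if best < server_min:
        return f"client tops out at {name}, server requires {TLS_VERSIONS[server_min]}: handshake will fail"
    return f"client offers {name}; protocol version is not the cause"
```

Feed <code>diagnose</code> the first bytes the client sends on the WSS port, for example from a packet capture taken on the server.<BR>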
</BODY>
</HTML>