<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.4.4">
</HEAD>
<BODY>
I was of course talking about WSS. The issue is that not all browsers support TLS 1.2 (required by FreeSWITCH), see explanation below!<BR>
<BR>
Fran&#231;ois.<BR>
<BR>
<BR>
On Wed, 2014-08-06 at 07:12 -0500, Brian West wrote:
<BLOCKQUOTE TYPE=CITE>
    TLS shouldn't be required for non secure WS transport. &nbsp;This sounds like a browser issue to me.
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    On Wed, Aug 6, 2014 at 5:37 AM, Fran&#231;ois Delawarde &lt;<A HREF="mailto:fdelawarde@wirelessmundi.com">fdelawarde@wirelessmundi.com</A>&gt; wrote:
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    <BLOCKQUOTE>
        Just found out the reason for my troubles! It was not a certificate issue.<BR>
        <BR>
        The latest Google Chrome (36) installed in Debian wheezy/stable does not support TLS 1.2 because it requires libnss &gt;3.15 (wheezy has 3.14). Unfortunately FreeSWITCH requires TLS 1.2 for WSS connections.<BR>
        <BR>
        Any way to authorize TLS 1.1 or is it too insecure for web sockets?<BR>
        <BR>
        ---<BR>
        <BR>
        A workaround in Debian wheezy would be to install a recent Firefox that supports TLS 1.2. Keep in mind that mod_verto stopped working since Firefox 31 (see FS-6708), but older versions should work fine!<BR>
        <BR>
        <FONT COLOR="#888888">Fran&#231;ois</FONT>
    </BLOCKQUOTE>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    <BLOCKQUOTE>
        On Tue, 2014-08-05 at 16:51 +0200, Fran&#231;ois Delawarde wrote:<BR>
        <BLOCKQUOTE TYPE=CITE>
            Doing these exact steps doesn't seem to work for me, but WS sockets work perfectly so using that for now instead of WSS!<BR>
            <BR>
            Actually it might not even be a certificate issue, FS tells me:<BR>
            <BR>
            2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.<BR>
            2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.<BR>
            2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED<BR>
            2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.<BR>
            2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended<BR>
            <BR>
            Which doesn't necessarily point to a TLS issue!<BR>
            <BR>
            Is importing the CA certificate in the client a necessary step to make it work with Chrome?<BR>
            <BR>
            <TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
Fran&#231;ois<BR>
<BR>
<BR>
<BR>
</TD>
</TR>
</TABLE>
            On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote: <BR>
            <BLOCKQUOTE TYPE=CITE>
                I've corrected the how-to and put it in tree:<BR>
                <BR>
                <BR>
                <A HREF="https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw">https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw</A><BR>
                <BR>
                <BR>
                <BR>
                Importing the ca.crt into your system keychain for it to be trusted is left to the end user to figure out. &nbsp;If you can't do that step then you'll kinda be SOL, I know on my Mac I just open ca.crt and it does the import for me... Windows I suspect is similar as for Linux NO CLUE.<BR>
                <BR>
                <BR>
                On Fri, Jul 25, 2014 at 1:53 PM, William King &lt;<A HREF="mailto:william.king@quentustech.com">william.king@quentustech.com</A>&gt; wrote:<BR>
                <BLOCKQUOTE>
                    One correction inline, and did you have any luck getting chrome to work<BR>
                    with the custom CA?<BR>
                    <BR>
                    William King<BR>
                    Senior Engineer<BR>
                    Quentus Technologies, INC<BR>
                    1037 NE 65th St Suite 273<BR>
                    Seattle, WA 98115<BR>
                    Main: &nbsp; <A HREF="tel:%28877%29%20211-9337">(877) 211-9337</A><BR>
                    Office: <A HREF="tel:%28206%29%20388-4772">(206) 388-4772</A><BR>
                    Cell: &nbsp; <A HREF="tel:%28253%29%20686-5518">(253) 686-5518</A><BR>
                    <A HREF="mailto:william.king@quentustech.com">william.king@quentustech.com</A> <BR>
                    <BR>
                    On 07/25/2014 08:12 AM, Brian West wrote:<BR>
                    &gt; Someone should probably turn this into a nice how-to:<BR>
                    &gt;<BR>
                    &gt; Here is how I did it.<BR>
                    &gt;<BR>
                    &gt; wget <A HREF="http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz">http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz</A><BR>
                    &gt; tar zxfv ssl.ca-0.1.tar.gz<BR>
                    &gt; cd ssl.ca-0.1/<BR>
                    &gt; perl -i -pe 's/md5/sha1/g' *.sh<BR>
                    &gt; perl -i -pe 's/2048/2048/g' *.sh<BR>
                    <BR>
                    This is a no-op. I assume it was supposed to be /2048/4096/ or /1024/2048/<BR>
                    &gt; ./new-root-ca.sh<BR>
                    &gt; ./new-server-cert.sh self.bkw.org<BR>
                    &gt; ./sign-server-cert.sh self.bkw.org<BR>
                    &gt; cat self.bkw.org.crt self.bkw.org.key &gt; /usr/local/freeswitch/certs/wss.pem<BR>
                    &gt;<BR>
                    &gt; Setup Apache:<BR>
                    &gt;<BR>
                    &gt; default-ssl:<BR>
                    &gt;<BR>
                    &gt; SSLCertificateFile &nbsp; &nbsp;/usr/local/freeswitch/certs/wss.pem<BR>
                    &gt; SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem<BR>
                    &gt; SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem<BR>
                    &gt;<BR>
                    &gt; Setup Sofia TLS:<BR>
                    &gt;<BR>
                    &gt; cat self.bkw.org.crt self.bkw.org.key &gt; /usr/local/freeswitch/certs/agent.pem<BR>
                    &gt; cat ca.crt &gt; /usr/local/freeswitch/certs/cafile.pem<BR>
                    &gt;<BR>
                    &gt; vars.xml:<BR>
                    &gt;<BR>
                    &gt; &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;internal_ssl_enable=true&quot;/&gt;<BR>
                    &gt; &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;external_ssl_enable=true&quot;/&gt;<BR>
                    &gt;<BR>
                    &gt; Restart FreeSWITCH.<BR>
                    &gt;<BR>
                    &gt; Now make sure your system has ca.crt imported so it will trust your new<BR>
                    &gt; found hotness.<BR>
                    &gt;<BR>
                    &gt; TEST:<BR>
                    &gt;<BR>
                    &gt; openssl s_client -connect self.bkw.org:443<BR>
                    &gt; openssl s_client -connect self.bkw.org:8082<BR>
                    &gt;<BR>
                    &gt;<BR>
                    &gt; Depending on what you've setup you'll see:<BR>
                    &gt;<BR>
                    &gt; subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian@bkw.org<BR>
                    &gt;<BR>
                    &gt; issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian@bkw.org<BR>
                    &gt;<BR>
                    &gt; Or there abouts.<BR>
                    &gt;<BR>
                    &gt; --<BR>
                    &gt;<BR>
                    &gt; */Brian West/*<BR>
                    &gt; <A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A> &lt;mailto:<A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A>&gt;<BR>
                    &gt;<BR>
                    &gt;<BR>
                    &gt; */Twitter: @FreeSWITCH , @briankwest/*<BR>
                    &gt; <A HREF="http://www.freeswitchbook.com">http://www.freeswitchbook.com</A><BR>
                    &gt; <A HREF="http://www.freeswitchcookbook.com">http://www.freeswitchcookbook.com</A><BR>
                    &gt;<BR>
                    &gt; *T:*<A HREF="tel:%2B19184209001">+19184209001</A> | *F:*<A HREF="tel:%2B19184209002">+19184209002</A> | *M:*+1918424WEST (9378)<BR>
                    &gt; *iNUM:*<A HREF="tel:%2B883%205100%201420%209001">+883 5100 1420 9001</A> | *ISN:*410*543 | *Skype:*briankwest<BR>
                    &gt;<BR>
                    &gt;<BR>
                    &gt;<BR>
                    &gt; _________________________________________________________________________<BR>
                    &gt; Professional FreeSWITCH Consulting Services:<BR>
                    &gt; <A HREF="mailto:consulting@freeswitch.org">consulting@freeswitch.org</A><BR>
                    &gt; <A HREF="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</A><BR>
                    &gt;<BR>
                    &gt; FreeSWITCH-powered IP PBX: The CudaTel Communication Server<BR>
                    &gt; <A HREF="http://www.cudatel.com">http://www.cudatel.com</A><BR>
                    &gt;<BR>
                    &gt; Official FreeSWITCH Sites<BR>
                    &gt; <A HREF="http://www.freeswitch.org">http://www.freeswitch.org</A><BR>
                    &gt; <A HREF="http://wiki.freeswitch.org">http://wiki.freeswitch.org</A><BR>
                    &gt; <A HREF="http://www.cluecon.com">http://www.cluecon.com</A><BR>
                    &gt;<BR>
                    &gt; FreeSWITCH-users mailing list<BR>
                    &gt; <A HREF="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</A><BR>
                    &gt; <A HREF="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</A><BR>
                    &gt; UNSUBSCRIBE:<A HREF="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</A><BR>
                    &gt; <A HREF="http://www.freeswitch.org">http://www.freeswitch.org</A><BR>
                    &gt;<BR>
                </BLOCKQUOTE>
                <BR>
                <BR>
                <BR>
                <BR>
                -- <BR>
                <B><I><FONT SIZE="4">Brian West</FONT></I></B><BR>
                <A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A><BR>
                <BR>
                <B><I>Twitter: @FreeSWITCH , @briankwest</I></B><BR>
                <A HREF="http://www.freeswitchbook.com">http://www.freeswitchbook.com</A><BR>
                <A HREF="http://www.freeswitchcookbook.com">http://www.freeswitchcookbook.com</A><BR>
                <BR>
                <B>T:</B><A HREF="tel:%2B19184209001">+19184209001</A> | <B>F:</B><A HREF="tel:%2B19184209002">+19184209002</A> | <B>M:</B>+1918424WEST (9378)<BR>
                <B>iNUM:</B><A HREF="tel:%2B883%205100%201420%209001">+883 5100 1420 9001</A> |&nbsp;<B>ISN:</B>410*543 |&nbsp;<B>Skype:</B>briankwest<BR>
                <BR>
                <BR>
            </BLOCKQUOTE>
        </BLOCKQUOTE>
    </BLOCKQUOTE>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    -- 
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    <B><I><FONT SIZE="4">Brian West</FONT></I></B><BR>
    <A HREF="mailto:brian@freeswitch.org">brian@freeswitch.org</A><BR>
    <BR>
    <B><I>Twitter: @FreeSWITCH , @briankwest</I></B><BR>
    <A HREF="http://www.freeswitchbook.com">http://www.freeswitchbook.com</A><BR>
    <A HREF="http://www.freeswitchcookbook.com">http://www.freeswitchcookbook.com</A><BR>
    <BR>
    <B>T:</B>+19184209001 | <B>F:</B>+19184209002 | <B>M:</B>+1918424WEST (9378)<BR>
    <B>iNUM:</B>+883 5100 1420 9001 |&nbsp;<B>ISN:</B>410*543 |&nbsp;<B>Skype:</B>briankwest<BR>
    <BR>
    <BR>
</BLOCKQUOTE>
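The two failure causes discussed in this thread (an untrusted CA versus no common TLS version) can be told apart from the output of the `openssl s_client` test step. The following is an added example, not part of the original messages: the function names `classify_s_client` and `probe_versions` are hypothetical, and the sample transcripts are constructed in the style of s_client output.

```shell
#!/bin/sh
# Added example, not from the thread. Transcripts below are constructed in the
# style of `openssl s_client` output.

# classify_s_client: read an s_client transcript on stdin and print one of
#   version-mismatch | untrusted-cert:<code> | ok:<protocol> | unknown
classify_s_client() {
    awk '
        # Alerts/errors that mean the peers share no protocol version.
        /alert protocol version|wrong version number|unsupported protocol/ { mismatch = 1 }
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /Verify return code:/ {
            code = $0
            sub(/.*Verify return code:[ \t]*/, "", code)
            sub(/[ \t].*/, "", code)
        }
        END {
            # Check the alert first: a failed handshake can still print a
            # session block ending in "Verify return code: 0 (ok)".
            if (mismatch)                            print "version-mismatch"
            else if (code != "" && code != "0")      print "untrusted-cert:" code
            else if (code == "0" && proto != "")     print "ok:" proto
            else                                     print "unknown"
        }'
}

# probe_versions HOST:PORT [CAFILE]: one handshake per protocol flag (needs network).
probe_versions() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        result=$(true | openssl s_client -connect "$1" "$flag" \
                     ${2:+-CAfile "$2"} 2>&1 | classify_s_client)
        printf '%s %s\n' "$flag" "$result"
    done
}

# Constructed sample transcripts (not captured from a real server).
sample_tls11_refused() {
    printf '%s\n' 'CONNECTED(00000003)' \
        '1407:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1275:SSL alert number 70' \
        'New, (NONE), Cipher is (NONE)' 'SSL-Session:' \
        '    Protocol  : TLSv1.1' '    Verify return code: 0 (ok)'
}
sample_untrusted_ca() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'verify error:num=21:unable to verify the first certificate' \
        'SSL-Session:' '    Protocol  : TLSv1.2' \
        '    Verify return code: 21 (unable to verify the first certificate)'
}
sample_ok() {
    printf '%s\n' 'CONNECTED(00000003)' 'SSL-Session:' \
        '    Protocol  : TLSv1.2' '    Verify return code: 0 (ok)'
}

for s in sample_tls11_refused sample_untrusted_ca sample_ok; do
    printf '%s -> %s\n' "$s" "$($s | classify_s_client)"
done
```

Running `probe_versions host:port ca.crt` against a live endpoint prints one classification per protocol flag; a flag the local OpenSSL build does not accept shows up as `unknown`.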
</BODY>
</HTML>