<div dir="ltr">TLS shouldn&#39;t be required for non secure WS transport.  This sounds like a browser issue to me.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 6, 2014 at 5:37 AM, François Delawarde <span dir="ltr">&lt;<a href="mailto:fdelawarde@wirelessmundi.com" target="_blank">fdelawarde@wirelessmundi.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>


  
  

<div>
Just found out the reason for my troubles! It was not a certificate issue.<br>
<br>
The latest Google Chrome (36) installed in Debian wheezy/stable does not support TLS 1.2 because it requires libnss &gt;3.15 (wheezy has 3.14). Unfortunately FreeSWITCH requires TLS 1.2 for WSS connections.<br>
<br>
Any way to authorize TLS 1.1 or is it too insecure for web sockets?<br>
<br>
---<br>
<br>
A workaround in Debian wheezy would be to install a recent Firefox that supports TLS 1.2. Keep in mind that mod_verto stopped working since Firefox 31 (see FS-6708), but older versions should work fine!<span class="HOEnZb"><font color="#888888"><br>

<br>
François</font></span><div><div class="h5"><br>
On Tue, 2014-08-05 at 16:51 +0200, François Delawarde wrote:<br>
<blockquote type="CITE">
    Doing these exact steps doesn&#39;t seem to work for me, but WS sockets work perfectly so using that for now instead of WSS!<br>
    <br>
    Actually it might not even be a certificate issue, FS tells me:<br>
    <br>
    2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.<br>
    2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.<br>
    2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED<br>
    2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.<br>
    2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended<br>
    <br>
    Which doesn&#39;t necessarily point to a TLS issue!<br>
    <br>
    Is importing the CA certificate in the client a necessary step to make it work with Chrome?<br>
    <br>
    <table cellspacing="0" cellpadding="0" width="100%">
<tbody><tr>
<td>
François<br>
<br>
<br>
</td>
</tr>
</tbody></table>
    On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote: <br>
    <blockquote type="CITE">
        I&#39;ve corrected the how-to and put it in tree:<br>
        <br>
        <br>
        <a href="https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw" target="_blank">https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw</a><br>

        <br>
        <br>
        <br>
        Importing the ca.crt into your system keychain for it to be trusted is left to the end user to figure out.  If you can&#39;t do that step then you&#39;ll kinda be SOL, I know on my Mac I just open ca.crt and it does the import for me... Windows I suspect is similar as for Linux NO CLUE.<br>

        <br>
        <br>
        On Fri, Jul 25, 2014 at 1:53 PM, William King &lt;<a href="mailto:william.king@quentustech.com" target="_blank">william.king@quentustech.com</a>&gt; wrote:<br>
        <blockquote>
            One correction inline, and did you have any luck getting chrome to work<br>
            with the custom CA?<br>
            <br>
            William King<br>
            Senior Engineer<br>
            Quentus Technologies, INC<br>
            1037 NE 65th St Suite 273<br>
            Seattle, WA 98115<br>
            Main:   <a href="tel:%28877%29%20211-9337" target="_blank">(877) 211-9337</a><br>
            Office: <a href="tel:%28206%29%20388-4772" target="_blank">(206) 388-4772</a><br>
            Cell:   <a href="tel:%28253%29%20686-5518" target="_blank">(253) 686-5518</a><br>
            <a href="mailto:william.king@quentustech.com" target="_blank">william.king@quentustech.com</a> <br>
            <br>
            On 07/25/2014 08:12 AM, Brian West wrote:<br>
            &gt; Someone should probably turn this into a nice how-to:<br>
            &gt;<br>
            &gt; Here is how I did it.<br>
            &gt;<br>
            &gt; wget <a href="http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz" target="_blank">http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz</a><br>
            &gt; tar zxfv ssl.ca-0.1.tar.gz<br>
            &gt; cd ssl.ca-0.1/<br>
            &gt; perl -i -pe &#39;s/md5/sha1/g&#39; *.sh<br>
            &gt; perl -i -pe &#39;s/2048/2048/g&#39; *.sh<br>
            <br>
            This is a noop. I assume it was supposed to be /2048/4096/ or /1024/2048/<br>
            &gt; ./new-root-ca.sh<br>
            &gt; ./new-server-cert.sh self.bkw.org<br>
            &gt; ./sign-server-cert.sh self.bkw.org<br>
            &gt; cat self.bkw.org.crt self.bkw.org.key &gt; /usr/local/freeswitch/certs/wss.pem<br>
            &gt;<br>
            &gt; Setup Apache:<br>
            &gt;<br>
            &gt; default-ssl:<br>
            &gt;<br>
            &gt; SSLCertificateFile    /usr/local/freeswitch/certs/wss.pem<br>
            &gt; SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem<br>
            &gt; SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem<br>
            &gt;<br>
            &gt; Setup Sofia TLS:<br>
            &gt;<br>
            &gt; cat self.bkw.org.crt self.bkw.org.key &gt; /usr/local/freeswitch/certs/agent.pem<br>
            &gt; cat ca.crt &gt; /usr/local/freeswitch/certs/cafile.pem<br>
            &gt;<br>
            &gt; vars.xml:<br>
            &gt;<br>
            &gt; &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;internal_ssl_enable=true&quot;/&gt;<br>
            &gt; &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;external_ssl_enable=true&quot;/&gt;<br>
            &gt;<br>
            &gt; Restart FreeSWITCH.<br>
            &gt;<br>
            &gt; Now make sure your system has ca.crt imported so it will trust your new<br>
            &gt; found hotness.<br>
            &gt;<br>
            &gt; TEST:<br>
            &gt;<br>
            <br>
            &gt; openssl s_client -connect self.bkw.org:443<br>
            &gt; openssl s_client -connect self.bkw.org:8082<br>
            &gt;<br>
            &gt;<br>
            &gt; Depending on what you&#39;ve setup you&#39;ll see:<br>
            &gt;<br>
            &gt; subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian@bkw.org<br>
            &gt;<br>
            &gt; issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian@bkw.org<br>
            &gt;<br>
            &gt; Or there abouts.<br>
            &gt;<br>
            &gt; --<br>
            &gt;<br>
            &gt; */Brian West/*<br>
            &gt; <a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a> &lt;mailto:<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>&gt;<br>
            &gt;<br>
            &gt;<br>
            &gt; */Twitter: @FreeSWITCH , @briankwest/*<br>
            &gt; <a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a><br>
            &gt; <a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a><br>
            &gt;<br>
            &gt; *T:*<a href="tel:%2B19184209001" target="_blank">+19184209001</a> | *F:*<a href="tel:%2B19184209002" target="_blank">+19184209002</a> | *M:*+1918424WEST (9378)<br>
            &gt; *iNUM:*<a href="tel:%2B883%205100%201420%209001" target="_blank">+883 5100 1420 9001</a> | *ISN:*410*543 | *Skype:*briankwest<br>
            &gt;<br>
            &gt;<br>
            &gt;<br>
            &gt; _________________________________________________________________________<br>
            &gt; Professional FreeSWITCH Consulting Services:<br>
            &gt; <a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
            &gt; <a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
            &gt;<br>
            &gt; FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
            &gt; <a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
            &gt;<br>
            &gt; Official FreeSWITCH Sites<br>
            &gt; <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
            &gt; <a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
            &gt; <a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
            &gt;<br>
            &gt; FreeSWITCH-users mailing list<br>
            &gt; <a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
            &gt; <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
            &gt; UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
            &gt; <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
            &gt;<br>
            <br>
        </blockquote>
        <br>
        <br>
        <br>
        <br>
        -- <br>
        <b><i><font size="4">Brian West</font></i></b><br>
        <a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a><br>
    </blockquote>
</blockquote>
</div></div></div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">







<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p>
</div>
</div>
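The CA procedure quoted in this thread, redone with plain openssl commands as an added example (not from the thread or the FreeSWITCH how-to, and using SHA-256 with 2048-bit RSA instead of the ssl.ca-0.1 scripts): it builds a root CA and a server certificate, assembles the combined certificate-plus-key file, and checks that the chain verifies only against the CA that signed it, which is the trust that importing ca.crt into the client establishes. The host name, output directory, function names and every file name other than ca.crt and wss.pem are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: a throwaway root CA and server certificate
# built with plain openssl commands. Host name and directory are placeholders.

make_ca_and_cert() {   # $1 = host name, $2 = output directory
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Root CA: 2048-bit RSA key, SHA-256 signature, self-signed.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -sha256 -nodes \
        -days 365 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and signing request for the host name.
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$host" -newkey rsa:2048 \
        -sha256 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" \
        2>/dev/null || return 1
    # Sign the request as a leaf certificate with a subjectAltName.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/leaf.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null || return 1
    # Certificate followed by key in one file, the layout used for wss.pem.
    ( umask 077; cat "$dir/server.crt" "$dir/server.key" > "$dir/wss.pem" )
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

chain_trusted() {      # $1 = trusted CA file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

pem_key_matches_cert() {   # $1 = combined PEM (certificate + private key)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run `make_ca_and_cert wss.example.test ./certs` and then `chain_trusted ./certs/ca.crt ./certs/server.crt`; the exit status is 0 only when the supplied CA file is the one that signed the certificate.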