<div dir="ltr"><a href="http://www.sslshopper.com/ssl-checker.html">http://www.sslshopper.com/ssl-checker.html</a><div><br></div><div>I use this to test. If your OpenSSL install doesn't have the chain certs, it can't verify the chain unless you provide it.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Aug 26, 2014 at 12:21 PM, Szeto, Steven <span dir="ltr"><<a href="mailto:steven_szeto@mitel.com" target="_blank">steven_szeto@mitel.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I have also had issues with using third-party certs with FreeSWITCH. If I generate my own certs and use them with an FSClient, I can get the FSClient to register via TLS to my FreeSWITCH server.<div>
<br></div>
<div>However, I was unable to install the generated certs into my SIP phones and get them to register with my FreeSWITCH server. I think there is a bit of work required here to get FreeSWITCH to be a bit more flexible in its TLS registration protocol.</div>
<div><br></div><div>Ideally, we should also be able to install multiple root certificates for various phones and allow these phones to register with the FreeSWITCH server. As far as I am aware, multiple root certificate support is not supported. </div>
</div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Tue, Aug 26, 2014 at 9:12 AM, Tim Smith <span dir="ltr"><<a href="mailto:gb10hkzo-fs1@yahoo.co.uk" target="_blank">gb10hkzo-fs1@yahoo.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
The story so far:<br>
<br>
• I've installed new certs<br>
• checked config in vars.xml is pointing to the right place<br>
• restarted freeswitch entirely<br>
• it is still using some sort of internal certificates ?? cafile and agent contain my certs and not those referred to in the openssl output ?? <br>
<br>
What am I missing ??<br>
<br>
Thanks <br>
<br>
Tim<br>
<br>
<br>
<br>
FreeSWITCH Version 1.4.8+git~20140821T185758Z~1fe89f530f~64bit (git 1fe89f5 2014-08-21 18:57:58Z 64bit)<br>
<br>
<br>
/usr/local/freeswitch/conf/ssl# openssl verify -CAfile cafile.pem agent.pem<br>
agent.pem: OK<br>
<br>
/usr/local/freeswitch/conf# cat vars.xml | grep ssl<br>
valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2<br>
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/><br>
<X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/><br>
<X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/><br>
<X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/><br>
<br>
$ openssl s_client -showcerts -connect my.server:5061<br>
CONNECTED(00000003)<br>
depth=0 /C=US/CN=FreeSWITCH<br>
verify error:num=18:self signed certificate<br>
verify return:1<br>
depth=0 /C=US/CN=FreeSWITCH<br>
verify return:1<br>
---<br>
Certificate chain<br>
0 s:/C=US/CN=FreeSWITCH<br>
i:/C=US/CN=FreeSWITCH<br>
-----BEGIN CERTIFICATE-----<br>
-----END CERTIFICATE-----<br>
---<br>
Server certificate<br>
subject=/C=US/CN=FreeSWITCH<br>
issuer=/C=US/CN=FreeSWITCH<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 615 bytes and written 328 bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is AES256-SHA<br>
Server public key is 1024 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
Protocol : TLSv1<br>
Cipher : AES256-SHA<br>
Session-ID:<br>
Session-ID-ctx: <br>
Master-Key:<br>
Key-Arg : None<br>
Start Time:<br>
Timeout : 300 (sec)<br>
Verify return code: 18 (self signed certificate)<br>
---<br>
<br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a></blockquote></div><br><br clear="all"><div><br></div></div></div>-- <br><div dir="ltr"><table border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody><tr><td width="216" valign="top" style="width:161.85pt;padding:0in"><p><b><span style="font-size:8pt;font-family:Verdana">Regards,</span></b></p><p><b><span style="font-size:8pt;font-family:Verdana">Steve Szeto</span></b><b><span style="font-size:8pt;font-family:Verdana;color:rgb(95,95,95)"></span></b></p>
<p><span style="color:rgb(75,75,75);font-family:Helvetica,Arial,sans-serif;font-size:12px;line-height:16px"><b>MiContact Center IVR Team</b></span></p><p><b><span style="font-size:8pt;font-family:Verdana;color:rgb(95,95,95)">Software Designer</span></b><span style="font-size:8pt;font-family:Verdana"></span></p>
<p><span style="font-family:Verdana;font-size:8pt">Tel.: <a href="tel:613-592-5660%20Ext.%2071698" value="+16135925660" target="_blank">613-592-5660 Ext. 71698</a></span><br></p><p><span style="font-size:8pt;font-family:Verdana">Email: <a href="mailto:steven_szeto@mitel.com_" target="_blank"><span style="color:black">steven_szeto@mitel.com</span></a></span></p>
</td><td width="14" valign="top" style="width:10.7pt;padding:0in"><p><span style="font-family:'Tms Rmn'"> </span></p></td><td width="119" valign="top" style="width:89.4pt;padding:0in"><p><span style="font-size:8pt;font-family:Verdana"><br>
</span></p><p><span style="font-size:8pt;font-family:Verdana"> </span></p><p><span style="font-size:8pt;font-family:Verdana">350 Legget Drive</span><span style="font-size:8pt;font-family:Verdana"></span></p><p><span style="font-size:8pt;font-family:Verdana">Kanata</span><span style="font-size:8pt;font-family:Verdana">, ON</span><span style="font-size:8pt;font-family:Verdana"></span></p>
<p><span style="font-size:8pt;font-family:Verdana">Canada</span><span style="font-size:8pt;font-family:Verdana"> K2K 2W7<u></u></span></p><p><u><span style="font-size:8pt;font-family:Verdana"><a href="http://www.mitel.com/_" target="_blank"><span style="color:black">www.mitel.com</span></a></span></u></p>
</td></tr></tbody></table></div>
</div>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">
<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p>
<p><font size="1" face="courier new, monospace"><img src="http://bkw.org/whmcslogo.png"><br></font></p><p><font face="courier new, monospace"><b><i>Twitter: @FreeSWITCH , @briankwest</i></b><br><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a><br>
<a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a></font></p>
<p><font face="courier new, monospace"><b>T:</b>+19184209001 | <b>F:</b>+19184209002 | <b>M:</b>+1918424WEST (9378)<br><b>iNUM:</b>+883 5100 1420 9001 | <b>ISN:</b>410*543 | <b>Skype:</b>briankwest</font></p></div>
</div>
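<p>The chain point made in the reply at the top of this thread, as an added example that is not part of the original messages: a constructed root, intermediate and leaf certificate, verified with <code>openssl verify</code> once with only the root supplied and once with the intermediate provided via <code>-untrusted</code>. All file names, subject names and the helper functions are assumptions made for the example.</p>

```shell
#!/usr/bin/env bash
# Added example: constructed root -> intermediate -> leaf chain.
# All names below are hypothetical; nothing here comes from a real deployment.

new_csr() {  # $1 = file prefix, $2 = common name; writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Root signs itself, root signs the intermediate, intermediate signs the leaf.
make_chain() {  # $1 = empty working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  new_csr "$d/root" "Example Root CA" &&
  new_csr "$d/int"  "Example Intermediate CA" &&
  new_csr "$d/leaf" "sip.example.test" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if `openssl verify` prints "<file>: OK" for the given arguments.
verifies() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

# Succeeds if subject and issuer are the same name, as in the s_client output above.
self_issued() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  verifies -CAfile "$d/root.pem" "$d/leaf.pem" \
    && echo "root only: OK" || echo "root only: FAIL (issuer not found)"
  verifies -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem" \
    && echo "root + intermediate: OK" || echo "root + intermediate: FAIL"
  self_issued "$d/leaf.pem" \
    && echo "leaf: self-issued" || echo "leaf: issued by a separate CA"
  rm -rf "$d"
}
demo
```

<p>Against a live server, the certificate to feed into these checks is the one captured from <code>openssl s_client -showcerts</code>; a served certificate whose subject equals its issuer is self-signed rather than CA-issued.</p>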