<div dir="ltr">Good to be reminded of this; I sometimes forget that, and not everyone would follow or understand what vars.xml does.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 27, 2014 at 5:59 AM, Steven Ayre <span dir="ltr">&lt;<a href="mailto:steveayre@gmail.com" target="_blank">steveayre@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">vars.xml doesn&#39;t tell FS to do anything - all the variables you define there are simply for convenience to be used elsewhere in the configuration.<div>
<br></div><div>If you&#39;re setting the variable but not actually using it in the SIP profile then it&#39;s having no effect.</div>

</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On 26 August 2014 18:27, Tim Smith <span dir="ltr">&lt;<a href="mailto:randomdev4@gmail.com" target="_blank">randomdev4@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div dir="ltr"><div><div><div><div>Hi Brian,<br><br></div>Yup, that doc came up on my Google searches.<br><br></div>And yes, I&#39;ve done all that as per my original post.<br><br></div>Or are you telling me that, despite vars.xml telling it otherwise, FreeSWITCH ignores whatever I put in $base/conf/ssl/ and that I should put the stuff in $base/certs instead because that&#39;s where FreeSWITCH is hardcoded to look?<span><font color="#888888"><br>
<br></font></span></div><span><font color="#888888">Tim<br></font></span></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On 26 August 2014 18:17, Brian West <span dir="ltr">&lt;<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><a href="https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?at=ed7aa96778597f521f0bb2e830277a0d95b21fd7&amp;raw" target="_blank">https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?at=ed7aa96778597f521f0bb2e830277a0d95b21fd7&amp;raw</a><br>
<div><br></div><div>It&#39;s very similar to commercial SSL certs.</div></div><div class="gmail_extra"><div><div><br><br><div class="gmail_quote">On Tue, Aug 26, 2014 at 12:07 PM, Tim Smith <span dir="ltr">&lt;<a href="mailto:randomdev4@gmail.com" target="_blank">randomdev4@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hi Steven,<br><br></div>As you can see, per the default config, the only place &quot;tls-cert-dir&quot; is mentioned is commented out. I don&#39;t have it in any individual profiles either...<br>
<br>
/usr/local/freeswitch/conf$  find . -name &#39;*.xml&#39; -print0 | xargs -0 grep &#39;tls-cert-dir&#39;<br>./sip_profiles/internal.xml:    &lt;!--&lt;param name=&quot;tls-cert-dir&quot; value=&quot;&quot;/&gt;--&gt;<br>
./sip_profiles/external.xml:    &lt;!--&lt;param name=&quot;tls-cert-dir&quot; value=&quot;&quot;/&gt;--&gt;<span><font color="#888888"><br>
<br><br></font></span></div><span><font color="#888888">Tim<br></font></span></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On 26 August 2014 17:50, Steven Ayre <span dir="ltr">&lt;<a href="mailto:steveayre@gmail.com" target="_blank">steveayre@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Check the tls-cert-dir parameter of the SIP profile. Those are only setting variables; they may or may not be used by the actual profile.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On 26 August 2014 14:12, Tim Smith <span dir="ltr">&lt;<a href="mailto:gb10hkzo-fs1@yahoo.co.uk" target="_blank">gb10hkzo-fs1@yahoo.co.uk</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
The story so far:<br>
<br>
• I&#39;ve installed new certs<br>
• checked that the config in vars.xml is pointing to the right place<br>
• restarted FreeSWITCH entirely<br>
• it is still using some sort of internal certificates?? cafile and agent contain my certs and not those referred to in the openssl output??<br>
<br>
What am I missing??<br>
<br>
Thanks<br>
<br>
Tim<br>
<br>
<br>
<br>
FreeSWITCH Version 1.4.8+git~20140821T185758Z~1fe89f530f~64bit (git 1fe89f5 2014-08-21 18:57:58Z 64bit)<br>
<br>
<br>
/usr/local/freeswitch/conf/ssl# openssl verify -CAfile cafile.pem agent.pem<br>
agent.pem: OK<br>
<br>
/usr/local/freeswitch/conf# cat vars.xml | grep ssl<br>
     valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2<br>
  &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;internal_ssl_enable=true&quot;/&gt;<br>
  &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;internal_ssl_dir=$${base_dir}/conf/ssl&quot;/&gt;<br>
  &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;external_ssl_enable=true&quot;/&gt;<br>
  &lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;external_ssl_dir=$${base_dir}/conf/ssl&quot;/&gt;<br>
<br>
$ openssl s_client -showcerts -connect my.server:5061<br>
CONNECTED(00000003)<br>
depth=0 /C=US/CN=FreeSWITCH<br>
verify error:num=18:self signed certificate<br>
verify return:1<br>
depth=0 /C=US/CN=FreeSWITCH<br>
verify return:1<br>
---<br>
Certificate chain<br>
 0 s:/C=US/CN=FreeSWITCH<br>
   i:/C=US/CN=FreeSWITCH<br>
-----BEGIN CERTIFICATE-----<br>
-----END CERTIFICATE-----<br>
---<br>
Server certificate<br>
subject=/C=US/CN=FreeSWITCH<br>
issuer=/C=US/CN=FreeSWITCH<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 615 bytes and written 328 bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is AES256-SHA<br>
Server public key is 1024 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
    Protocol  : TLSv1<br>
    Cipher    : AES256-SHA<br>
    Session-ID:<br>
    Session-ID-ctx: <br>
    Master-Key:<br>
    Key-Arg   : None<br>
    Start Time:<br>
    Timeout   : 300 (sec)<br>
    Verify return code: 18 (self signed certificate)<br>
---<br>
<br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div>-- <br><div dir="ltr">
<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a></span></font></p>
<p><font face="courier new, monospace" size="1"><img src="http://bkw.org/whmcslogo.png"><br></font></p><p><font face="courier new, monospace"><b><i>Twitter: @FreeSWITCH , @briankwest</i></b><br><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a><br>
<a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a></font></p>
<p><font face="courier new, monospace"><b>T:</b><a href="tel:%2B19184209001" value="+19184209001" target="_blank">+19184209001</a> | <b>F:</b><a href="tel:%2B19184209002" value="+19184209002" target="_blank">+19184209002</a> | <b>M:</b>+1918424WEST (9378)<br>
<b>iNUM:</b>+883 5100 1420 9001 | <b>ISN:</b>410*543 | <b>Skype:</b>briankwest</font></p></div>
</div>
</blockquote></div><br></div>
</div></div>
</blockquote></div><br></div>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div><div dir="ltr">
</div>
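<div dir="ltr">Added worked check for the two points the thread turns on (not code from the thread or from the FreeSWITCH project): a variable set in vars.xml does nothing until a SIP profile references it, and a commented-out param is invisible, so the profile silently falls back to its built-in directory; and an s_client dump showing a self-signed CN=FreeSWITCH leaf means the certs in tls-cert-dir were never loaded. The sample XML, the s_client excerpt and the fallback directory ($base/certs, as suggested in the thread) are constructed assumptions.</div>

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the thread: vars.xml sets internal_ssl_dir, but the
# SIP profile's tls-cert-dir param exists only inside an XML comment.
VARS_XML = """<include>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
</include>"""

PROFILE_XML = """<profile name="internal"><settings>
  <param name="tls" value="$${internal_ssl_enable}"/>
  <!--<param name="tls-cert-dir" value="$${internal_ssl_dir}"/>-->
</settings></profile>"""

# Constructed excerpt of an `openssl s_client -showcerts` dump like the one in the thread.
S_CLIENT_OUT = """depth=0 /C=US/CN=FreeSWITCH
subject=/C=US/CN=FreeSWITCH
issuer=/C=US/CN=FreeSWITCH
    Verify return code: 18 (self signed certificate)"""

def expand(value, vars_):
    """Expand $${name} references the way the pre-processor does; unknown names stay."""
    return re.sub(r"\$\$\{(\w+)\}", lambda m: vars_.get(m.group(1), m.group(0)), value)

def parse_vars(xml_text, base_dir):
    """Collect name=value pairs from X-PRE-PROCESS set directives in vars.xml."""
    vars_ = {"base_dir": base_dir}
    for el in ET.fromstring(xml_text).iter("X-PRE-PROCESS"):
        if el.get("cmd") == "set" and "=" in el.get("data", ""):
            name, value = el.get("data").split("=", 1)
            vars_[name] = expand(value, vars_)
    return vars_

def effective_tls_cert_dir(profile_xml, vars_, fallback_dir):
    """Directory the profile will really load certs from. ElementTree drops comments,
    so a commented-out <param> is as invisible here as it is to FreeSWITCH."""
    for p in ET.fromstring(profile_xml).iter("param"):
        if p.get("name") == "tls-cert-dir" and p.get("value"):
            return expand(p.get("value"), vars_)
    return fallback_dir  # assumption: the built-in default ($base/certs per the thread)

def serving_default_self_signed(s_client_output):
    """True when the leaf cert is self-signed with the stock CN=FreeSWITCH subject."""
    subj = re.search(r"^subject=(.*)$", s_client_output, re.M)
    issr = re.search(r"^issuer=(.*)$", s_client_output, re.M)
    return bool(subj and issr and subj.group(1) == issr.group(1)
                and "CN=FreeSWITCH" in subj.group(1))
```

Uncommenting the tls-cert-dir param in the sample profile makes effective_tls_cert_dir return the vars.xml directory instead of the fallback.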