<div dir="ltr">I ran <span style="font-size:13px">global_getvar certs_dir and got &quot;</span><span style="color:rgb(245,245,245);font-family:Monaco;font-size:10px;background-color:rgb(0,0,0)">/etc/freeswitch/tls</span><span style="font-size:13px">&quot;.</span><div><span style="font-size:13px">My </span>tls directory contains the following (created by gentls_cert):</div><div><br></div><div><p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">CA/</p><p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">agent.pem</p><p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">cafile.pem</p></div><div class="gmail_extra"><br></div><div class="gmail_extra">Setting <span style="color:rgb(52,189,38);font-family:Monaco;font-size:10px;background-color:rgb(0,0,0)">internal_ssl_enable=true</span> still fails FS with <span style="color:rgb(195,55,32);font-family:Monaco;font-size:10px;background-color:rgb(0,0,0)">Error Creating SIP UA for profile: internal-ipv6 (sip:mod_sofia@[::1]:5060;transport=udp,tcp) ATTEMPT 1 (RETRY IN 5 SEC)</span></div><div class="gmail_extra"><br></div><div class="gmail_extra">Setting it to false and everything works again.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_quote">On Tue, Sep 15, 2015 at 3:28 PM, Ítalo Rossi <span dir="ltr">&lt;<a href="mailto:italo@freeswitch.org" target="_blank">italo@freeswitch.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">If you enable internal_ssl_enable then your sip profile will set tls=true (vanilla config) and FreeSWITCH will look for certificates in $${certs_dir}, which is created dynamically. 
(/usr/local/freeswitch/certs if you compiled or /etc/freeswitch/certs if you installed from packages)<div><br></div><div>global_getvar certs_dir will output the current value for this var, put your certs there in the right format and see if your profile starts.</div></div><div class=""><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 15, 2015 at 8:42 AM, Michael Nielsen <span dir="ltr">&lt;<a href="mailto:mic.niel84@gmail.com" target="_blank">mic.niel84@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Nothing is running on port 5060 and blocking this. When setting the <br><pre style="font-family:monospace,Courier;padding:1em;border:1px dashed rgb(47,111,171);color:rgb(0,0,0);background-color:rgb(249,249,249);line-height:1.3em;font-size:13px">internal_ssl_enable=true<br></pre><div class="gmail_extra">it doesn&#39;t work, when setting this to false everything works.<br></div><div class="gmail_extra">Netstat doesn&#39;t show anything on port 5060... 
or 5061.<br></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 15, 2015 at 9:36 AM, Michael Nielsen <span dir="ltr">&lt;<a href="mailto:mic.niel84@gmail.com" target="_blank">mic.niel84@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div>wss-binding is not set - looking in internal.xml and running grep after wss-binding does not find anything.<br></div>Looking at $${internal_ssl_dir} I&#39;m not able to find where this is.<br></div>grep&#39;ing after internal_ssl_dir doesn&#39;t find anything.<br><br></div>I&#39;m running freeswitch as freeswitch user - so I guess the same user should be on the certificates.<br></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 14, 2015 at 10:55 PM, Thomas <span dir="ltr">&lt;<a href="mailto:lists@virtues.net" target="_blank">lists@virtues.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>The &quot;none&quot; option for the policy is
      part of the old standard config, no idea why it doesn&#39;t work
      (anymore?). Seen that error a lot, but it never prevented the
      profile from setting up the socket.<br>
      <br>
      You sure none of these ports are already in use? (netstat -lpn)
      Does the box have an IPv6 interface? Is 159.122.89.10 configured
      on any interface?<br>
      <br>
      If you did not get this error and the SIP profiles were loading
      properly before your TLS changes, revert and do it step by step.
      You can issue a &quot;reload mod_sofia&quot; to test the new config without
      restarting FS.<div><div><br>
      <br>
      <br>
      On 14.09.2015 17:21, Michael Nielsen wrote:<br>
    </div></div></div><div><div>
    <blockquote type="cite">none, but I&#39;ve also tried with in. <br>
      <br>
      On Monday, September 14, 2015, Ítalo Rossi &lt;<a href="mailto:italo@freeswitch.org" target="_blank">italo@freeswitch.org</a>&gt;
      wrote:<br>
      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
        <div dir="ltr">
          <div>What do you have in your tls-verify-policy?</div>
          <div><br>
          </div>
          Check the valid values here: <a href="https://freeswitch.org/confluence/display/FREESWITCH/Sofia+Configuration+Files#SofiaConfigurationFiles-Settings" target="_blank">https://freeswitch.org/confluence/display/FREESWITCH/Sofia+Configuration+Files#SofiaConfigurationFiles-Settings</a><br>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Mon, Sep 14, 2015 at 10:23 AM,
            Michael Nielsen <span dir="ltr">&lt;<a href="mailto:mic.niel84@gmail.com" target="_blank">mic.niel84@gmail.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div dir="ltr">When doing so I get the following error in
                fs_cli:
                <div><br>
                </div>
                <div>
                  <p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(195,55,32);background-color:rgb(0,0,0)">2015-09-14
                    08:23:24.120749 [ERR] sofia_glue.c:329 Invalid
                    tls-verify-policy value: none</p>
                </div>
                <div>
                  <p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(195,55,32);background-color:rgb(0,0,0)">2015-09-14
                    08:23:24.160528 [ERR] sofia.c:2935 Error Creating
                    SIP UA for profile: internal-ipv6
                    (<a>sip:mod_sofia@</a>[::1]:5060;transport=udp,tcp) ATTEMPT
                    1 (RETRY IN 5 SEC)</p>
                  <p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(195,55,32);background-color:rgb(0,0,0)">2015-09-14
                    08:23:24.180781 [ERR] sofia.c:2935 Error Creating
                    SIP UA for profile: internal
                    (<a>sip:mod_sofia@159.122.89.10:5060;transport=udp,tcp</a>)
                    ATTEMPT 1 (RETRY IN 5 SEC)</p>
                </div>
                <div><br>
                </div>
                <div>And then sofia status only shows port 5080
                  running...</div>
              </div>
              <div>
                <div>
                  <div class="gmail_extra"><br>
                    <div class="gmail_quote">On Mon, Sep 14, 2015 at
                      9:01 AM, Michael Nielsen <span dir="ltr">&lt;<a href="mailto:mic.niel84@gmail.com" target="_blank">mic.niel84@gmail.com</a>&gt;</span>
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                        <div dir="ltr">I&#39;m running this clean
                          installation of FS:
                          <div><a href="https://github.com/voxserv/freeswitch_conf_minimal" target="_blank">https://github.com/voxserv/freeswitch_conf_minimal</a><br>
                          </div>
                          <div><br>
                          </div>
                          <div>Everything seems to work and I would now
                            like to add TLS and SRTP encryption - for
                            use on public WiFi and such.</div>
                          <div><br>
                          </div>
                          <div>I&#39;ve tried the following from this <a href="http://wiki.freeswitch.org/wiki/SIP_TLS#TLS.2C_SSL_and_SRTP_Encryption" target="_blank">http://wiki.freeswitch.org/wiki/SIP_TLS#TLS.2C_SSL_and_SRTP_Encryption</a>:</div>
                          <div><br>
                          </div>
                          <div>
                            <pre style="font-family:monospace,Courier;padding:1em;border:1px dashed rgb(47,111,171);color:rgb(0,0,0);background-color:rgb(249,249,249);line-height:1.3em;font-size:13px">./gentls_cert setup -cn pbx.freeswitch.org -alt DNS:pbx.freeswitch.org -org freeswitch.org
./gentls_cert create_server -cn pbx.freeswitch.org -alt DNS:pbx.freeswitch.org -org freeswitch.org
</pre>
                          </div>
                          <div>And in vars.xml:</div>
                          <div>
                            <pre style="font-family:monospace,Courier;padding:1em;border:1px dashed rgb(47,111,171);color:rgb(0,0,0);background-color:rgb(249,249,249);line-height:1.3em;font-size:13px">&lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;sip_tls_version=sslv23&quot;/&gt;
&lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;internal_ssl_enable=true&quot;/&gt;
</pre>
                          </div>
                          <div>Of course with my own domain when
                            generating certificates.</div>
                          <div><br>
                          </div>
                          <div>Restarting FS and trying to connect to
                            5061 over TLS doesn&#39;t work.</div>
                          <div>Looking in fs_cli with debug 7 doesn&#39;t
                            output anything when the client tries to
                            connect.</div>
                          <div><br>
                          </div>
                          <div>How to debug or does anyone know what&#39;s
                            wrong? My certificates are generated
                            automatically in /usr/conf/ssl.</div>
                        </div>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                </div>
              </div>
              <br>
_________________________________________________________________________<br>
              Professional FreeSWITCH Consulting Services:<br>
              <a>consulting@freeswitch.org</a><br>
              <a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
              <br>
              Official FreeSWITCH Sites<br>
              <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
              <a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
              <a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
              <br>
              FreeSWITCH-users mailing list<br>
              <a>FreeSWITCH-users@lists.freeswitch.org</a><br>
              <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
              UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
              <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <div><br>
          </div>
          -- <br>
          <div>
            <div dir="ltr">Ítalo Rossi
              <div><a>italo@freeswitch.org</a></div>
            </div>
          </div>
        </div>
      </blockquote>
      <br>
      <fieldset></fieldset>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr">Ítalo Rossi<div><a href="mailto:italo@freeswitch.org" target="_blank">italo@freeswitch.org</a></div></div></div>
</div>
</div></div><br></blockquote></div><br></div></div>
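<p>Added example, not part of the original thread or of FreeSWITCH itself: a shell check of the directory reported by <code>global_getvar certs_dir</code> before <code>internal_ssl_enable</code> is turned on. The function name <code>check_fs_certs_dir</code> is hypothetical, and the script assumes that <code>agent.pem</code> must hold both the server certificate and its private key and that <code>cafile.pem</code> holds the CA certificate; run it as the user FreeSWITCH runs as so the readability test is meaningful.</p>

```shell
#!/bin/sh
# Added example: sanity-check a FreeSWITCH certs_dir (for instance the
# /etc/freeswitch/tls path reported in the thread) before enabling TLS.
# Assumptions: agent.pem = server certificate + private key in one file,
# cafile.pem = CA certificate. The function name is hypothetical.
# Usage: check_fs_certs_dir /etc/freeswitch/tls
# Returns the number of problems found (0 means the layout looks sane).
check_fs_certs_dir() {
    dir=$1
    problems=0
    note() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    if [ ! -d "$dir" ]; then
        echo "PROBLEM: $dir is not a directory"
        return 1
    fi

    # Both files must exist, be readable by the calling user and carry
    # at least one PEM certificate block.
    for f in agent.pem cafile.pem; do
        if [ ! -f "$dir/$f" ]; then
            note "$dir/$f is missing"
        elif [ ! -r "$dir/$f" ]; then
            note "$dir/$f is not readable by $(id -un)"
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/$f"; then
            note "$dir/$f has no PEM certificate block"
        fi
    done

    if [ -r "$dir/agent.pem" ]; then
        # Matches PKCS#8 ("PRIVATE KEY") and typed ("RSA PRIVATE KEY") headers.
        grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$dir/agent.pem" ||
            note "agent.pem has no private key block"
        # The key lives in this file, so it should not be world-readable.
        [ -z "$(find "$dir/agent.pem" -perm -004)" ] ||
            note "agent.pem is world-readable; chmod 640 or tighter"
    fi

    echo "$problems problem(s) in $dir"
    return "$problems"
}
```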