<div dir="ltr">I ran <span style="font-size:13px">global_getvar certs_dir and got "</span><span style="color:rgb(245,245,245);font-family:Monaco;font-size:10px;background-color:rgb(0,0,0)">/etc/freeswitch/tls</span><span style="font-size:13px">".</span><div><span style="font-size:13px">My </span>tls directory contains the following (created by gentls_cert):</div><div><br></div><div><p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">CA/</p><p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">agent.pem</p><p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">cafile.pem</p></div><div class="gmail_extra"><br></div><div class="gmail_extra">Setting <span style="color:rgb(52,189,38);font-family:Monaco;font-size:10px;background-color:rgb(0,0,0)">internal_ssl_enable=true</span> still fails FS with <span style="color:rgb(195,55,32);font-family:Monaco;font-size:10px;background-color:rgb(0,0,0)">Error Creating SIP UA for profile: internal-ipv6 (sip:mod_sofia@[::1]:5060;transport=udp,tcp) ATTEMPT 1 (RETRY IN 5 SEC)</span></div><div class="gmail_extra"><br></div><div class="gmail_extra">Setting it to false and everything works again.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_quote">On Tue, Sep 15, 2015 at 3:28 PM, Ítalo Rossi <span dir="ltr"><<a href="mailto:italo@freeswitch.org" target="_blank">italo@freeswitch.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">If you enable internal_ssl_enable then your sip profile will set tls=true (vanilla config) and FreeSWITCH will look for certificates in $${certs_dir}, which is created dynamically. (/usr/local/freeswitch/certs if you compiled or /etc/freeswitch/certs if you installed from packages)<div><br></div><div>global_getvar certs_dir will output the current value for this var, put your certs there in the right format and see if your profile starts.</div></div><div class=""><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 15, 2015 at 8:42 AM, Michael Nielsen <span dir="ltr"><<a href="mailto:mic.niel84@gmail.com" target="_blank">mic.niel84@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Nothing is running on port 5060 and blocking this. When setting the <br><pre style="font-family:monospace,Courier;padding:1em;border:1px dashed rgb(47,111,171);color:rgb(0,0,0);background-color:rgb(249,249,249);line-height:1.3em;font-size:13px">internal_ssl_enable=true<br></pre><div class="gmail_extra">it doesnt work, when setting this to false everything works.<br></div><div class="gmail_extra">Netstat doesn't show anything on port 5060... or 5061.<br></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 15, 2015 at 9:36 AM, Michael Nielsen <span dir="ltr"><<a href="mailto:mic.niel84@gmail.com" target="_blank">mic.niel84@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div>wss-binding is not set - looking in internal.xml and running grep after wss-binding does not find anything.<br></div>Looking at $${internal_ssl_dir} I'm not able to find where this is.<br></div>grep'ing after internal_ssl_dir doesn't find anything.<br><br></div>I'm running freeswitch as freeswitch user - so I guess the same user should be on the certificates.<br></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 14, 2015 at 10:55 PM, Thomas <span dir="ltr"><<a href="mailto:lists@virtues.net" target="_blank">lists@virtues.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>The "none" option for the policy is
part of the old standard config, no idea why it doesn't work
(anymore?). Seen that error a lot, but it never prevented the
profile from setting up the socket.<br>
<br>
You sure none of these ports are already in use? (netstat -lpn)
Does the box have an IPv6 interface? Is 159.122.89.10 configured
on any interface?<br>
<br>
If you did not get this error and the SIP profiles were loading
properly before your TLS changes, revert and do it step by step.
You can issue a "reload mod_sofia" to test the new config without
restarting FS.<div><div><br>
<br>
<br>
On 14.09.2015 17:21, Michael Nielsen wrote:<br>
</div></div></div><div><div>
<blockquote type="cite">none, but I've also tried with in. <br>
<br>
On Monday, September 14, 2015, Ítalo Rossi <<a href="mailto:italo@freeswitch.org" target="_blank"></a><a href="mailto:italo@freeswitch.org" target="_blank">italo@freeswitch.org</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">
<div>What you have in your tls-verify-policy ?</div>
<div><br>
</div>
Check the valid values here: <a href="https://freeswitch.org/confluence/display/FREESWITCH/Sofia+Configuration+Files#SofiaConfigurationFiles-Settings" target="_blank">https://freeswitch.org/confluence/display/FREESWITCH/Sofia+Configuration+Files#SofiaConfigurationFiles-Settings</a><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 14, 2015 at 10:23 AM,
Michael Nielsen <span dir="ltr"><<a></a><a href="mailto:mic.niel84@gmail.com" target="_blank">mic.niel84@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">When doing so I get the following error in
fs_cli:
<div><br>
</div>
<div>
<p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(195,55,32);background-color:rgb(0,0,0)">2015-09-14
08:23:24.120749 [ERR] sofia_glue.c:329 Invalid
tls-verify-policy value: none</p>
</div>
<div>
<p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(195,55,32);background-color:rgb(0,0,0)">2015-09-14
08:23:24.160528 [ERR] sofia.c:2935 Error Creating
SIP UA for profile: internal-ipv6
(<a>sip:mod_sofia@</a>[::1]:5060;transport=udp,tcp) ATTEMPT
1 (RETRY IN 5 SEC)</p>
<p style="margin:0px;font-size:10px;font-family:Monaco;color:rgb(195,55,32);background-color:rgb(0,0,0)">2015-09-14
08:23:24.180781 [ERR] sofia.c:2935 Error Creating
SIP UA for profile: internal
(<a>sip:mod_sofia@159.122.89.10:5060;transport=udp,tcp</a>)
ATTEMPT 1 (RETRY IN 5 SEC)</p>
</div>
<div><br>
</div>
<div>And then sofia status only shows port 5080
running...</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 14, 2015 at
9:01 AM, Michael Nielsen <span dir="ltr"><<a></a><a href="mailto:mic.niel84@gmail.com" target="_blank">mic.niel84@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">I'm running this clean
installation of FS:
<div><a href="https://github.com/voxserv/freeswitch_conf_minimal" target="_blank">https://github.com/voxserv/freeswitch_conf_minimal</a><br>
</div>
<div><br>
</div>
<div>Everything seems to work and I would now
like to add TLS and SRTP encryption - for
use on public WiFi and such.</div>
<div><br>
</div>
<div>I've tried the following from this <a href="http://wiki.freeswitch.org/wiki/SIP_TLS#TLS.2C_SSL_and_SRTP_Encryption" target="_blank"></a><a href="http://wiki.freeswitch.org/wiki/SIP_TLS#TLS.2C_SSL_and_SRTP_Encryption" target="_blank">http://wiki.freeswitch.org/wiki/SIP_TLS#TLS.2C_SSL_and_SRTP_Encryption</a>:</div>
<div><br>
</div>
<div>
<pre style="font-family:monospace,Courier;padding:1em;border:1px dashed rgb(47,111,171);color:rgb(0,0,0);background-color:rgb(249,249,249);line-height:1.3em;font-size:13px">./gentls_cert setup -cn <a href="http://pbx.freeswitch.org" target="_blank">pbx.freeswitch.org</a> -alt DNS:<a href="http://pbx.freeswitch.org" target="_blank">pbx.freeswitch.org</a> -org <a href="http://freeswitch.org" target="_blank">freeswitch.org</a>
./gentls_cert create_server -cn <a href="http://pbx.freeswitch.org" target="_blank">pbx.freeswitch.org</a> -alt DNS:<a href="http://pbx.freeswitch.org" target="_blank">pbx.freeswitch.org</a> -org <a href="http://freeswitch.org" target="_blank">freeswitch.org</a>
</pre>
</div>
<div>And in vars.xml:</div>
<div>
<pre style="font-family:monospace,Courier;padding:1em;border:1px dashed rgb(47,111,171);color:rgb(0,0,0);background-color:rgb(249,249,249);line-height:1.3em;font-size:13px"><X-PRE-PROCESS cmd="set" data="sip_tls_version=sslv23"/>
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
</pre>
</div>
<div>Of course with my own domain when
generating certificates.</div>
<div><br>
</div>
<div>Restarting FS and trying to connect to
5061 over TLS doesn't work.</div>
<div>Looking in fs_cli with debug 7 doesn't
output anything when the client tries to
connect.</div>
<div><br>
</div>
<div>How to debug or does anyone know what's
wrong? My certificates are generated
automatically in /usr/conf/ssl.</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a>consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a>FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">Ítalo Rossi
<div><a>italo@freeswitch.org</a></div>
</div>
</div>
</div>
</blockquote>
<br>
<fieldset></fieldset>
<br>
<pre>_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a>
Official FreeSWITCH Sites
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
<a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a>
FreeSWITCH-users mailing list
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a></pre>
</blockquote>
<br>
</div></div></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr">Ítalo Rossi<div><a href="mailto:italo@freeswitch.org" target="_blank">italo@freeswitch.org</a></div></div></div>
</div>
</div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div></div>