<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:DengXian;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"\@DengXian";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi All,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Please help me when you get a chance.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’ve followed the instructions at the link below to configure TLS on my FreeSWITCH server, but it failed with my FSClient 1.2.3.5. I copied cafile.pem from my FreeSWITCH server to my Windows desktop and gave the right directory under “TLS Certificate Directory”, as shown in the screenshot below (also attached). <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS">https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>But I still cannot log in with TLS; the console log output and configuration files are below. Kindly take a look and let me know if additional info is needed.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>P.S. I used an IP instead of a domain name to create the certificate; is that a problem? 
E.g: I used ./gentls_cert setup -cn pbx.freeswitch.org -alt DNS: 52.35.22.204 -org 52.35.22.204.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><img border=0 width=362 height=326 style='width:3.7708in;height:3.3958in' id="Picture_x0020_2" src="cid:image003.png@01D248AF.51357420"><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Console output:<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0x7fcee8050770): events IN<o:p></o:p></p><p class=MsoNormal>tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0x7fcee8050770): new secondary tport 0x7fcee8252ea0<o:p></o:p></p><p class=MsoNormal>tport_type_tcp.c:203 tport_tcp_init_secondary() tport_tcp_init_secondary(0x7fcee8252ea0): Setting TCP_KEEPIDLE to 30<o:p></o:p></p><p class=MsoNormal>tport_type_tcp.c:209 tport_tcp_init_secondary() tport_tcp_init_secondary(0x7fcee8252ea0): Setting TCP_KEEPINTVL to 30<o:p></o:p></p><p class=MsoNormal>tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x7fcee8252ea0): new connection from tls/50.187.205.251:56612/sips<o:p></o:p></p><p class=MsoNormal><span style='background:yellow;mso-highlight:yellow'>tport_tls.c:955 tls_connect() tls_connect(0x7fcee8252ea0): events NEGOTIATING</span><o:p></o:p></p><p class=MsoNormal><span style='background:yellow;mso-highlight:yellow'>tport_tls.c:1044 tls_connect() tls_connect(0x7fcee8252ea0): TLS setup failed (error:00000001:lib(0):func(0):reason(1))</span><o:p></o:p></p><p class=MsoNormal>tport.c:2090 tport_close() tport_close(0x7fcee8252ea0): tls/50.187.205.251:56612/sips<o:p></o:p></p><p class=MsoNormal>tport.c:2263 tport_set_secondary_timer() tport(0x7fcee8252ea0): set timer at 0 ms because zap<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>freeswitch@ip-172-31-28-201> sofia status<o:p></o:p></p><p class=MsoNormal> Name Type Data State<o:p></o:p></p><p 
class=MsoNormal>=================================================================================================<o:p></o:p></p><p class=MsoNormal> external-ipv6 profile sip:mod_sofia@[::1]:5080 RUNNING (0)<o:p></o:p></p><p class=MsoNormal> 172.31.28.201 alias internal ALIASED<o:p></o:p></p><p class=MsoNormal> external profile sip:mod_sofia@52.35.22.204:5080 RUNNING (0)<o:p></o:p></p><p class=MsoNormal> external::example.com gateway sip:joeuser@example.com NOREG<o:p></o:p></p><p class=MsoNormal> internal-ipv6 profile sip:mod_sofia@[::1]:5060 RUNNING (0)<o:p></o:p></p><p class=MsoNormal> internal-ipv6 profile sip:mod_sofia@[::1]:5061 RUNNING (0) (TLS)<o:p></o:p></p><p class=MsoNormal> internal profile sip:mod_sofia@52.35.22.204:5060 RUNNING (0)<o:p></o:p></p><p class=MsoNormal> <span style='background:yellow;mso-highlight:yellow'>internal profile sip:mod_sofia@52.35.22.204:5061 RUNNING (0) (TLS)</span><o:p></o:p></p><p class=MsoNormal>=================================================================================================<o:p></o:p></p><p class=MsoNormal>4 profiles 1 alias<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Under vars.xml:<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> &lt;X-PRE-PROCESS cmd="set" data="sip_tls_version=sslv23"/&gt;<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> &lt;!--<o:p></o:p></p><p class=MsoNormal> TLS cipher suite: default ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> The actual ciphers supported will change per platform.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> Will show you what is available in your version of openssl.<o:p></o:p></p><p class=MsoNormal> --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;X-PRE-PROCESS cmd="set" 
data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/&gt;<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> &lt;!-- Internal SIP Profile --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;X-PRE-PROCESS cmd="set" data="internal_ssl_dir=/usr/local/freeswitch/conf/ssl"/&gt;<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Under internal.xml: <o:p></o:p></b></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> &lt;!-- TLS: disabled by default, set to "true" to enable --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls" value="true"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- Set to true to not bind on the normal sip-port but only on the TLS port --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-only" value="false"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- additional bind parameters for TLS --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-bind-params" value="transport=tls"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- Port to listen on for TLS requests. 
(5061 will be used if unspecified) --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-sip-port" value="$${internal_tls_port}"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!--&lt;param name="tls-cert-dir" value=""/&gt;--&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-passphrase" value=""/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- Verify the date on TLS certificates --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-verify-date" value="true"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. 
Multiple policies can be$<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-verify-policy" value="in"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-verify-depth" value="2"/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-verify-in-subjects" value=""/&gt;<o:p></o:p></p><p class=MsoNormal> &lt;!-- TLS version default: tlsv1,tlsv1.1,tlsv1.2 --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-version" value="$${sip_tls_version}"/&gt;<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> &lt;!-- TLS ciphers default: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH --&gt;<o:p></o:p></p><p class=MsoNormal> &lt;param name="tls-ciphers" value="$${sip_tls_ciphers}"/&gt;<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Clarie<o:p></o:p></p></div></body></html>
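<p class=MsoNormal>The following is an added example, not part of Clarie's message and not FreeSWITCH or FSClient code. It is a small Python check of whether a certificate's subjectAltName entries would satisfy a client that connects by IP address rather than by hostname, which is worth verifying here because the gentls_cert command quoted above put the IP 52.35.22.204 into a DNS: entry. Per RFC 2818 section 3.1, a client that connects to an IP literal compares it only against iPAddress entries, so a dNSName entry whose text happens to be the dotted quad does not satisfy that check; whether or not this is the cause of the handshake failure in the log above, it is one thing to rule out. The SAN strings are constructed samples in the text form that openssl x509 -noout -ext subjectAltName prints, and the function names are the example's own.</p>

```python
"""Added example (not FreeSWITCH or FSClient code): check whether a certificate's
subjectAltName entries would satisfy a client that connects by hostname or by
IP literal.  Function names and sample SAN strings are this example's own."""
import ipaddress

# Constructed sample SAN strings in the text form that
# `openssl x509 -noout -ext subjectAltName` prints; not from real certificates.
SAN_IP_IN_DNS_ENTRY = "DNS:pbx.freeswitch.org, DNS:52.35.22.204"
SAN_WITH_IP_ENTRY = "DNS:pbx.freeswitch.org, IP Address:52.35.22.204"


def parse_san(san_text):
    """Split 'DNS:a, IP Address:b' into [(kind, value), ...]; kinds are
    normalised to 'DNS' and 'IP'."""
    entries = []
    for item in san_text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        kind = kind.strip().upper()
        if kind == "IP ADDRESS":
            kind = "IP"
        entries.append((kind, value.strip()))
    return entries


def dns_name_matches(pattern, hostname):
    """dNSName comparison in the RFC 6125 style: case-insensitive, and a single
    wildcard is honoured only as the whole leftmost label of a name with at
    least three labels (so '*.example.com' matches 'sip.example.com' but not
    'a.b.example.com', and '*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(san_text, reference):
    """Return (matched, reason).  An IP-literal reference is compared only
    against iPAddress entries (RFC 2818 section 3.1); a dNSName entry whose
    text happens to be the dotted quad is reported but does not match."""
    entries = parse_san(san_text)
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        for kind, value in entries:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True, "matched iPAddress SAN %s" % value
            except ValueError:
                continue  # malformed IP entry; ignore it
        if any(k == "DNS" and v == reference for k, v in entries):
            return False, ("%s appears only as a dNSName entry, which an IP "
                           "reference is not matched against" % reference)
        return False, "no iPAddress SAN matches %s" % reference

    for kind, value in entries:
        if kind == "DNS" and dns_name_matches(value, reference):
            return True, "matched dNSName SAN %s" % value
    return False, "no dNSName SAN matches %s" % reference


if __name__ == "__main__":
    # Run both constructed SANs against both ways a client might name the server.
    for san in (SAN_IP_IN_DNS_ENTRY, SAN_WITH_IP_ENTRY):
        for ref in ("52.35.22.204", "pbx.freeswitch.org"):
            ok, why = san_matches(san, ref)
            print("%-48s %-20s %s: %s" % (san, ref, "OK  " if ok else "FAIL", why))
```

<p class=MsoNormal>To apply it to a real certificate, paste the output of openssl x509 -in agent.pem -noout -ext subjectAltName into san_matches together with the exact host or IP the client is told to connect to; a certificate that should be reachable by IP needs an iPAddress entry, and one reachable by name needs a matching dNSName entry.</p>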