<div dir="ltr">While waiting for suggestions, I tried more things. In particular, I tested whether gentls_cert was present in our FS install (which is at /opt/freeswitch/ on Ubuntu).
<div><br></div>
<div>It is present, but the CA root cert step writes to {prefix}/etc/freeswitch/tls/CA/ instead of {prefix}/conf/ssl/CA/. In particular, the root CA step generates:</div>
<pre>
etc/freeswitch/tls/
  cafile.pem

etc/freeswitch/tls/CA/
  cacert.pem
  cakey.pem
  config.tpl
</pre>
<div>And the server cert step generates:</div>
<pre>
etc/freeswitch/tls/
  agent.pem

etc/freeswitch/tls/CA/
  cacert.srl
</pre>
<div>Reviewing agent.pem shows it's fine:</div>
<pre>openssl x509 -noout -inform pem -text -in /opt/freeswitch/etc/freeswitch/tls/agent.pem</pre>
<div>But it's owned by user root, group root, so:</div>
<pre>
cd /opt/freeswitch/etc/freeswitch/tls/
chmod 640 agent.pem CA/cacert.pem
chown root.freeswitch agent.pem CA/cacert.pem
</pre>
<div>Then I edited /opt/freeswitch/etc/freeswitch/vars.xml to set internal_ssl_enable and external_ssl_enable to true.</div>
<div><br></div>
<div>Then I restarted FS. I checked the CLI and it shows "WS SETUP FAILED" repeatedly. *Any suggestion?*</div>
<div><br></div>
<div>Blazing ahead... then I exposed the public IP of the FS machine under a subdomain of the CA root cert's domain. (I used a wildcard subdomain for -org when generating both certs; maybe giving a wildcard this way is unnecessary or counterproductive.)</div>
<div><br></div>
<div>Now, the part that puzzles me: I'm already using a "real CA" cert in order to serve my verto client files over https from my DNS name, so browsers won't show security warnings. But I bet I need to have the same CA root cert installed in FS as I use in the webserver, right? I saw the note that commercial certs should work, but *it's not clear what steps to follow to install one*.</div>
<div><br></div>
<div>Cheers,</div>
<div>David</div>
<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, May 22, 2018 at 9:50 PM, David P <span dir="ltr">&lt;<a href="mailto:davidswalkabout@gmail.com">davidswalkabout@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">We use conferences to allow a verto user to call and connect with an Asterisk channel. We would like to secure both signalling and media via TLS + SRTP, and I've read <a href="https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS">https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS</a> a few times to understand how to do this. Note that that page has a broken link: <a href="https://wiki.freeswitch.org/wiki/Secure_RTP">https://wiki.freeswitch.org/wiki/Secure_RTP</a><br><br>
First, is it still true that FS doesn't offer prebuilt installs (for Ubuntu) to support this kind of security?<br><br>
Assuming that it must be compiled, I began to follow <a href="https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie">https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie</a> with the additional first step of: <code>apt-get install libssl-dev</code>
<div><br></div>
<div>I soon ran into "Unable to locate package freeswitch-video-deps-most".</div>
<div><br></div>
<div>What should I try next?</div>
<div><br></div>
<div>Cheers,</div>
<div>David</div>
</div>
</blockquote>
</div><br></div></div>
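<p>A pre-flight check for the cert layout described in the message above, added here as an example (it is neither David's code nor FreeSWITCH's own tooling). It assumes the <code>/opt/freeswitch/etc/freeswitch/tls/</code> layout with <code>agent.pem</code> and <code>CA/cacert.pem</code> and the <code>freeswitch</code> group from the post, and confirms that the files are not world-readable, that the group can read them, that the key bundled in <code>agent.pem</code> matches its certificate, and that the certificate chains to the generated CA before <code>internal_ssl_enable</code>/<code>external_ssl_enable</code> are switched on.</p>

```shell
#!/bin/sh
# Added example, not FreeSWITCH's own tooling: sanity-check the files that
# gentls_cert leaves under $PREFIX/etc/freeswitch/tls/ before flipping
# internal_ssl_enable / external_ssl_enable in vars.xml. The default
# directory and the "freeswitch" group are assumptions taken from the post.

# 0 if the "other" permission bits are clear (mode 640/600 style), else 1.
# Parses ls -ld so it works on GNU and BSD userlands alike.
other_bits_clear() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# 0 if the file's group is $2, so the daemon can still read it after it
# drops root and the 640 mode above is sufficient.
group_is() {
    [ "$(ls -ld "$1" | awk '{print $4}')" = "$2" ]
}

# 0 if the private key bundled in agent.pem belongs to the certificate in
# the same file: the SubjectPublicKeyInfo of both must be identical.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the server certificate ($1) verifies against the CA certificate ($2).
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs every check against one tls directory; returns 0 only if all pass.
check_fs_tls() {
    dir="$1"; grp="$2"; rc=0
    for f in "$dir/agent.pem" "$dir/CA/cacert.pem"; do
        [ -f "$f" ] || { echo "missing: $f"; rc=1; continue; }
        other_bits_clear "$f" || { echo "world-readable: $f"; rc=1; }
        group_is "$f" "$grp" || { echo "group is not $grp: $f"; rc=1; }
    done
    key_matches_cert "$dir/agent.pem" || { echo "key does not match cert in agent.pem"; rc=1; }
    chain_ok "$dir/agent.pem" "$dir/CA/cacert.pem" || { echo "agent.pem does not chain to CA/cacert.pem"; rc=1; }
    return $rc
}

# Usage: sh check_fs_tls.sh [tls_dir] [group]; does nothing without arguments.
if [ "$#" -gt 0 ]; then
    check_fs_tls "$1" "${2:-freeswitch}"
fi
```

<p>The key/cert and chain checks need the <code>openssl</code> binary; the permission checks run anywhere.</p>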