<div dir="auto">Thanks, Mike, I'll try another distro.<div dir="auto"><br></div><div dir="auto">About verto, which I already serve under an AWS free non-exportable cert, does it need the gentls-generated CA root cert somewhere?</div><div dir="auto"><br></div><div dir="auto">And do I need any more steps to secure the streamed media?</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 24 May 2018, 9:05 am Michael Jerris, <<a href="mailto:mike@jerris.com">mike@jerris.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Try something NOT ubuntu.  Ubuntu disables some required stuff in their openssl making it unusable for webrtc at least in some versions.<div><br><div><br><blockquote type="cite"><div>On May 24, 2018, at 1:27 AM, David P <<a href="mailto:davidswalkabout@gmail.com" target="_blank" rel="noreferrer">davidswalkabout@gmail.com</a>> wrote:</div><br class="m_-5315939520810948570Apple-interchange-newline"><div><div dir="ltr">While waiting for suggestions, I tried more things. In particular, I tested whether gentls_cert was present in our FS install (which is at /opt/freeswitch/ on ubuntu).<div><br></div><div>It is present, but the CA root cert step writes to {prefix}/etc/freeswitch/tls/CA/ instead of {prefix}/conf/ssl/CA/. In particular, the root CA step generates:</div><div><br></div><div>etc/freeswitch/tls/<br></div><div>  cafile.pem</div><div><br></div><div>etc/freeswitch/tls/CA/<br></div><div>  cacert.pem</div><div>  cakey.pem</div><div>  config.tpl</div><div><br></div><div>And the server cert step generates:</div><div>

<div><br>etc/freeswitch/tls/<br></div>
<div>  agent.pem</div>
<div><br></div>
<div>etc/freeswitch/tls/CA/<br></div>
<div>  cacert.srl<br></div>
<div><br></div>
<div>Reviewing agent.pem shows it's fine:</div>
<div>openssl x509 -noout -inform pem -text -in /opt/freeswitch/etc/freeswitch/tls/agent.pem<br></div>
<div><br></div>
<div>But it's owned by user root, group root, so:</div>
<div>cd /opt/freeswitch/etc/freeswitch/tls/<br></div>
<div>chmod 640 agent.pem CA/cacert.pem<br></div>
<div>chown root.freeswitch agent.pem CA/cacert.pem<br></div>
<div><br></div>
<div>Then I edited /opt/freeswitch/etc/freeswitch/vars.xml to set internal_ssl_enable and external_ssl_enable to true.</div>
<div><br></div>
<div>Then I restarted FS. I checked the CLI and it shows "WS SETUP FAILED" repeatedly. *Any suggestion?*</div>
<div><br></div>
<div>Blazing ahead... then I exposed the public IP of the FS machine under a subdomain of the CA root cert's domain. (I used a wildcard subdomain for -org when generating both certs; maybe giving a wildcard this way is unnecessary or counterproductive.)</div>
<div><br></div>
<div>Now, the part that puzzles me: I'm already using a "real CA" cert in order to serve my verto client files over https from my DNS name, so browsers won't show security warnings. But I bet I need to have the same CA root cert installed in FS as I use in the webserver, right? I saw the note that commercial certs should work, but *it's not clear what steps to follow to install one*.</div>
<div><br></div>
<div>Cheers,</div>
<div>David</div>

<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 22, 2018 at 9:50 PM, David P <span dir="ltr"><<a href="mailto:davidswalkabout@gmail.com" target="_blank" rel="noreferrer">davidswalkabout@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">We use conferences to allow a verto user to call and connect with an Asterisk channel. We would like to secure both signalling and media via TLS + SRTP, and I've read <a href="https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS" target="_blank" rel="noreferrer">https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS</a> a few times to understand how to do this. Note that that page has a broken link: <a href="https://wiki.freeswitch.org/wiki/Secure_RTP" target="_blank" rel="noreferrer">https://wiki.freeswitch.org/wiki/Secure_RTP</a><br><br>First, is it still true that FS doesn't offer prebuilt installs (for Ubuntu) to support this kind of security?<br><br>Assuming that it must be compiled, I began to follow <a href="https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie" target="_blank" rel="noreferrer">https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie</a> with the additional first step of:  apt-get install libssl-dev<div><br></div><div>I soon ran into "Unable to locate package freeswitch-video-deps-most".<br></div><div><br></div><div>What should I try next?</div><div><br></div><div>Cheers,</div><div>David</div></div>
</blockquote></div></div></div></div></blockquote></div><br></div></div>_________________________________________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank" rel="noreferrer">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
</blockquote></div>
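<p>The quoted message above describes a gentls_cert layout (tls/agent.pem holding the server cert and key, tls/CA/cacert.pem holding the CA cert) and a permission fix (chmod 640, chown root.freeswitch) after the files came out owned root:root. The following checker is an added example written for this page, not code from the thread or from the FreeSWITCH project: it walks that layout and reports files that are missing, lack the expected PEM blocks, carry a world-readable private key, or are not readable by the service group. The <code>make_demo_dir</code> helper builds a throwaway directory with constructed placeholder PEM markers (not real certificates or keys) so the script runs offline; the group name <code>freeswitch</code> is assumed from the chown command in the thread.</p>

```python
"""Check a FreeSWITCH-style tls/ directory for the defects described in the thread:
missing files, missing PEM blocks, a world-readable private key, or a file the
service user's group cannot read (the root:root ownership problem)."""
import grp
import os
import re
import stat
import tempfile
from pathlib import Path

# One PEM block: "-----BEGIN X-----" ... "-----END X-----" with matching labels.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(text):
    """Return the labels of the PEM blocks found in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_tls_file(path, expect_key, service_group=None):
    """Return a list of findings for one PEM file; an empty list means it passed."""
    path = Path(path)
    findings = []
    if not path.is_file():
        return [f"{path}: missing"]
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    types = pem_block_types(path.read_text())
    if not any(t in ("CERTIFICATE", "TRUSTED CERTIFICATE") for t in types):
        findings.append(f"{path}: no CERTIFICATE block")
    has_key = any(t.endswith("PRIVATE KEY") for t in types)
    if expect_key and not has_key:
        findings.append(f"{path}: no PRIVATE KEY block (agent.pem must hold cert and key)")
    # A private key that any local user can read defeats the point of TLS.
    if has_key and mode & stat.S_IROTH:
        findings.append(f"{path}: private key is world-readable (mode {mode:04o})")
    if service_group is not None:
        try:
            owner_group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            owner_group = str(st.st_gid)
        # Mirrors the thread's fix: group must be the service group and have read access.
        if owner_group != service_group or not mode & stat.S_IRGRP:
            findings.append(
                f"{path}: not readable by group {service_group} "
                f"(group {owner_group}, mode {mode:04o})")
    return findings


def check_tls_dir(tls_dir, service_group=None):
    """Check agent.pem (cert + key) and CA/cacert.pem (cert only) under tls_dir."""
    tls_dir = Path(tls_dir)
    return (check_tls_file(tls_dir / "agent.pem", expect_key=True, service_group=service_group)
            + check_tls_file(tls_dir / "CA" / "cacert.pem", expect_key=False,
                             service_group=service_group))


# Constructed placeholder PEM content for a stand-alone demo; these are not real
# certificates or keys, only the block markers the checker looks for.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"


def make_demo_dir(world_readable):
    """Build a throwaway tls/ layout like the one in the thread and return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "CA").mkdir()
    (root / "agent.pem").write_text(FAKE_CERT + FAKE_KEY)
    (root / "CA" / "cacert.pem").write_text(FAKE_CERT)
    # 0644 reproduces the as-generated world-readable state; 0640 is the thread's fix.
    os.chmod(root / "agent.pem", 0o644 if world_readable else 0o640)
    os.chmod(root / "CA" / "cacert.pem", 0o644)
    return root


if __name__ == "__main__":
    # Against a real install: check_tls_dir("/opt/freeswitch/etc/freeswitch/tls", "freeswitch")
    for flag in (True, False):
        demo = make_demo_dir(world_readable=flag)
        print(f"world_readable={flag}:", check_tls_dir(demo) or "OK")
```

<p>Run as-is it only exercises the constructed demo directories; point <code>check_tls_dir</code> at the real tls/ path with <code>service_group="freeswitch"</code> to reproduce the ownership check the thread performed by hand. It deliberately inspects only file layout and permissions, which is what went wrong in the thread; validating the certificate contents themselves is still the job of the <code>openssl x509 -text</code> command quoted above.</p>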