<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Try something NOT Ubuntu. Ubuntu disables some required stuff in their OpenSSL, making it unusable for WebRTC, at least in some versions.<div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On May 24, 2018, at 1:27 AM, David P <<a href="mailto:davidswalkabout@gmail.com" class="">davidswalkabout@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">While waiting for suggestions, I tried more things. In particular, I tested whether gentls_cert was present in our FS install (which is at /opt/freeswitch/ on Ubuntu).<div class=""><br class=""></div><div class="">It is present, but the CA root cert step writes to {prefix}/etc/freeswitch/tls/CA/ instead of {prefix}/conf/ssl/CA/. In particular, the root CA step generates:</div><div class=""><br class=""></div><div class="">etc/freeswitch/tls/<br class=""></div><div class="">  cafile.pem</div><div class=""><br class=""></div><div class="">etc/freeswitch/tls/CA/<br class=""></div><div class="">  cacert.pem</div><div class="">  cakey.pem</div><div class="">  config.tpl</div><div class=""><br class=""></div><div class="">And the server cert step generates:</div><div class="">

<div class="">etc/freeswitch/tls/<br class=""></div><div class="">  agent.pem</div><div class=""><br class=""></div><div class="">etc/freeswitch/tls/CA/<br class=""></div><div class="">  cacert.srl<br class=""></div><div class=""><br class=""></div><div class="">Reviewing agent.pem shows it's fine:</div><div class="">openssl x509 -noout -inform pem -text -in /opt/freeswitch/etc/freeswitch/tls/agent.pem<br class=""></div><div class=""><br class=""></div><div class="">But it's owned by user root, group root, so:</div><div class="">cd /opt/freeswitch/etc/freeswitch/tls/<br class=""></div><div class="">chmod 640 agent.pem CA/cacert.pem<br class=""></div><div class="">chown root.freeswitch agent.pem CA/cacert.pem<br class=""></div><div class=""><br class=""></div><div class="">Then I edited /opt/freeswitch/etc/freeswitch/vars.xml to set internal_ssl_enable and external_ssl_enable to true.</div><div class=""><br class=""></div><div class="">Then I restarted FS. I checked the CLI and it shows "WS SETUP FAILED" repeatedly. *Any suggestion?*</div><div class=""><br class=""></div><div class="">Blazing ahead... then I exposed the public IP of the FS machine under a subdomain of the CA root cert's domain. (I used a wildcard subdomain for -org when generating both certs; maybe giving a wildcard this way is unnecessary or counterproductive.)</div><div class=""><br class=""></div><div class="">Now, the part that puzzles me: I'm already using a "real CA" cert in order to serve my verto client files over https from my DNS name, so browsers won't show security warnings. But I bet I need to have the same CA root cert installed in FS as I use in the webserver, right? I saw the note that commercial certs should work, but *it's not clear what steps to follow to install one*.</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">David</div>

<br class=""></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, May 22, 2018 at 9:50 PM, David P <span dir="ltr" class=""><<a href="mailto:davidswalkabout@gmail.com" target="_blank" class="">davidswalkabout@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" class="">We use conferences to allow a verto user to call and connect with an Asterisk channel. We would like to secure both signalling and media via TLS + SRTP, and I've read <a href="https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS" target="_blank" class="">https://freeswitch.org/<wbr class="">confluence/display/FREESWITCH/<wbr class="">SIP+TLS</a> a few times to understand how to do this. Note that that page has a broken link: <a href="https://wiki.freeswitch.org/wiki/Secure_RTP" target="_blank" class="">https://wiki.freeswitch.org/<wbr class="">wiki/Secure_RTP</a><br class=""><br class="">First, is it still true that FS doesn't offer prebuilt installs (for Ubuntu) to support this kind of security?<br class=""><br class="">Assuming that it must be compiled, I began to follow <a href="https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie" target="_blank" class="">https://freeswitch.org/<wbr class="">confluence/display/FREESWITCH/<wbr class="">Debian+8+Jessie</a> with the additional first step of:  apt-get install libssl-dev<div class=""><br class=""></div><div class="">I soon ran into "Unable to locate package freeswitch-video-deps-most".<br class=""></div><div class=""><br class=""></div><div class="">What should I try next?</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">David</div></div>
</blockquote></div></div></div></div></blockquote></div><br class=""></div></body></html>