<p dir="ltr">If the certs are self-signed you're going to have many many problems. I followed that tutorial with a valid cert and worked beautifully. Also i did it with 1.6.<br>
</p>
<br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 7, 2018, 18:40 fabio <<a href="mailto:f.antonini@tiesse.com">f.antonini@tiesse.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  

    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>Hi all</p>
    <p><br>
    </p>
    <p>I'm a Freeswitch newbie and I'm trying to setup SIP over TLS in
      my FS version 1.5.15. </p>
    <p>As first step I have configured a SIP Gateway that successfully
      registers to a dedicated SIP Registrar/Proxy (opensips) using SIP
      over UDP. With this configuration I can successfully place
      outbound and inbound calls without any problem. Everything works
      as a charm.<br>
    </p>
    <p>Further I have tried to switch to SIP over TLS and I followed the
      steps described in
      <a class="m_-4730216949600311473moz-txt-link-freetext" href="https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS" target="_blank">https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS</a>.</p>
    <p>I have installed the agent.pem and cafile.pem generated by
      opensips (my SIP Registrar) and I configured FS to use them. After
      restart the sofia gateway profile can successfully register to the
      SIP Registrar by SIP over TLS.</p>
    <p>Further I can successfully place outbound call (from internal
      channel through the SIP gateway).  It sounds great!<br>
    </p>
    <p>Unfortunately FS fails to handle inbound calls (SIP INVITE from
      an external SIP UA registered to the same SIP Registrar to the SIP
      UA extension of the FS SIP gateway).</p>
    <p>I have tried to trace all the logs I can. Here below some traces
      from the FS console when an inbound INVITE is received:</p>
    <p><br>
    </p>
    <p><tt>tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28):
        events IN</tt><tt><br>
      </tt><tt>tport.c:862 tport_alloc_secondary()
        tport_alloc_secondary(0xb7f28): new secondary tport 0x1398c0</tt><tt><br>
      </tt><tt>tport_type_tcp.c:203 tport_tcp_init_secondary()
        tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPIDLE to 30</tt><tt><br>
      </tt><tt>tport_type_tcp.c:209 tport_tcp_init_secondary()
        tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPINTVL to 30</tt><tt><br>
      </tt><tt>tport_type_tls.c:610 tport_tls_accept()
        tport_tls_accept(0x1398c0): new connection from
        tls/<a href="http://10.3.10.110:38632/sips" target="_blank">10.3.10.110:38632/sips</a></tt><tt><br>
      </tt><tt>tport_tls.c:919 tls_connect() tls_connect(0x1398c0):
        events NEGOTIATING</tt><tt><br>
      </tt><tt>tport_tls.c:1008 tls_connect() tls_connect(0x1398c0): TLS
        setup failed (error:00000001:lib(0):func(0):reason(1))</tt><tt><br>
      </tt><tt>tport.c:2090 tport_close() tport_close(0x1398c0):
        tls/<a href="http://10.3.10.110:38632/sips" target="_blank">10.3.10.110:38632/sips</a></tt><tt><br>
      </tt><tt>tport.c:2263 tport_set_secondary_timer() tport(0x1398c0):
        set timer at 0 ms because zap</tt></p>
    <p><tt><br>
      </tt></p>
    <p>In order to simplify the test I have also tried to connect to the
      5061 TLS port by a simple openssl command from a linux shell of
      the SIP Registrar box:</p>
    <p><br>
    </p>
    <p><font face="Courier New, Courier, monospace">openssl  s_client
        -connect <a href="http://10.11.4.103:5061" target="_blank">10.11.4.103:5061</a> -tls1_2 <br>
        CONNECTED(00000003)<br>
        3074304200:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
        alert handshake failure:s3_pkt.c:1256:SSL alert number 40<br>
        3074304200:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
        handshake failure:s3_pkt.c:596:<br>
        ---<br>
        no peer certificate available<br>
        ---<br>
        No client certificate CA names sent<br>
        ---<br>
        SSL handshake has read 7 bytes and written 0 bytes<br>
        ---<br>
        New, (NONE), Cipher is (NONE)<br>
        Secure Renegotiation IS NOT supported<br>
        Compression: NONE<br>
        Expansion: NONE<br>
        SSL-Session:<br>
            Protocol  : TLSv1.2<br>
            Cipher    : 0000<br>
            Session-ID: <br>
            Session-ID-ctx: <br>
            Master-Key: <br>
            Key-Arg   : None<br>
            PSK identity: None<br>
            PSK identity hint: None<br>
            SRP username: None<br>
            Start Time: 1528361426<br>
            Timeout   : 7200 (sec)<br>
            Verify return code: 0 (ok)<br>
        ---<br>
      </font><br>
    </p>
    <p>In the FS console I read the same traces received in the previous
      test with the inbound call.</p>
    <p><br>
    </p>
    <p><tt>tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28):
        events IN</tt><tt><br>
      </tt><tt>tport.c:862 tport_alloc_secondary()
        tport_alloc_secondary(0xb7f28): new secondary tport 0x248210</tt><tt><br>
      </tt><tt>tport_type_tcp.c:203 tport_tcp_init_secondary()
        tport_tcp_init_secondary(0x248210): Setting TCP_KEEPIDLE to 30</tt><tt><br>
      </tt><tt>tport_type_tcp.c:209 tport_tcp_init_secondary()
        tport_tcp_init_secondary(0x248210): Setting TCP_KEEPINTVL to 30</tt><tt><br>
      </tt><tt>tport_type_tls.c:610 tport_tls_accept()
        tport_tls_accept(0x248210): new connection from
        tls/<a href="http://10.11.4.103:33168/sips" target="_blank">10.11.4.103:33168/sips</a></tt><tt><br>
      </tt><tt>tport_tls.c:919 tls_connect() tls_connect(0x248210):
        events NEGOTIATING</tt><tt><br>
      </tt><tt>tport_tls.c:1008 tls_connect() tls_connect(0x248210): TLS
        setup failed (error:00000001:lib(0):func(0):reason(1))</tt><tt><br>
      </tt><tt>tport.c:2090 tport_close() tport_close(0x248210):
        tls/<a href="http://10.11.4.103:33168/sips" target="_blank">10.11.4.103:33168/sips</a></tt><tt><br>
      </tt><tt>tport.c:2263 tport_set_secondary_timer() tport(0x248210):
        set timer at 0 ms because zap</tt><tt><br>
      </tt><br>
    </p>
    <p>I have attached also a wireshark capture of the inbound call. In
      this capture the SIP Registrar has IP 10.3.10.110. The FS device
      is 10.11.4.103. The Client Hello is sent by the SIP Registrar, but
      the FS device replies with an "Alert: Level: fatal, Description: 
      handshake failure (40).</p>
    <p>I guess that there is some misconfiguration related to the TLS
      version or proposed ciphers  or any certifcates but I cannot
      understand what.</p>
    <p><br>
    </p>
    <p>For comparison I have tried to run the same openssl command from
      FS to the external SIP Registrar (outbound).</p>
    <p><br>
    </p>
    <p><font face="Courier New, Courier, monospace">openssl  s_client
        -connect <a href="http://10.3.10.110:5061" target="_blank">10.3.10.110:5061</a> -tls1_2 <br>
        CONNECTED(00000003)<br>
        depth=1 CN = Your_NAME, ST = Your_STATE, C = CO, emailAddress =
        YOUR_EMAIL, O = YOUR_ORG_NAME<br>
        verify error:num=19:self signed certificate in certificate chain<br>
        verify return:0<br>
        ---<br>
        Certificate chain<br>
         0 s:/C=XY/ST=Some State/O=My Large Organization Name/OU=My
        Subunit of Large
<a class="m_-4730216949600311473moz-txt-link-abbreviated" href="mailto:Organization/CN=somename.somewhere.com/emailAddress=root@somename.somewhere.com" target="_blank">Organization/CN=somename.somewhere.com/emailAddress=root@somename.somewhere.com</a><br>
          
i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<br>
         1
s:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<br>
          
i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<br>
        ---<br>
        Server certificate<br>
        -----BEGIN CERTIFICATE-----<br>
        MIIC6TCCAdGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBpMRIwEAYDVQQDFAlZb3Vy<br>
        X05BTUUxEzARBgNVBAgUCllvdXJfU1RBVEUxCzAJBgNVBAYTAkNPMRkwFwYJKoZI<br>
        hvcNAQkBFgpZT1VSX0VNQUlMMRYwFAYDVQQKFA1ZT1VSX09SR19OQU1FMB4XDTE4<br>
        MDUwODEyMzcyM1oXDTE5MDUwODEyMzcyM1owgb8xCzAJBgNVBAYTAlhZMRMwEQYD<br>
        VQQIEwpTb21lIFN0YXRlMSMwIQYDVQQKExpNeSBMYXJnZSBPcmdhbml6YXRpb24g<br>
        TmFtZTEpMCcGA1UECxMgTXkgU3VidW5pdCBvZiBMYXJnZSBPcmdhbml6YXRpb24x<br>
        HzAdBgNVBAMTFnNvbWVuYW1lLnNvbWV3aGVyZS5jb20xKjAoBgkqhkiG9w0BCQEW<br>
        G3Jvb3RAc29tZW5hbWUuc29tZXdoZXJlLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sA<br>
        MEgCQQDL7uikSc1kVIvw5rhyQzk2dSJcmJ6EJ1LSmtAoafZH8bqfZ25cDQZQGi05<br>
        YcuxGR0vSaW7xPnyhaWCLQlxQFx7AgMBAAGjDTALMAkGA1UdEwQCMAAwDQYJKoZI<br>
        hvcNAQEFBQADggEBAHv4WzGdYhoEyHZmBQTVjdEKOVBMnNoOqum79uzWtSzSjG4E<br>
        pP/9c331uT7fBZ/Z7XNhIV+PbDZXorLgUhwwT7zxYURNnV52Of2SWRmWtPBrgEX1<br>
        +8S0IMtJFfJta8FAfTTaNqLpRDaiTQs3em1Maxls15cTyRQzMIjIJnY4eRrh5CNM<br>
        YV/+kg/lpKAe0awiMu96cxpnMdz9h33g7RedBnh9wDi6k7pfYtvlC6o4snZO01AN<br>
        8qRiQf54OPvKcVeseJFBPWLhdYns6g+/SXhq1Lek2us93ZpuKgIaBtzkyDm2+SFa<br>
        QXF9f0a+UuEdPvrtvMjAijcDwcaXq0r2f2MA++M=<br>
        -----END CERTIFICATE-----<br>
        subject=/C=XY/ST=Some State/O=My Large Organization Name/OU=My
        Subunit of Large
<a class="m_-4730216949600311473moz-txt-link-abbreviated" href="mailto:Organization/CN=somename.somewhere.com/emailAddress=root@somename.somewhere.com" target="_blank">Organization/CN=somename.somewhere.com/emailAddress=root@somename.somewhere.com</a><br>
issuer=/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<br>
        ---<br>
        No client certificate CA names sent<br>
        ---<br>
        SSL handshake has read 1979 bytes and written 337 bytes<br>
        ---<br>
        New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384<br>
        Server public key is 512 bit<br>
        Secure Renegotiation IS NOT supported<br>
        Compression: NONE<br>
        Expansion: NONE<br>
        SSL-Session:<br>
            Protocol  : TLSv1.2<br>
            Cipher    : AES256-GCM-SHA384<br>
            Session-ID:
        EA8B17008E58F1D04CD1CEA53103CF477AA9DE0DC80A4FF4F0DD4814031E4C15<br>
            Session-ID-ctx: <br>
            Master-Key:
D28ED5C21D288944D2277AF86FE82A9BF3BEDABAA14DBCD5AE32B190EF0A0CA6AB99719E751E6DD4FECAA9DD1307A3C0<br>
            Key-Arg   : None<br>
            PSK identity: None<br>
            PSK identity hint: None<br>
            SRP username: None<br>
            TLS session ticket lifetime hint: 300 (seconds)<br>
            TLS session ticket:<br>
            0000 - 2f c5 82 ea bf 8b 66 49-bc bc ee 48 1a fb 8e 6c  
        /.....fI...H...l<br>
            0010 - de 42 d9 e0 6e 36 40 78-06 cc 68 c6 74 6d 6e aa  
        .B..n6@x..h.tmn.<br>
            0020 - b6 53 8a ed b2 8d 5a c4-02 e1 88 8b d2 a9 56 5f  
        .S....Z.......V_<br>
            0030 - ee c6 b9 14 55 da 37 df-8f aa af 81 b4 22 4e be  
        ....U.7......"N.<br>
            0040 - 9c c5 87 d6 46 22 47 03-4a 88 dd 1e 9d 05 81 09  
        ....F"G.J.......<br>
            0050 - c3 8b 9f 44 29 90 4d 93-c9 f5 41 e2 4d 72 1b de  
        ...D).M...A.Mr..<br>
            0060 - 8d c2 15 ab 49 ad da 26-0e 72 a9 01 02 3e 89 33  
        ....I..&.r...>.3<br>
            0070 - 6e 6c 2f 20 1c 15 06 7a-8d c5 a6 6e ee 46 d2 76   nl/
        ...z...n.F.v<br>
            0080 - 63 c1 89 1e 9b 3c a1 10-d0 78 31 9e e6 8e 86 ab  
        c....<...x1.....<br>
            0090 - ff bc 3a 4c ab 3d 33 8f-e9 56 c5 f1 45 46 73 41  
        ..:L.=3..V..EFsA<br>
        <br>
            Start Time: 1528361487<br>
            Timeout   : 7200 (sec)<br>
            Verify return code: 19 (self signed certificate in
        certificate chain)<br>
        ---<br>
        closed</font></p>
    <p><font face="Courier New, Courier, monospace"></font><br>
    </p>
    <p>In this case the command seems to have been successfully
      executed. I remark that the outbound TLS transactions seems to be
      working fine also from FS (SIP Registrar, SIP INVITE in outbound
      don't have any problem).</p>
    <p>If required I can provide also the FS configuration files
      (vars.xml, sofia.conf.xml,  etc etc).<br>
    </p>
    <p>Any help will be greatly appreciated.</p>
    <p>Thanks in advance<br>
    </p>
    <p>Best regards</p>
    <p><br>
    </p>
    <p>fabio<br>
    </p>
    <div class="m_-4730216949600311473moz-signature">
      
      
      
      </div>
  </div>

_________________________________________________________________________<br>
Professional FreeSWITCH Services<br>
<a href="mailto:sales@freeswitch.com" target="_blank">sales@freeswitch.com</a><br>
<a href="https://freeswitch.com" rel="noreferrer" target="_blank">https://freeswitch.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="https://freeswitch.com/oss" rel="noreferrer" target="_blank">https://freeswitch.com/oss</a><br>
<a href="https://freeswitch.org/confluence" rel="noreferrer" target="_blank">https://freeswitch.org/confluence</a><br>
<a href="https://cluecon.com" rel="noreferrer" target="_blank">https://cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="https://freeswitch.com" rel="noreferrer" target="_blank">https://freeswitch.com</a></blockquote></div>