[Freeswitch-dev] ciphers on verto and profile wss

Michael Jerris mike at jerris.com
Tue Oct 31 15:08:24 UTC 2017


> On Oct 27, 2017, at 1:55 PM, alexis <alzrck at gmail.com> wrote:
> 
> Hello, I'm facing a problem with WebRTC and I would like to share the situation and see how wrong I am :)
> 
> As you know, Google (well, not only Google) (most of our WebRTC users use Chrome) is pushing to move to ECC-signed X509 certificates; ECC keys are smaller than RSA, and it benefits the calculation of encryption, less data on the cable, etc. etc. etc. Not the point of this mail actually.
> 
> I have an X509 cert signed with an ECC key (working on nginx, Tomcat, etc.). Now I want to use this same cert in FreeSWITCH. I don't use mod_verto (but I'm trying with it too in this problem). Usually, enabling wss on the SIP internal profile is enough for us; we have a phone developed by us (using sipjs) that is enough for our needs and works perfectly.
> 
> Thing is, if I build a wss.pem, tls.pem and dtls-srtp.pem with this cert (the ECC-signed one), websocket does not work. Here's the detail of that:
> 
> . websocket starts? Yes (profile, verto), all start, ports are up, SSL is up, you can connect with openssl s_client and it works
> . What's the problem then? That wss on the SIP profile and/or wss on verto does not accept any ECDHE-ECDSA cipher at all (Chrome, Firefox receive a server handshake failure right after the client hello)
> . Could the cert be wrong? Yes, but if I enable sip-tls on the internal profile, I'm able to connect to port 5061 and ECDHE-ECDSA is accepted (SIP TLS works perfectly with this same certificate)
> 
> I'm not a good C programmer (I work with Java, JavaScript and Python), but I've been working with mod_verto/mod_verto.c and mod_verto/ws.c trying to load all ciphers in the ssl_init methods and whatever was within my reach, without success.
> 
> FS version is 1.6.19 from source, openssl is 1.0.2g; by now I'm testing on Ubuntu (production is Debian 8.6).

Ubuntu openssl is your issue.  They’ve disabled EC stuff in openssl.

> 
> if you can lead me where to check or change or any clue to get it working will be extremely appreciated.
> 
> thanks in advance, best regards
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-dev mailing list
> FreeSWITCH-dev at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-dev
> http://www.freeswitch.org
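The thread's diagnosis hinges on two separate questions: does the OpenSSL build that FreeSWITCH links against offer ECDHE-ECDSA suites at all, and does the wss listener complete a handshake when a client offers exactly one of them? The script below, added here as an illustration and not part of the thread or of FreeSWITCH, separates those two checks in Python's `ssl` module: `local_build_supports()` asks the local OpenSSL whether it can even select each suite (a build with EC disabled rejects every ECDHE-ECDSA name), and `probe_suite()` repeats the `openssl s_client` experiment from the first message one suite at a time against a host and port you operate, classifying a `handshake_failure` alert separately from transport errors. The default port 7443 is an assumption for the profile's wss-binding; pass the port your profile actually binds.

```python
import socket
import ssl

# OpenSSL names of the suites the thread is about: ECDHE-ECDSA suites that
# Chrome/Firefox offer for an ECDSA-signed certificate, plus RSA suites as a
# control group (an RSA cert would pass with these and fail with the former).
ECDSA_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
]
RSA_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]


def openssl_build_info():
    """Version string of the OpenSSL this Python is linked against."""
    return ssl.OPENSSL_VERSION


def local_build_supports(suites):
    """Return the subset of `suites` the local OpenSSL build can offer.

    A build with EC support compiled out answers 'No cipher can be selected'
    for every ECDHE-ECDSA name, which is the cause the reply points at.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    supported = []
    for suite in suites:
        try:
            ctx.set_ciphers(suite)
        except ssl.SSLError:
            continue  # the build knows no cipher by this name
        supported.append(suite)
    return supported


def classify_handshake_error(exc):
    """Map an exception raised during a probe to a short verdict."""
    text = str(exc).lower()
    if "handshake failure" in text:
        # The server sent an alert after ClientHello: it has no usable
        # (cert, suite) pair for what we offered.
        return "server rejected suite (handshake_failure alert)"
    if "no cipher can be selected" in text:
        return "local build cannot offer suite"
    if isinstance(exc, ssl.SSLError):
        return "other TLS error: %s" % exc
    if isinstance(exc, OSError):
        return "network/transport error: %s" % exc
    return "other: %s" % exc


def probe_suite(host, port, suite, timeout=5.0):
    """Offer exactly one cipher suite to host:port and report the outcome.

    Mirrors `openssl s_client -cipher <suite>`; certificate validation is
    off because the only question is whether the handshake completes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # The names above are TLS 1.2 suite names; cap the version so a TLS 1.3
    # negotiation cannot silently bypass the single-suite restriction.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError as exc:
        return suite, classify_handshake_error(exc)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return suite, "accepted (%s)" % tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return suite, classify_handshake_error(exc)


def probe_all(host, port):
    """Probe every suite in both groups; returns (suite, verdict) pairs."""
    return [probe_suite(host, port, s) for s in ECDSA_SUITES + RSA_SUITES]


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # 7443 is an assumed wss-binding port; use the one your profile binds.
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7443
    print("local OpenSSL:", openssl_build_info())
    print("local build offers:", local_build_supports(ECDSA_SUITES))
    for suite, verdict in probe_all(host, port):
        print("%-32s %s" % (suite, verdict))
```

Run it once against the sip-tls port and once against the wss port with the same certificate files: the pattern in the first message (ECDSA suites accepted on 5061, every one of them answered with a handshake_failure alert on wss, RSA suites failing on both because the cert is ECDSA-signed) points at the listener's own SSL context rather than the certificate, and an empty `local build offers` list on the FreeSWITCH host confirms the reply's explanation before any source is touched.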
