[Freeswitch-users] TLS/Freeswitch self signed certs

Peter eidevm5 at gmail.com
Tue Aug 13 04:18:48 MSD 2013


Yes, I'll open a jira ticket.

Also, just wanted to correct something I wrote in my last email.

Where I said:

"If these are present, then Android will treat the cert as a standard user
cert."

I meant

"If these are NOT present, then Android will treat the cert as a standard
user cert."


On Tue, Aug 13, 2013 at 12:50 AM, Michael Jerris <mike at jerris.com> wrote:

> This sounds like it should be in the script for everyone.  Can you open a
> bug on jira.freeswitch.org for this issue.
>
> Thanks
> Mike
>
> On Aug 6, 2013, at 2:16 AM, Peter <eidevm5 at gmail.com> wrote:
>
> Finally figured out that the issue was that the gentls_cert script was
> generating an openssl template that didn't have the required x509v3
> extensions set.
>
> I modified the script where it generates config.tpl to add
>
>                         x509_extensions = v3_ca
>
> to the [req] section, then I added the section:
>
>                         [ v3_ca ]
>                         subjectKeyIdentifier=hash
>                         authorityKeyIdentifier=keyid:always,issuer
>                         basicConstraints=CA:TRUE
>
> Now when you issue:
>
> openssl x509 -noout -inform pem -text -in cafile.pem
>
> you'll see the following section:
>
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5
>             X509v3 Authority Key Identifier:
>                 keyid:02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>
> If these are present, then Android will treat the cert as a standard user
> cert.
>
> Then it was a simple matter of copying cafile.pem to cafile.crt on the
> sdcard on the Android device and using the "install from device storage"
> option.
>
> When the cert installer dialog comes up, it will now detect cafile.crt as
> a CA cert and not user cert.
>
> Hope this helps other people, as cert management on Android is a right
> pain in the $#%^.
>
> Peter
>
>
>
> On Tue, Aug 6, 2013 at 2:31 PM, Peter <eidevm5 at gmail.com> wrote:
>
>> The reason I put it on a webserver is mostly for convenience to make it
>> easier to install.
>>
>> I tried copying cafile.pem to /sdcard on a Galaxy Note II, but when I try
>> the "Install from device storage" option, it just comes back with:
>>
>> "No certificate file found on SD card"
>>
>>
>>
>> On Mon, Aug 5, 2013 at 5:51 PM, Mehroz Ashraf <mehroz.ashraf85 at gmail.com> wrote:
>>
>>> Why do you want to place the cert on a webserver and point the Android
>>> browser to it? If you are doing this to download the cert onto Android,
>>> then that is probably not the right approach.
>>>
>>> I used cafile.pem (without converting it into .der format), placed
>>> the file on the SD card or in phone memory, and pointed linphone to get
>>> the CA from that path. You may search in the libraries for where it
>>> needs to be told the path.
>>>
>>>
>>> On Mon, Aug 5, 2013 at 12:15 PM, Peter <eidevm5 at gmail.com> wrote:
>>>
>>>> Has anyone managed to get TLS working between Android Linphone and
>>>> Freeswitch?
>>>>
>>>> I've done the basic TLS setup as per
>>>> https://wiki.freeswitch.org/wiki/Tls
>>>>
>>>> I then convert the CA cert from PEM to DER format with:
>>>>
>>>> openssl x509  -inform PEM -outform der -in cafile.pem -out fs.crt
>>>>
>>>> I place fs.crt on a webserver and point my Android browser to it.
>>>>
>>>> When I click on fs.crt, I get the default Android Certificate installer
>>>> popup, but it always says:
>>>>
>>>> "Package contains: one user certificate"
>>>>
>>>> ie: it thinks it is a user cert rather than a CA cert.
>>>>
>>>> Android appears to be a real pain to add a CA to its trusted credential
>>>> store.
>>>>
>>>> Really interested if anyone has managed to get Android to import the CA
>>>> cert.
>>>>
>>>> Thanks
>>>>
>>>> Peter
>>>>
>>>
>
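The template change described in the thread, as an added example that is not part of the original messages or of the gentls_cert script: it writes a minimal config.tpl carrying the quoted v3_ca section, creates a self-signed cafile.pem from it, and checks for the CA basic constraint with the same inspection command. The CN value, the key file name cakey.pem and the function names are assumptions.

```shell
#!/bin/sh
# Added example (constructed config; not the project's gentls_cert script).

# write_tpl FILE: write a minimal req template with the v3_ca extensions
# quoted in the thread. The [ req_dn ] value is a made-up placeholder.
write_tpl() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
CN = Example FreeSWITCH CA

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:TRUE
EOF
}

# make_ca DIR: create a self-signed DIR/cafile.pem from the template above.
# cakey.pem is an assumed name for the unencrypted private key.
make_ca() {
    write_tpl "$1/config.tpl" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/config.tpl" \
        -keyout "$1/cakey.pem" -out "$1/cafile.pem" 2>/dev/null
}

# is_ca PEMFILE: succeed only if the certificate carries CA:TRUE in its
# basic constraints, using the inspection command from the thread.
is_ca() {
    openssl x509 -noout -inform pem -text -in "$1" | grep -q 'CA:TRUE'
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
if is_ca "$demo_dir/cafile.pem"; then
    echo "cafile.pem: CA:TRUE present"
else
    echo "cafile.pem: no CA basic constraint"
fi
rm -rf "$demo_dir"
```

Running is_ca against an existing cafile.pem before copying it to the device shows whether the certificate carries the CA constraint discussed above.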