[Freeswitch-users] SIP TLS Issues

Karsten Horsmann - privat khorsmann at gmail.com
Sat Aug 17 00:37:16 MSD 2013


Hi Adam, 

try to change the tls mode in the vars.xml to ssl (see the comments in that file for the correct value). 

Some phones are too stupid for TLS. This setting helps. And it's documented on the wiki. 

Cheers karsten 
-- 
This message was sent from my Android mobile phone with K-9 Mail.



"Lappe, Adam" <Adam.Lappe at qsc.de> schrieb:

Hi all,

Some more things I tried so far:

openssl x509 -noout -modulus -in agent.pem | openssl md5
(stdin)= ebdfb317206ba89d07217c06e1f0d6eb

openssl rsa -noout -modulus -in agent.pem | openssl md5
(stdin)= ebdfb317206ba89d07217c06e1f0d6eb

At least the certificate and private key in the agent.pem are correct.

There is no output on the CLI when I try to register a phone.

My guess is that the content of agent.pem and/or cafile.pem is wrong.

Can someone please confirm this?

Best regards,

Adam

 

 

On Wed, 14 Aug 2013 at 16:07, Adam <ala at qsc.de> wrote:

Hi all,

I am trying to configure FreeSWITCH to speak TLS with all clients.
I followed the tutorial on http://wiki.freeswitch.com/wiki/SIP_TLS but I am still not sure what key / cert belongs in which file.

I have an SSL123 Thawte Wildcard Certificate.
Am I supposed to cat this cert + priv. key into agent.pem and the primary and secondary intermediate into the cafile.pem?

I did this and set the right permissions. The internal sofia profile on port 5061 (TLS) is RUNNING.

But no client (for example Polycom VVX1500) can register now.
If I set it to TCP and port 5060 (which is RUNNING as well) everything works fine.

Wireshark shows me the following:

Client -> FS       Client Hello
FS     -> Client   Alert (Level Fatal, Description: Handshake Failure)

I also tested openssl s_client -connect (IP):5061 -showcerts but it only says:

CONNECTED(00000003)
139847050823328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I guess the problem is the agent.pem and/or cafile.pem.

agent.pem looks like this:

-----BEGIN CERTIFICATE-----
(Thawte SSL123 Wildcard Web Certificate)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Unencrypted Private Key)
-----END RSA PRIVATE KEY-----

cafile.pem like this:

-----BEGIN CERTIFICATE-----
(Thawte Primary Intermediate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Thawte Secondary Intermediate)
-----END CERTIFICATE-----

Any suggestions?

Thanks in advance,

Adam
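As an added example (not from the thread, and not FreeSWITCH code) covering the two checks Adam's mails are working through: it constructs a throwaway CA and leaf pair, assembles agent.pem and cafile.pem in the layout described above, then verifies that the private key matches the certificate and that the certificate chains to cafile.pem. All file names and the CA/leaf subjects are assumptions.

```shell
# Added example, not code from the thread or from FreeSWITCH. Builds a
# throwaway CA + leaf pair, lays them out as agent.pem / cafile.pem the way
# the mail describes, then runs the two checks worth doing before blaming
# the sofia profile. All paths and subjects below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed fixture: a self-signed CA standing in for the Thawte
# intermediates, and a wildcard leaf it signs standing in for the SSL123 cert.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Example Test CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=*.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" -days 2 \
    >/dev/null 2>&1
  # agent.pem = server certificate followed by its unencrypted private key;
  # cafile.pem = the issuing chain, the same layout the mail proposes.
  cat "$WORK/leaf.pem" "$WORK/leaf.key" > "$WORK/agent.pem"
  cp "$WORK/ca.pem" "$WORK/cafile.pem"
}

# Check 1, the modulus comparison from the mail: certificate and private key
# in agent.pem must share one RSA modulus, or the file was built from the
# wrong key and every handshake will fail.
key_matches_cert() {
  c="$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5)"
  k="$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl md5)"
  [ "$c" = "$k" ]
}

# Check 2: the server certificate verifies against cafile.pem. openssl verify
# must reach a self-signed root, so a cafile.pem holding only intermediates
# (as in the mail) reports "unable to get issuer certificate" until the root
# is appended to it.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Both checks for one agent.pem / cafile.pem pair; succeeds only if both do.
run_checks() {
  key_matches_cert "$1" && chain_verifies "$1" "$2"
}

make_fixture
run_checks "$WORK/agent.pem" "$WORK/cafile.pem" && echo "agent.pem and cafile.pem are consistent"
```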
