[Freeswitch-users] TLS/Freeswitch self signed certs

Brian West brian at freeswitch.org
Wed Aug 21 20:16:13 MSD 2013


Your diff file on your jira is backwards. Can you please patch the .in file itself, then git diff and attach that?

On Aug 12, 2013, at 7:18 PM, Peter <eidevm5 at gmail.com> wrote:

> Yes, I'll open a jira ticket.
> 
> Also, just wanted to correct something I wrote in my last email.
> 
> Where I said:
> 
> "If these are present, then Android will treat the cert as a standard user cert."
> 
> I meant
> 
> "If these are NOT present, then Android will treat the cert as a standard user cert."
> 
> 
> On Tue, Aug 13, 2013 at 12:50 AM, Michael Jerris <mike at jerris.com> wrote:
> This sounds like it should be in the script for everyone. Can you open a bug on jira.freeswitch.org for this issue?
> 
> Thanks
> Mike
> 
> On Aug 6, 2013, at 2:16 AM, Peter <eidevm5 at gmail.com> wrote:
> 
>> Finally figured out the issue: the gentls_cert script was generating an openssl template that didn't have the required x509v3 extensions set.
>> 
>> I modified the script where it generates config.tpl to add
>> 
>>                         x509_extensions = v3_ca
>> 
>> to the [req] section, then I added the section:
>> 
>>                         [ v3_ca ]
>>                         subjectKeyIdentifier=hash
>>                         authorityKeyIdentifier=keyid:always,issuer
>>                         basicConstraints=CA:TRUE
>> 
>> Now when you issue:
>> 
>> openssl x509 -noout -inform pem -text -in cafile.pem
>> 
>> you'll see the following section:
>> 
>>         X509v3 extensions:
>>             X509v3 Subject Key Identifier:
>>                 02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5
>>             X509v3 Authority Key Identifier:
>>                 keyid:02:0A:A8:D0:5C:23:7C:8B:C4:EF:79:11:C7:0C:A8:86:71:15:59:D5
>> 
>>             X509v3 Basic Constraints:
>>                 CA:TRUE
>> 
>> If these are present, then Android will treat the cert as a standard user cert.
>> 
>> Then it was a simple matter of copying cafile.pem to cafile.crt on the sdcard on the Android device and using the "install from device storage" option.
>> 
>> When the cert installer dialog comes up, it will now detect cafile.crt as a CA cert and not user cert.
>> 
>> Hope this helps other people, as cert management on Android is a right pain in the $#%^.
>> 
>> Peter
>> 
>> 
>> 
>> On Tue, Aug 6, 2013 at 2:31 PM, Peter <eidevm5 at gmail.com> wrote:
>> The reason I put it on a webserver is mostly for convenience to make it easier to install.
>> 
>> I tried copying cafile.pem to /sdcard on a Galaxy Note II, but when I try the "Install from device storage" option, it just comes back with:
>> 
>> "No certificate file found on SD card"
>> 
>> 
>> 
>> On Mon, Aug 5, 2013 at 5:51 PM, Mehroz Ashraf <mehroz.ashraf85 at gmail.com> wrote:
>> Why do you want to place the cert on a webserver and point the Android browser to it? If you are doing this to download the cert onto Android, then that is probably not the right approach.
>> 
>> I used cafile.pem (without converting it into .der format), placed the file on the SD card or in phone memory, and pointed Linphone to get the CA from that path. You may need to search in the libraries for where it needs to be told the path.
>> 
>> 
>> On Mon, Aug 5, 2013 at 12:15 PM, Peter <eidevm5 at gmail.com> wrote:
>> Has anyone managed to get TLS working between Android Linphone and Freeswitch?
>> 
>> I've done the basic TLS setup as per https://wiki.freeswitch.org/wiki/Tls
>> 
>> I then convert the CA cert from PEM to DER format with:
>> 
>> openssl x509  -inform PEM -outform der -in cafile.pem -out fs.crt
>> 
>> I place fs.crt on a webserver and point my Android browser to it.
>> 
>> When I click on fs.crt, I get the default Android Certificate installer popup, but it always says:
>> 
>> "Package contains: one user certificate"
>> 
>> i.e. it thinks it is a user cert rather than a CA cert.
>> 
>> Android appears to be a real pain to add a CA to its trusted credential store.
>> 
>> Really interested if anyone has managed to get Android to import the CA cert.
>> 
>> Thanks
>> 
>> Peter
> 
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> 
> 
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130821/d0a4c762/attachment.bin 
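
Added example (not part of the thread and not the gentls_cert script itself): a shell check that builds a request template with and without the `x509_extensions = v3_ca` line and `[ v3_ca ]` section quoted above, self-signs a certificate from each, and tests for the `CA:TRUE` basic constraint. The CN, file names and temporary directory are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example. CN, file names and the temp directory are constructed.

# write_tpl FILE yes|no: write a minimal req template; "yes" adds the
# x509_extensions line and the [ v3_ca ] section quoted in the thread.
write_tpl() {
    {
        printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\n'
        if [ "$2" = yes ]; then printf 'x509_extensions = v3_ca\n'; fi
        printf '\n[ req_dn ]\nCN = Constructed Test CA\n'
        if [ "$2" = yes ]; then
            printf '\n[ v3_ca ]\n'
            printf 'subjectKeyIdentifier=hash\n'
            printf 'authorityKeyIdentifier=keyid:always,issuer\n'
            printf 'basicConstraints=CA:TRUE\n'
        fi
    } > "$1"
}

# make_cert TPL OUT: self-sign a throwaway certificate from the template.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# is_ca_cert PEM: succeed only if the certificate carries CA:TRUE.
# Only basicConstraints is tested; key identifiers are not a reliable
# signal because some OpenSSL releases add them by default.
is_ca_cert() {
    openssl x509 -noout -inform pem -text -in "$1" | grep -q 'CA:TRUE'
}

WORK=$(mktemp -d)
write_tpl "$WORK/plain.tpl" no
make_cert "$WORK/plain.tpl" "$WORK/plain.pem"
write_tpl "$WORK/ca.tpl" yes
make_cert "$WORK/ca.tpl" "$WORK/cafile.pem"

for f in plain.pem cafile.pem; do
    if is_ca_cert "$WORK/$f"; then
        echo "$f: CA:TRUE present"
    else
        echo "$f: no CA basic constraint"
    fi
done
```

Running `is_ca_cert` against an existing cafile.pem before copying it to a device shows whether the template that produced it included the extensions.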

