[Freeswitch-users] enabling tls cause sip_profile error

Assaf Dahary adahary at gmail.com
Sun Nov 10 13:37:35 MSK 2013


Robert,

Thanks for your tip.
I've replaced the gentls_cert.in file, rebuilt, generated agent.pem and
others and then was able to reload mod_sofia with tls with no errors.

Now I have to put in conf/ssl the startssl cert files for clients to connect
over tls without installing my customized cert.
The startssl files are already in place for apache mod_ssl.

Can you please provide a helpful tip on that?

Thanks

assaf

-----Original Message-----
From: Assaf Dahary [mailto:adahary at gmail.com] 
Sent: Sunday, November 10, 2013 9:27 AM
To: 'FreeSWITCH Users Help'
Subject: RE: [Freeswitch-users] enabling tls cause sip_profile error

Robert,

I'm using CentOS 5.3 with OpenSSL 0.9.8e-fips-rhel5. 
As you pointed out, after rebuilding from the latest 1.2.stable I couldn't
use the gentls tool because of the lack of "openssl ecparam" command.
I've tried to update the openssl but then realized that it will break most of
the applications that run on it - so I did not update.

I've checked on another machine with older FS version and did see another
gentls_cert.in file without the ecparam command.

Are you suggesting to replace it in freeswitch/scripts/gentls_cert.in and
rebuild?

Thanks for your help

Assaf


-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org
[mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Robert
Hadley
Sent: Friday, November 08, 2013 6:57 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] enabling tls cause sip_profile error

Hi Assaf,

I don't know offhand what files are required or what types of certs are
supported.  One suggestion would be to follow FS instructions to create
self-signed cert files and see if the profile works in SSL mode first (it
does for me), then figure out what is necessary to use your cert.  You
probably need all of the *.pem files.

What version of OS are you using?

In the 1.2.14 stable branch, there was a change made to the
freeswitch/scripts/gentls_cert.in file that uses "openssl ecparam" command
that is not available in OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 for CentOS
5.7.  I have to use an earlier revision of the script.


Regards,
Robert


-----Original Message-----
From: Assaf Dahary [mailto:adahary at gmail.com]
Sent: Thursday, November 07, 2013 12:34 PM
To: 'FreeSWITCH Users Help'
Subject: Re: [Freeswitch-users] enabling tls cause sip_profile error

Robert,

I'm using certs from StartSSL - not self generated by fs tools.
The certs from startssl work fine with apache/https so I assume they should
work fine in conf/ssl.

I'm not yet testing my sip client with fs tls.

I'm still not able to reload FS with tls config and have the tls port up and
open for sip/tls requests from my client.

Do I need to have all the files in the list that you specified in order to
bring up the tls port?

Assaf


-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org
[mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Robert
Hadley
Sent: Thursday, November 07, 2013 9:38 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] enabling tls cause sip_profile error

Hi assaf,

Did you follow the instructions to create your server's CA cert:
http://wiki.freeswitch.org/wiki/SIP_TLS#Step_1_-_Generate_the_CA_.28Root.29_Certificate
Note that you have to insert your server's FQDN in the script command,
replacing the "pbx.freeswitch.org".

Verify there is an "ssl" folder in the freeswitch install conf folder.
in freeswitch/conf/ssl/
    +--> agent.pem  CA  cafile.pem
                    +--> config.tpl  cakey.pem  cacert.srl  cacert.pem

Regards,
Robert

-----Original Message-----
From: adahary [mailto:adahary at gmail.com]
Sent: Thursday, November 07, 2013 6:12 AM
To: freeswitch-users at lists.freeswitch.org
Subject: [Freeswitch-users] enabling tls cause sip_profile error

I have enabled tls/ssl in vars.xml and restarted freeswitch.
When reloading mod_sofia all profiles got into errors.

I have read that openssl-devel should be installed before compiling FS.

I did that before building FS without adding anything special for the ssl on
the ./configure command (like --enable-zrtp).

I'm about to repeat the build procedure but before that I would like to ask
if there is something else to be done besides installing openssl-devel
(done) and # ./configure.

regards

assaf





--
View this message in context:
http://freeswitch-users.2379917.n2.nabble.com/enabling-tls-cause-sip-profile-error-tp7595981.html
Sent from the freeswitch-users mailing list archive at Nabble.com.



_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org
http://www.freeswitchsolutions.com




Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4158 / Virus Database: 3629/6814 - Release Date: 11/06/13
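
An added example, not part of the original thread or of FreeSWITCH's own scripts: a preflight check for the two failure points discussed above, an OpenSSL build that lacks the "openssl ecparam" command and a conf/ssl directory missing agent.pem or cafile.pem. The function names are hypothetical, and the check that agent.pem holds both a certificate and its private key is an assumption the thread does not state.

```shell
#!/bin/sh
# Preflight for a FreeSWITCH conf/ssl directory (added example, not project code).

# Return 0 if the given openssl binary implements the "ecparam" subcommand.
# Builds without EC support reject it as an invalid command and exit non-zero.
openssl_has_ecparam() {
    "${1:-openssl}" ecparam -list_curves >/dev/null 2>&1
}

# Return 0 if FILE ($1) contains a PEM block whose label matches the ERE in $2.
pem_has_block() {
    grep -Eq -- "^-----BEGIN ($2)-----" "$1" 2>/dev/null
}

# Print one finding per line for the ssl directory in $1; nothing if it looks sane.
check_ssl_dir() {
    dir=$1
    for f in agent.pem cafile.pem; do
        [ -s "$dir/$f" ] || echo "missing: $f"
    done
    if [ -s "$dir/agent.pem" ]; then
        # Assumption: agent.pem carries the server certificate and its key.
        pem_has_block "$dir/agent.pem" 'CERTIFICATE' ||
            echo "agent.pem: no certificate"
        pem_has_block "$dir/agent.pem" '((RSA|EC) )?PRIVATE KEY' ||
            echo "agent.pem: no private key"
        # A file holding a private key should not be world-readable.
        [ -z "$(find "$dir/agent.pem" -perm -004 2>/dev/null)" ] ||
            echo "agent.pem: world-readable"
    fi
    if [ -s "$dir/cafile.pem" ]; then
        pem_has_block "$dir/cafile.pem" 'CERTIFICATE' ||
            echo "cafile.pem: no certificate"
    fi
}

# Usage: sh preflight.sh /path/to/freeswitch/conf/ssl
if [ "$#" -gt 0 ]; then
    openssl_has_ecparam || echo "openssl: no ecparam subcommand"
    check_ssl_dir "$1"
fi
```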