[Freeswitch-users] TLS with Cisco SPA112

Nick Vines jnvines at gmail.com
Sun Sep 29 05:46:59 MSD 2013


Turns out there isn't a way to load any cert onto the spa112, and its logging is not helpful at all. I'm still at a loss as to how to get it to work.

I got https provisioning working with the devices, so perhaps I can reuse some of those files. I haven't been able to figure out what agent.pem/cafile.pem combination to use though.

For getting the spa112 to work with https provisioning, I did the following:
1. (on server, private key) openssl genrsa -out <file.key> 1024
2. (on server, generate cert request) openssl req -new -key <file.key> -out <file.csr>
3. sent the `file.csr` to cisco and they sent back a `file.crt` with the signed certificate.
4. cisco also sent back a combinedca.crt with many certificates in that file.

In my apache virtual host I put
#Server Cert
SSLCertificateFile .../file.crt

#Server Private Key:
SSLCertificateKeyFile .../file.key

#Client authentication Certificate Authority (CA)
SSLVerifyClient require
SSLCACertificatePath .../path/
SSLCACertificateFile .../path/combinedca.crt


I have tried the following, but neither worked. 

1)
cat file.crt file.key > agent.pem
cp file.crt cafile.pem

2)
cat file.crt file.key > agent.pem
cp combinedca.crt cafile.pem


Any suggestions on how I might use those files to make a TLS profile for the cisco devices? 

Thanks,
Nick 
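One way to sanity-check an agent.pem/cafile.pem pairing before pointing a Sofia TLS profile at it, added here as an example and not taken from Nick's post or the FreeSWITCH project: it assumes openssl is on PATH and builds its own throwaway CA and server cert (named file.crt, file.key and combinedca.crt to mirror the post) in place of the Cisco-issued files.

```shell
#!/bin/sh
# Added example. Assumes openssl on PATH; $WORK is a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed test material standing in for the Cisco-signed cert and CA bundle:
# a throwaway CA, a server key, a CSR, and a certificate signed by that CA.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/combinedca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=provisioning.example.test" \
    -keyout "$WORK/file.key" -out "$WORK/file.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/file.csr" -CA "$WORK/combinedca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/file.crt" 2>/dev/null
}

# The two files a FreeSWITCH Sofia TLS profile is pointed at:
#   agent.pem  = server certificate followed by its private key
#   cafile.pem = CA chain that a peer's certificate is validated against
build_bundle() {
  cat "$WORK/file.crt" "$WORK/file.key" > "$WORK/agent.pem"
  cp "$WORK/combinedca.crt" "$WORK/cafile.pem"
}

# Check 1: the private key in agent.pem belongs to the certificate in agent.pem.
# Comparing the SubjectPublicKeyInfo blocks works for RSA and EC keys alike.
key_matches_cert() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$1" -pubout)
  [ "$from_cert" = "$from_key" ]
}

# Check 2: the certificate in agent.pem chains to a root held in cafile.pem.
# Only the certificate is extracted and piped in, so the key never leaves the file.
chain_ok() {
  openssl x509 -in "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1
}

run_checks() {
  make_fixture
  build_bundle
  key_matches_cert "$WORK/agent.pem" || { echo "key/cert mismatch in agent.pem"; return 1; }
  chain_ok "$WORK/agent.pem" "$WORK/cafile.pem" || { echo "agent.pem does not chain to cafile.pem"; return 1; }
  echo "agent.pem and cafile.pem in $WORK are consistent"
}
run_checks
```

Running chain_ok with the real file.crt and each candidate cafile.pem shows which of the two bundlings in the post actually provides a root for the Cisco-signed certificate, without a phone in the loop.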

On Sep 23, 2013, at 12:40 PM, Brian West <brian at freeswitch.org> wrote:

> Did you load your CA cert into the SPA?  If not then that could be a problem too.. crank up its logging and see what it's getting mad about.
> 
> 
> On Sep 23, 2013, at 10:28 AM, Nick Vines <jnvines at gmail.com> wrote:
> 
>> Thanks Brian. 
>> 
>> I couldn't find an earlier version of the gentls in git, but I'm still new to git. I tried modifying gentls to use rsa:1024 instead of ec, but I'm still getting the same error messages in the sofia log when the SPA112 tries to connect. FSClient connects with both rsa:1024 and rsa:2048, but I haven't tried to connect any other devices to the server. 
>> 
>> Changes made to gentls_cert:
>> setup_ca():
>>       openssl req -out "${CONFDIR}/CA/cacert.pem" -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" -newkey rsa:1024 -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1
>> 
>> generate_cert():
>>       openssl req -new -out "${TMPFILE}.req" -newkey rsa:1024 -keyout "${TMPFILE}.key" -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
>> 
> 
> 
> 
> --
> Brian West
> brian at freeswitch.org
> FreeSWITCH Solutions, LLC
> PO BOX 2531
> Brookfield, WI 53008-2531
> Twitter: @FreeSWITCH_Wire , @briankwest
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
> 
> T: +1.918.420.9001  |  F: +1.918.420.9002  |  M: +1.918.424.WEST
> iNUM: +883 5100 1420 9001
> ISN: 410*543
> Skype:briankwest
> PGP Key: http://www.bkw.org/key.txt (AB93356707C76CED)