[Freeswitch-users] So you wanna setup your own CA for WSS/SSL/TLS?

François Delawarde fdelawarde at wirelessmundi.com
Wed Aug 6 14:37:25 MSD 2014


Just found out the reason for my troubles! It was not a certificate
issue.

The latest Google Chrome (36) installed in Debian wheezy/stable does not
support TLS 1.2 because it requires libnss >3.15 (wheezy has 3.14).
Unfortunately FreeSWITCH requires TLS 1.2 for WSS connections.

Any way to authorize TLS 1.1 or is it too insecure for web sockets?

---

A workaround in Debian wheezy would be to install a recent Firefox
that supports TLS 1.2. Keep in mind that mod_verto stopped working since
Firefox 31 (see FS-6708), but older versions should work fine!

François
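The CA and server-certificate steps Brian quotes further down this thread, redone with plain openssl as an added example (not code from the list or from the FreeSWITCH project): it builds the CA and the server certificate, writes the cert+key bundle the how-to uses for wss.pem, and verifies chain, key match and hostname before anything is deployed. The scratch directory, the placeholder hostname and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA and a server certificate
# built with plain openssl, bundled the way the quoted how-to builds wss.pem,
# then checked before deployment. Assumes openssl(1) in PATH; directory and
# hostname are parameters (the defaults below are placeholders).
set -eu

make_ca_and_cert() {
    dir=${1:-./ca-demo}; host=${2:-wss.example.invalid}
    mkdir -p "$dir"
    # 1. Root CA: RSA key plus a self-signed certificate hashed with SHA-256
    #    (the ssl.ca scripts in the thread default to MD5/SHA-1, which browsers
    #    no longer accept). Use 4096-bit keys for a CA you intend to keep.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$dir/ca.key" \
        -subj "/O=Example Private CA/CN=Example Root CA" -out "$dir/ca.crt"
    # 2. Server key and CSR. Current browsers match the hostname against the
    #    subjectAltName and ignore the CN, so the SAN must be present.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/san.cnf"
    # 3. Sign the CSR with the CA (ca.srl is created on first use).
    openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/$host.crt" 2>/dev/null
    # 4. Bundle cert and key into one PEM, as the how-to does for wss.pem.
    #    The bundle contains the private key, so create it owner-readable only.
    (umask 077; cat "$dir/$host.crt" "$dir/$host.key" > "$dir/wss.pem")
}

# Succeeds only if the server cert chains to ca.crt, the private key in the
# bundle belongs to that cert, and the SAN carries the hostname clients use.
verify_bundle() {
    dir=${1:-./ca-demo}; host=${2:-wss.example.invalid}
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$dir/wss.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/wss.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}
```

Point SSLCertificateFile/SSLCertificateKeyFile (Apache) and the FreeSWITCH certs directory at the resulting wss.pem; a bundle that fails verify_bundle would fail the browser in the same way.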


On Tue, 2014-08-05 at 16:51 +0200, François Delawarde wrote:

> Doing these exact steps doesn't seem to work for me, but WS sockets work
> perfectly so I'm using that for now instead of WSS!
> 
> Actually it might not even be a certificate issue, FS tells me:
> 
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210
> Client Connect.
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210
> Starting client thread.
> 2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292
> 192.168.10.80:41210 WS SETUP FAILED
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210
> Ending client thread.
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210
> Thread ended
> 
> Which doesn't necessarily point to a TLS issue!
> 
> Is importing the CA certificate in the client a necessary step to make
> it work with Chrome?
> 
> François
> 
> 
> On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote: 
> 
> > I've corrected the how-to and put it in tree:
> > 
> > 
> > https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
> > 
> > 
> > 
> > Importing the ca.crt into your system keychain for it to be trusted
> > is left to the end user to figure out.  If you can't do that step
> > then you'll kinda be SOL, I know on my Mac I just open ca.crt and it
> > does the import for me... Windows I suspect is similar as for Linux
> > NO CLUE.
> > 
> > 
> > On Fri, Jul 25, 2014 at 1:53 PM, William King
> > <william.king at quentustech.com> wrote:
> > 
> >         One correction inline, and did you have any luck getting
> >         chrome to work
> >         with the custom CA?
> >         
> >         William King
> >         Senior Engineer
> >         Quentus Technologies, INC
> >         1037 NE 65th St Suite 273
> >         Seattle, WA 98115
> >         Main:   (877) 211-9337
> >         Office: (206) 388-4772
> >         Cell:   (253) 686-5518
> >         william.king at quentustech.com 
> >         
> >         On 07/25/2014 08:12 AM, Brian West wrote:
> >         > Someone should probably turn this into a nice how-to:
> >         >
> >         > Here is how I did it.
> >         >
> >         > wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
> >         > tar zxfv ssl.ca-0.1.tar.gz
> >         > cd ssl.ca-0.1/
> >         > perl -i -pe 's/md5/sha1/g' *.sh
> >         > perl -i -pe 's/2048/2048/g' *.sh
> >         
> >         This is a noop. I assume it was supposed to be /2048/4096/
> >         or /1024/2048/
> >         > ./new-root-ca.sh
> >         > ./new-server-cert.sh self.bkw.org
> >         > ./sign-server-cert.sh self.bkw.org
> >         > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/wss.pem
> >         >
> >         > Setup Apache:
> >         >
> >         > default-ssl:
> >         >
> >         > SSLCertificateFile    /usr/local/freeswitch/certs/wss.pem
> >         > SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
> >         >
> >         SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem
> >         >
> >         > Setup Sofia TLS:
> >         >
> >         > cat self.bkw.org.crt self.bkw.org.key >
> >         > /usr/local/freeswitch/certs/agent.pem
> >         > cat ca.crt > /usr/local/freeswitch/certs/cafile.pem
> >         >
> >         > vars.xml:
> >         >
> >         > <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
> >         > <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
> >         >
> >         > Restart FreeSWITCH.
> >         >
> >         > Now make sure your system has ca.crt imported so it will
> >         trust your new
> >         > found hotness.
> >         >
> >         > TEST:
> >         >
> >         
> >         > openssl s_client -connect self.bkw.org:443
> >         > openssl s_client -connect self.bkw.org:8082
> >         >
> >         >
> >         > Depending on what you've setup you'll see:
> >         >
> >         > subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian at bkw.org
> >         >
> >         > issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian at bkw.org
> >         >
> >         > Or thereabouts.
> >         >
> >         > --
> >         >
> >         > */Brian West/*
> >         > brian at freeswitch.org <mailto:brian at freeswitch.org>
> >         >
> >         >
> >         > */Twitter: @FreeSWITCH , @briankwest/*
> >         > http://www.freeswitchbook.com
> >         > http://www.freeswitchcookbook.com
> >         >
> >         > *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST
> >         (9378)
> >         > *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 |
> >         *Skype:*briankwest
> >         >
> >         >
> >         >
> >         >
> >         _________________________________________________________________________
> >         > Professional FreeSWITCH Consulting Services:
> >         > consulting at freeswitch.org
> >         > http://www.freeswitchsolutions.com
> >         >
> >         > FreeSWITCH-powered IP PBX: The CudaTel Communication
> >         Server
> >         > 
> >         >
> >         > Official FreeSWITCH Sites
> >         > http://www.freeswitch.org
> >         > http://wiki.freeswitch.org
> >         > http://www.cluecon.com
> >         >
> >         > FreeSWITCH-users mailing list
> >         > FreeSWITCH-users at lists.freeswitch.org
> >         >
> >         http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >         >
> >         UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> >         > http://www.freeswitch.org
> >         >
> >         
> >         