[Freeswitch-users] So you wanna setup your own CA for WSS/SSL/TLS?

Brian West brian at freeswitch.org
Wed Aug 6 16:12:34 MSD 2014


TLS shouldn't be required for non-secure WS transport.  This sounds like a
browser issue to me.


On Wed, Aug 6, 2014 at 5:37 AM, François Delawarde <
fdelawarde at wirelessmundi.com> wrote:

>  Just found out the reason for my troubles! It was not a certificate
> issue.
>
> The latest Google Chrome (36) installed in Debian wheezy/stable does not
> support TLS 1.2 because it requires libnss >3.15 (wheezy has 3.14).
> Unfortunately FreeSWITCH requires TLS 1.2 for WSS connections.
>
> Any way to authorize TLS 1.1 or is it too insecure for web sockets?
>
> ---
>
> A workaround in Debian wheezy would be to install a recent Firefox
> that supports TLS 1.2. Keep in mind that mod_verto stopped working since
> Firefox 31 (see FS-6708), but older versions should work fine!
>
> François
>
>
>
>   On Tue, 2014-08-05 at 16:51 +0200, François Delawarde wrote:
>
> Doing these exact steps doesn't seem to work for me, but WS sockets work
> perfectly so I'm using that for now instead of WSS!
>
> Actually it might not even be a certificate issue, FS tells me:
>
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.
> 2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.
> 2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended
>
> Which doesn't necessarily point to a TLS issue!
>
> Is importing the CA certificate in the client a necessary step to make it
> work with Chrome?
>
>   François
>
>
>   On Fri, 2014-07-25 at 13:59 -0500, Brian West wrote:
>
> I've corrected the how-to and put it in tree:
>
>
>
> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
>
>
>
> Importing the ca.crt into your system keychain for it to be trusted is
> left to the end user to figure out.  If you can't do that step then you'll
> kinda be SOL, I know on my Mac I just open ca.crt and it does the import
> for me... Windows I suspect is similar as for Linux NO CLUE.
>
>
> On Fri, Jul 25, 2014 at 1:53 PM, William King <
> william.king at quentustech.com> wrote:
>
> One correction inline, and did you have any luck getting chrome to work
> with the custom CA?
>
> William King
> Senior Engineer
> Quentus Technologies, INC
> 1037 NE 65th St Suite 273
> Seattle, WA 98115
> Main:   (877) 211-9337
> Office: (206) 388-4772
> Cell:   (253) 686-5518
> william.king at quentustech.com
>
> On 07/25/2014 08:12 AM, Brian West wrote:
> > Someone should probably turn this into a nice how-to:
> >
> > Here is how I did it.
> >
> > wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
> > tar zxfv ssl.ca-0.1.tar.gz
> > cd ssl.ca-0.1/
> > perl -i -pe 's/md5/sha1/g' *.sh
> > perl -i -pe 's/2048/2048/g' *.sh
>
> This is a noop. I assume it was supposed to be /2048/4096/ or /1024/2048/
> > ./new-root-ca.sh
> > ./new-server-cert.sh self.bkw.org
> > ./sign-server-cert.sh self.bkw.org
> > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/wss.pem
> >
> > Setup Apache:
> >
> > default-ssl:
> >
> > SSLCertificateFile    /usr/local/freeswitch/certs/wss.pem
> > SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
> > SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem
> >
> > Setup Sofia TLS:
> >
> > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/agent.pem
> > cat ca.crt > /usr/local/freeswitch/certs/cafile.pem
> >
> > vars.xml:
> >
> > <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
> > <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
> >
> > Restart FreeSWITCH.
> >
> > Now make sure your system has ca.crt imported so it will trust your new
> > found hotness.
> >
> > TEST:
> >
> > openssl s_client -connect self.bkw.org:443
> > openssl s_client -connect self.bkw.org:8082
> >
> >
> > Depending on what you've setup you'll see:
> >
> > subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian at bkw.org
> >
> > issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian at bkw.org
> >
> > Or thereabouts.
> >
> > --
> >
> > */Brian West/*
> > brian at freeswitch.org <mailto:brian at freeswitch.org>
> >
> >
> > */Twitter: @FreeSWITCH , @briankwest/*
> > http://www.freeswitchbook.com
> > http://www.freeswitchcookbook.com
> >
> > *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
> > *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
> >
> >
> >
> > _________________________________________________________________________
> > Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > 
> > 
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://wiki.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
> >
>
>
>
>
> --
> *Brian West*
> brian at freeswitch.org


-- 

*Brian West*
brian at freeswitch.org


*Twitter: @FreeSWITCH , @briankwest*
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com

*T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
*iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
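Added here as an example, not code from the thread or the FreeSWITCH tree: a small Python checker for two steps of the how-to quoted above. It confirms that a bundle built with `cat self.bkw.org.crt self.bkw.org.key > wss.pem` really holds a certificate followed by exactly one private key, and it reads the `subject=`, `issuer=` and `Verify return code` lines from `openssl s_client` output to confirm the served cert is for the expected host and was issued by your own root CA. The sample bundle and the s_client excerpt are constructed; the DN values (self.bkw.org, WBB Root CA) are the ones from the thread, and `-CAfile ca.crt` is the s_client option that makes the verify result reflect your own CA rather than the system trust store.

```python
import base64
import re
# Constructed sample of `cat self.bkw.org.crt self.bkw.org.key > wss.pem`;
# the base64 bodies are a placeholder DER SEQUENCE, not real key material.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MAMCAQE=
-----END RSA PRIVATE KEY-----
"""
# Constructed, abbreviated excerpt of `openssl s_client -CAfile ca.crt -connect self.bkw.org:8082`.
SAMPLE_S_CLIENT = """subject=/C=US/ST=Oklahoma/O=Tonka Truck/CN=self.bkw.org
issuer=/C=US/ST=Oklahoma/O=Whizzzzzzy Bang Bang/CN=WBB Root CA
    Verify return code: 0 (ok)
"""
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der)] per PEM block; raise if a body is not base64-encoded DER."""
    blocks = [(lbl, base64.b64decode("".join(b.split()), validate=True)) for lbl, b in PEM_RE.findall(text)]
    bad = [lbl for lbl, der in blocks if not der or der[0] != 0x30]  # certs and keys are DER SEQUENCEs
    if bad:
        raise ValueError(f"not a DER SEQUENCE: {bad}")
    return blocks

def check_bundle(text):
    """True if the .pem has a certificate, exactly one private key, and the cert comes first."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if "CERTIFICATE" not in labels or len(keys) != 1:
        return False
    return labels.index("CERTIFICATE") < labels.index(keys[0])

def parse_dn(line):
    """Parse 'subject=/C=US/.../CN=host' (slash form) or 'subject=C = US, ...' (newer comma form)."""
    parts = re.split(r"/|, ", line.partition("=")[2].strip().lstrip("/"))
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in parts if "=" in p)}

def check_s_client(output, hostname, ca_cn):
    """True if the served cert is for hostname, issued by our CA, and the chain verified OK."""
    subject, issuer, verified = {}, {}, False
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("subject="):
            subject = parse_dn(line)
        elif line.startswith("issuer="):
            issuer = parse_dn(line)
        elif line.startswith("Verify return code:"):
            verified = line.split(":", 1)[1].strip().startswith("0 ")
    return subject.get("CN") == hostname and issuer.get("CN") == ca_cn and verified
```

Without `-CAfile ca.crt` (or the CA imported into the system store) the verify line comes back non-zero even when the subject and issuer look right, which is the symptom to separate from the mod_verto "WS SETUP FAILED" discussed above.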