[Freeswitch-users] Need help setting up Freeswitch with commercial SSL certificate

Brian West brian at freeswitch.org
Tue Aug 26 22:04:40 MSD 2014


For reference, the JIRA is here: https://jira.freeswitch.org/browse/DOCS-13




On Tue, Aug 26, 2014 at 1:03 PM, Brian West <brian at freeswitch.org> wrote:

> If you've installed from packages, you may end up with things not where you
> think; we are working on this.
>
> <param name="tls-cert-dir" value="/usr/local/freeswitch/certs"/>
>
> is what I set in my internal.xml. The pending issue is that base_dir sometimes
> doesn't point where you might expect.
>
>
> On Tue, Aug 26, 2014 at 12:41 PM, Tim Smith <randomdev4 at gmail.com> wrote:
>
>> Chain verification wasn't my problem! My problem was that the FreeSWITCH
>> default self-signed certs were showing up in openssl because FreeSWITCH
>> seems to ignore you telling it to look in internal_ssl_dir and
>> external_ssl_dir!
>>
>>
>> On 26 August 2014 18:31, Brian West <brian at freeswitch.org> wrote:
>>
>>> http://www.sslshopper.com/ssl-checker.html
>>>
>>> I use this to test. If your OpenSSL install doesn't have the chain certs,
>>> it can't verify the chain unless you provide it.
>>>
>>>
>>> On Tue, Aug 26, 2014 at 12:21 PM, Szeto, Steven <steven_szeto at mitel.com>
>>> wrote:
>>>
>>>> I have also had issues with using third-party certs with FreeSWITCH. If
>>>> I generated my own certs and used them with an FSClient, I can get the
>>>> FSClient to register via TLS to my FreeSWITCH server.
>>>>
>>>> However, I was unable to install the generated certs into my SIP phones
>>>> and get them to register with my FreeSWITCH server. I think there is a bit
>>>> of work required here to get FreeSWITCH to be a bit more flexible in its
>>>> TLS registration protocol.
>>>>
>>>> Ideally, we should also be able to install multiple root certificates
>>>> for various phones and allow these phones to register with the FreeSWITCH
>>>> server. As far as I am aware, multiple root certificates are not
>>>> supported.
>>>>
>>>>
>>>> On Tue, Aug 26, 2014 at 9:12 AM, Tim Smith <gb10hkzo-fs1 at yahoo.co.uk>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> The story so far:
>>>>>
>>>>> • I've installed new certs
>>>>> • checked that the config in vars.xml is pointing to the right place
>>>>> • restarted freeswitch entirely
>>>>> • it is still using some sort of internal certificates? cafile and
>>>>> agent contain my certs and not those referred to in the openssl output?
>>>>>
>>>>> What am I missing?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Tim
>>>>>
>>>>>
>>>>>
>>>>> FreeSWITCH Version 1.4.8+git~20140821T185758Z~1fe89f530f~64bit (git
>>>>> 1fe89f5 2014-08-21 18:57:58Z 64bit)
>>>>>
>>>>>
>>>>> /usr/local/freeswitch/conf/ssl# openssl verify -CAfile cafile.pem agent.pem
>>>>> agent.pem: OK
>>>>>
>>>>> /usr/local/freeswitch/conf# cat vars.xml | grep ssl
>>>>>      valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
>>>>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>>>>>   <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
>>>>>   <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>>>>>   <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
>>>>>
>>>>> $ openssl s_client -showcerts -connect my.server:5061
>>>>> CONNECTED(00000003)
>>>>> depth=0 /C=US/CN=FreeSWITCH
>>>>> verify error:num=18:self signed certificate
>>>>> verify return:1
>>>>> depth=0 /C=US/CN=FreeSWITCH
>>>>> verify return:1
>>>>> ---
>>>>> Certificate chain
>>>>>  0 s:/C=US/CN=FreeSWITCH
>>>>>    i:/C=US/CN=FreeSWITCH
>>>>> -----BEGIN CERTIFICATE-----
>>>>> -----END CERTIFICATE-----
>>>>> ---
>>>>> Server certificate
>>>>> subject=/C=US/CN=FreeSWITCH
>>>>> issuer=/C=US/CN=FreeSWITCH
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> ---
>>>>> SSL handshake has read 615 bytes and written 328 bytes
>>>>> ---
>>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>>> Server public key is 1024 bit
>>>>> Secure Renegotiation IS supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1
>>>>>     Cipher    : AES256-SHA
>>>>>     Session-ID:
>>>>>     Session-ID-ctx:
>>>>>     Master-Key:
>>>>>     Key-Arg   : None
>>>>>     Start Time:
>>>>>     Timeout   : 300 (sec)
>>>>>     Verify return code: 18 (self signed certificate)
>>>>> ---
>>>>>
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> 
>>>>> 
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Regards,*
>>>> *Steve Szeto*
>>>> *MiContact Center IVR Team*
>>>> *Software Designer*
>>>> Tel.: 613-592-5660 Ext. 71698
>>>> Email: steven_szeto at mitel.com
>>>> 350 Legget Drive
>>>> Kanata, ON
>>>> Canada K2K 2W7
>>>> *www.mitel.com*
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> *Brian West*
>>> brian at freeswitch.org
>>>
>>>
>>> *Twitter: @FreeSWITCH , @briankwest*
>>> http://www.freeswitchbook.com
>>> http://www.freeswitchcookbook.com
>>>
>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>
>>>
>>
>>
>>
>
>
>
>



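The symptom Tim reports above is a mismatch between the certificate on disk and the certificate the server actually presents on port 5061: `openssl verify` passes for agent.pem, yet `s_client` shows the FreeSWITCH default self-signed cert with verify return code 18. The script below automates that comparison. It is an added example for this thread, not FreeSWITCH project code or anything posted by the participants: it parses an `openssl s_client -showcerts` capture, pulls out subject, issuer, verify return code, key size and protocol, computes the SHA-256 fingerprint of the served leaf certificate (the same value `openssl x509 -noout -fingerprint -sha256 -in agent.pem` prints), and compares it with the deployed agent.pem. The capture and both PEM blocks are constructed placeholders: their "DER" bodies are just label bytes, not real certificates, so the fingerprints are illustrative only; `my.server` and the 2048-bit key threshold are assumptions, not values from the thread.

```python
"""Audit an `openssl s_client -showcerts` capture against the deployed agent.pem.
Added example (not FreeSWITCH project code). All PEM bodies are constructed
placeholders: label bytes wrapped in PEM armour, not real certificates."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fake_pem(label: bytes) -> str:
    """Constructed placeholder: a PEM-shaped block whose 'DER' is just the label."""
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed capture mirroring the s_client output quoted in the thread
# (same subject/issuer, verify code 18, 1024-bit key, TLSv1).
SERVED_CAPTURE = """\
CONNECTED(00000003)
depth=0 /C=US/CN=FreeSWITCH
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=US/CN=FreeSWITCH
   i:/C=US/CN=FreeSWITCH
<LEAF_PEM>---
Server certificate
subject=/C=US/CN=FreeSWITCH
issuer=/C=US/CN=FreeSWITCH
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 18 (self signed certificate)
---
""".replace("<LEAF_PEM>", fake_pem(b"freeswitch-default-self-signed"))

# Constructed stand-in for the commercial agent.pem installed in the ssl dir.
DEPLOYED_AGENT_PEM = fake_pem(b"commercial-cert-for-my.server")


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_s_client(capture: str) -> dict:
    """Extract the fields that matter for this problem from an s_client capture."""
    def grab(pattern, conv=str):
        m = re.search(pattern, capture, re.M)
        return conv(m.group(1)) if m else None

    leaf = PEM_RE.search(capture)  # first block is depth 0, i.e. the leaf
    return {
        "subject": grab(r"^subject=(.*)$"),
        "issuer": grab(r"^issuer=(.*)$"),
        "verify_code": grab(r"Verify return code: (\d+)", int),
        "key_bits": grab(r"Server public key is (\d+) bit", int),
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "leaf_fingerprint": pem_fingerprint(leaf.group(0)) if leaf else None,
    }


def audit(capture: str, deployed_pem: str) -> tuple:
    """Return (parsed info, list of findings) for a capture vs. the deployed cert."""
    info = parse_s_client(capture)
    findings = []
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append("self-signed leaf certificate (subject == issuer)")
    if info["verify_code"] not in (None, 0):
        findings.append(f"chain verification failed: return code {info['verify_code']}")
    if info["leaf_fingerprint"] != pem_fingerprint(deployed_pem):
        findings.append("served leaf is not the deployed agent.pem (fingerprint mismatch)")
    if info["key_bits"] is not None and info["key_bits"] < 2048:  # assumed threshold
        findings.append(f"weak server key: {info['key_bits']} bit")
    if info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol negotiated: {info['protocol']}")
    return info, findings


if __name__ == "__main__":
    info, findings = audit(SERVED_CAPTURE, DEPLOYED_AGENT_PEM)
    print(f"served leaf fingerprint: {info['leaf_fingerprint']}")
    for f in findings:
        print("FINDING:", f)
```

In practice you would feed it `openssl s_client -showcerts -connect my.server:5061 </dev/null 2>&1` and the agent.pem from whichever directory you believe FreeSWITCH reads (`tls-cert-dir` in the profile, or `internal_ssl_dir`/`external_ssl_dir` from vars.xml). A fingerprint mismatch is the definitive signal that the running profile is loading certificates from somewhere else, which is exactly what Brian's base_dir caveat describes; the self-signed, key-size and protocol findings are the additional things a reviewer would flag in that same capture.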

