[Freeswitch-users] So you wanna setup your own CA for WSS/SSL/TLS?

Nandy Dagondon nandy1925 at gmail.com
Thu Jul 2 06:47:17 MSD 2015


Hi Luis,

I'm aware of that.  I've dug into SSL/TLS certificates (just self-signed
for my intranet setup) and WebRTC - one by one.  Now all ports are
listening for mod_verto: 8081, 8082 and 7443. However, the FS log shows
error messages like:

2014-08-05 16:44:11.831823 [INFO] mod_verto.c:3209 192.168.10.80:41210 Client Connect.
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1379 192.168.10.80:41210 Starting client thread.
2014-08-05 16:44:11.831823 [DEBUG] mod_verto.c:1292 192.168.10.80:41210 WS SETUP FAILED
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1405 192.168.10.80:41210 Ending client thread.
2014-08-05 16:44:11.831823 [INFO] mod_verto.c:1412 192.168.10.80:41210 Thread ended

Upon testing with openssl s_client, port 443 returned Verify code: 19
(self signed certificate in certificate chain). But on port 7443, it's
code 21 (unable to verify the first certificate).  I encountered this same
error code on port 443 before. Solution: I added the self-signed CA
certificate to my web server configuration.

I think I can zero in on the solution - how do I add the CA certificate to
certs/wss.pem?

Or ... should the secure-chain parameter in verto.conf.xml point to the CA
certificate file?
      <param name="secure-combined" value="/usr/local/freeswitch/certs/wss.pem"/>
      <param name="secure-chain" value="/usr/local/freeswitch/certs/wss.pem"/>

Any input?

Tks,
/Nandy
On Wed, Jul 1, 2015 at 10:13 PM, Luis Daniel Lucio Quiroz <
luis.daniel.lucio at gmail.com> wrote:

> More than a script, it would be better if you post minimum cert
> requirements to let the FS work
>
> Luis Daniel Lucio Quiroz
> CISSP, CISM, CISA
> Linux, VoIP and much more fun
> www.okay.com.mx
>
> Need LCR? Check out LCR for FusionPBX with FreeSWITCH
> Need Billing? Check out Billing for FusionPBX with FreeSWITCH
>
> 2015-06-30 23:52 GMT-04:00 Nandy Dagondon <nandy1925 at gmail.com>:
>
>> Hi Brian,
>>
>> I used your script to generate the certificates to test mod_verto in an
>> intranet setup. Questions on your script:
>>
>> 1) Is 4096 bits required? Or will 2048 bits work, too?
>> 2) Examining certs/wss.pem, there should be a <chain> certificate at the
>> end. But the script inputs only 2 - *.crt and *.key. What should be the
>> 3rd?
>>
>> Tks,
>> /Nandy
>>
>>
>> On Sat, Jul 26, 2014 at 2:59 AM, Brian West <brian at freeswitch.org> wrote:
>>
>>> I've corrected the how-to and put it in tree:
>>>
>>>
>>> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
>>>
>>> Importing the ca.crt into your system keychain for it to be trusted is
>>> left to the end user to figure out.  If you can't do that step then you'll
>>> kinda be SOL. I know on my Mac I just open ca.crt and it does the import
>>> for me... Windows I suspect is similar; as for Linux, NO CLUE.
>>>
>>>
>>> On Fri, Jul 25, 2014 at 1:53 PM, William King <
>>> william.king at quentustech.com> wrote:
>>>
>>>> One correction inline, and did you have any luck getting chrome to work
>>>> with the custom CA?
>>>>
>>>> William King
>>>> Senior Engineer
>>>> Quentus Technologies, INC
>>>> 1037 NE 65th St Suite 273
>>>> Seattle, WA 98115
>>>> Main:   (877) 211-9337
>>>> Office: (206) 388-4772
>>>> Cell:   (253) 686-5518
>>>> william.king at quentustech.com
>>>>
>>>> On 07/25/2014 08:12 AM, Brian West wrote:
>>>> > Someone should probably turn this into a nice how-to:
>>>> >
>>>> > Here is how I did it.
>>>> >
>>>> > wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
>>>> > tar zxfv ssl.ca-0.1.tar.gz
>>>> > cd ssl.ca-0.1/
>>>> > perl -i -pe 's/md5/sha1/g' *.sh
>>>> > perl -i -pe 's/2048/2048/g' *.sh
>>>> This is a noop. I assume it was supposed to be /2048/4096/ or /1024/2048/
>>>> > ./new-root-ca.sh
>>>> > ./new-server-cert.sh self.bkw.org
>>>> > ./sign-server-cert.sh self.bkw.org
>>>> > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/wss.pem
>>>> >
>>>> > Setup Apache:
>>>> >
>>>> > default-ssl:
>>>> >
>>>> > SSLCertificateFile    /usr/local/freeswitch/certs/wss.pem
>>>> > SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
>>>> > SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem
>>>> >
>>>> > Setup Sofia TLS:
>>>> >
>>>> > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/agent.pem
>>>> > cat ca.crt > /usr/local/freeswitch/certs/cafile.pem
>>>> >
>>>> > vars.xml:
>>>> >
>>>> > <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>>>> > <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>>>> >
>>>> > Restart FreeSWITCH.
>>>> >
>>>> > Now make sure your system has ca.crt imported so it will trust your new
>>>> > found hotness.
>>>> >
>>>> > TEST:
>>>> >
>>>> > openssl s_client -connect self.bkw.org:443
>>>> > openssl s_client -connect self.bkw.org:8082
>>>> >
>>>> > Depending on what you've setup you'll see:
>>>> >
>>>> > subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/CN=self.bkw.org/emailAddress=brian at bkw.org
>>>> >
>>>> > issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/emailAddress=brian at bkw.org
>>>> >
>>>> > Or thereabouts.
>>>> >
>>>> > --
>>>> >
>>>> > */Brian West/*
>>>> > brian at freeswitch.org
>>>> >
>>>> >
>>>> > */Twitter: @FreeSWITCH , @briankwest/*
>>>> > http://www.freeswitchbook.com
>>>> > http://www.freeswitchcookbook.com
>>>> >
>>>> > *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>> > *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>> >
>>>> >
>>>> >
>>>> >
>>>> _________________________________________________________________________
>>>> > Professional FreeSWITCH Consulting Services:
>>>> > consulting at freeswitch.org
>>>> > http://www.freeswitchsolutions.com
>>>> >
>>>> > FreeSWITCH-powered IP PBX: The CudaTel Communication Server
>>>> > http://www.cudatel.com
>>>> >
>>>> > Official FreeSWITCH Sites
>>>> > http://www.freeswitch.org
>>>> > http://wiki.freeswitch.org
>>>> > http://www.cluecon.com
>>>> >
>>>> > FreeSWITCH-users mailing list
>>>> > FreeSWITCH-users at lists.freeswitch.org
>>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> > UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> > http://www.freeswitch.org
>>>> >
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Brian West*
>>> brian at freeswitch.org
>>>
>>>
>>> *Twitter: @FreeSWITCH , @briankwest*
>>> http://www.freeswitchbook.com
>>> http://www.freeswitchcookbook.com
>>>
>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>
>>>
>>
>>
>
>
>
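An added example (not part of this thread or of the FreeSWITCH project) that checks the one thing the thread keeps circling: a combined wss.pem needs the server certificate, the private key, and then the issuing CA certificate appended as the chain, and a bundle missing that third block is exactly what makes s_client report verify error 21 against a private CA. It assumes only that layout; the PEM bodies below are constructed placeholders, not real certificates or keys.

```python
import re
from typing import Dict, List, Tuple

# One PEM block: label such as "CERTIFICATE" or "RSA PRIVATE KEY", base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)

# Constructed stand-ins for self.bkw.org.crt, self.bkw.org.key and ca.crt.
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nMIIBCONSTRUCTEDLEAF\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIECONSTRUCTEDKEY\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIDCONSTRUCTEDCA\n-----END CERTIFICATE-----\n"


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Split a PEM bundle into (label, block) pairs in file order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_combined_pem(server_crt: str, server_key: str, ca_crt: str) -> str:
    """Assemble the combined file: server cert, private key, then the CA chain
    appended at the end (the third input the thread asks about)."""
    return "\n".join(p.strip() for p in (server_crt, server_key, ca_crt)) + "\n"


def check_combined_pem(text: str) -> Dict[str, object]:
    """Report the block layout of a combined PEM and any structural problems."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    problems: List[str] = []
    if not certs:
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    if len(certs) < 2:
        # Leaf only: a client that trusts the private CA but has never seen
        # the leaf gets "unable to verify the first certificate" (code 21).
        problems.append("no chain certificate after the server certificate")
    if certs and keys and keys[0] < certs[0]:
        problems.append("private key appears before the server certificate")
    return {"labels": labels, "chain_certs": max(len(certs) - 1, 0), "problems": problems}
```

Running check_combined_pem over a real certs/wss.pem tells you whether the CA block is actually present before you go hunting in verto.conf.xml.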