Setting up FreeSWITCH TLS with a certificate from a valid certificate authority was NOT as easy as it looked at the start. I tried many different things to make it work, and finally I got it.
Here is the error we are dealing with:
tport_tls.c:1008 tls_connect() tls_connect(0x7f256800c9a0): TLS setup failed (error:00000005:lib(0):func(0):DH lib)
It took me a lot of digging, but I soon realized this had something to do with an untrusted certificate. I am going to show you how to use a trusted certificate so that a program like Linphone can do SIP over TLS against FreeSWITCH right out of the box.
First, generate your key and CSR:
My domain is ghostcall.io, so I am going to use that. I am also assuming you have a TLS-enabled build of FreeSWITCH installed (I also built with --enable-zrtp).
openssl genrsa -out call.ghostcall.io.key 2048
openssl req -new -key call.ghostcall.io.key -out call.ghostcall.io.csr
After you have answered all the questions you have a CSR file. I used http://www.garrisonhost.com for my cert; I picked DomainSSL and entered the contents of my CSR file into that site. After a while they emailed me my crt. I copied and pasted that crt file onto my FreeSWITCH server in my working directory. Here is where I ran into trouble: I also needed to include GlobalSign's intermediate certificate (Garrison Host resells GlobalSign certs). So I took to Google and I found it:
https://support.globalsign.com/customer/portal/articles/1464460-domainssl-intermediate-certificates
I appended that intermediate certificate to the bottom of the crt file I had received, so the file now read server certificate first, then the intermediate. I then needed to create the pem file.
openssl pkcs12 -export -in call.ghostcall.io.crt -inkey call.ghostcall.io.key -out call.ghostcall.io.p12
openssl pkcs12 -in call.ghostcall.io.p12 -nodes -out call.ghostcall.io.pem
That was it: the pem now held my GlobalSign certificate, the intermediate, and the private key.
I then just needed to copy the new pem file over the FreeSWITCH default files. The pem contains your private key, so keep it readable only by the user FreeSWITCH runs as:
cp call.ghostcall.io.pem /usr/local/freeswitch/conf/ssl/agent.pem
cp call.ghostcall.io.pem /usr/local/freeswitch/conf/ssl/tls.pem
cp call.ghostcall.io.pem /usr/local/freeswitch/certs/tls.pem
Then restart freeswitch
fs_cli
freeswitch@internal> shutdown
freeswitch -nc -hp
Then I checked it using openssl. The certificate chain in the output shows both the server certificate (0) and the GlobalSign intermediate (1), which is exactly what a client needs to build a path to the root it already trusts. If you want s_client itself to verify that path rather than just display it, point it at a CA bundle with -CAfile. Note also that this session negotiated TLSv1 with AES256-SHA; today you would want TLS 1.2 or later, which the sofia profile controls through its tls-version parameter.
Johns-MacBook-Pro-165:~ john$ openssl s_client -showcerts -connect call.ghostcall.io:5061
CONNECTED(00000003)
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=call.ghostcall.io
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
MIIE8DCCA9igAwIBAgISESFCbKusxwCioeFmdROTAYfwMA0GCSqGSIb3DQEBCwUA
MGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYD
VQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzIwHhcNMTUwMzA4MTk0ODE4WhcNMTYwMzA4MTk0ODE4WjA/MSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxGjAYBgNVBAMMEWNhbGwuZ2hvc3RjYWxs
LmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA38FW+dzqDTR6ZKhH
JhGbYeYu+nPbOFnbhRFgVnodLlTrAnIK2FqDOTnIrLV30neZR9FrSBX6LyJsPOtg
3S9RexIPSYtltegDzWHDM6gdxAddsbkbEFRKffWJe3Yll06ob81msRu+0atoWp5y
ldbN0E8twSVyOp8h5k1Ud+gAEQfK+z+xUFv6/7bEd2O86TqcpY2cSUGuHJpW3Ymk
mDlA3fZP4dQ0pvZTdBxpEavZ6eShYyuXf2N3BAI6lksBLs9VO6Rmga7Uv0g5+e6j
pvZQ0sj+5TlPZDVdIG0PQe6eZpv2+cxtjFJo3yqykR4GWiUn9+Txfq24BdWHKnO0
K/w3lQIDAQABo4IBwzCCAb8wDgYDVR0PAQH/BAQDAgWgMEkGA1UdIARCMEAwPgYG
Z4EMAQIBMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29t
L3JlcG9zaXRvcnkvMBwGA1UdEQQVMBOCEWNhbGwuZ2hvc3RjYWxsLmlvMAkGA1Ud
EwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEMGA1UdHwQ8MDow
OKA2oDSGMmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3MvZ3Nkb21haW52YWxz
aGEyZzIuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDBHBggrBgEFBQcwAoY7aHR0cDov
L3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nkb21haW52YWxzaGEyZzJy
MS5jcnQwOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9n
c2RvbWFpbnZhbHNoYTJnMjAdBgNVHQ4EFgQUQG7IS3PrAeeXMrGetSdeBLuY0YUw
HwYDVR0jBBgwFoAU6k581IAt5RWBhiaMgm3AmKTPlw8wDQYJKoZIhvcNAQELBQAD
ggEBABnUzOiRF76mCvE0+9FyajNk1u10wcy7U58otJ81ibPOtwnaJuSkIl7UDave
T7jltwrLZWu/eq3ObR4BkLVBpR1q/8z509gIgHqNIip9S/mei1jB1bUK6C2Ti3D6
5zDr1dMpV/h5aE12JkCE/X2l+x7dUyK9j9hPU4uV17bjM1xbLf2fJqod8Eqk5JwS
awZSsoFqfQ76WeFuALiS2xNU0wlrbgo8X0kslQob/zYI8EVC7rhrBFYkOQLBUZO3
+7Ei1ETqoYNvorsgztX/AzGufjfBMdQUg0BUp4EXq7C+Z2UxjGzt/y1hA4Kl/pMI
0+2B9o2XE8vaicaXzQd9D7X5jOs=
-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
MIIEYzCCA0ugAwIBAgILBAAAAAABRE7wPiAwDQYJKoZIhvcNAQELBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
MDBaFw0yNDAyMjAxMDAwMDBaMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMTYwNAYDVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0
aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCp3cwOs+IyOd1JIqgTaZOHiOEM7nF9vZCHll1Z8syz0lhXV/lG72wm2DZC
jn4wsy+aPlN7H262okxFHzzTFZMcie089Ffeyr3sBppqKqAZUn9R0XQ5CJ+r69eG
ExWXrjbDVGYOWvKgc4Ux47JkFGr/paKOJLu9hVIVonnu8LXuPbj0fYC82ZA1ZbgX
qa2zmJ+gfn1u+z+tfMIbWTaW2jcyS0tdNQJjjtunz2LuzC7Ujcm9PGqRcqIip3It
INH6yjfaGJjmFiRxJUvE5XuJUgkC/VkrBG7KB4HUs9ra2+PMgKhWBwZ8lgg3nds4
tmI0kWIHdAE42HIw4uuQcSZiwFfzAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU6k581IAt5RWBhiaMgm3A
mKTPlw8wRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v
d3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCowKKAmoCSG
Imh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYBBQUHAQEE
MTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290
cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZIhvcNAQEL
BQADggEBANdFnqDc4ONhWgt9d4QXLWVagpqNoycqhffJ7+mG/dRHzQFSlsVDvTex
4bjyqdKKEYRxkRWJ3AKdC8tsM4U0KJ4gsrGX3G0LEME8zV/qXdeYMcU0mVwAYVXE
GwJbxeOJyLS4bx448lYm6UHvPc2smU9ZSlctS32ux4j71pg79eXw6ImJuYsDy1oj
H6T9uOr7Lp2uanMJvPzVoLVEgqtEkS5QLlfBQ9iRBIvpES5ftD953x77PzAAi1Pj
tywdO02L3ORkHQRYM68bVeerDL8wBHTk8w4vMDmNSwSMHnVmZkngvkA0x1xaUZK6
EjxS1QSCVS1npd+3lXzuP8MIugS+wEY=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=call.ghostcall.io
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 2567 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9C6549620AE9AD553FC94C9037DE7A0B7803FDEEC48C7CF42424DA85BC4DA894
    Session-ID-ctx:
    Master-Key: 48C5FB15D308BEFEDA79BC335E8C6F0B665628C56B3F8C12D2DA3BF9AA361C013F2769166F98E79F60D253B2089ABA1B
    Key-Arg   : None
    Start Time: 1425850510
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
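The whole procedure above, from key and CSR through building the pem FreeSWITCH reads, collected into one script that also checks the file before you copy it over conf/ssl/tls.pem. This is an added example, not code from the original post: because it has to run offline, a throwaway root and intermediate CA stand in for GlobalSign and its DomainSSL intermediate, and the host name call.example.test is made up. The checks are the ones worth running on a real pem too: that the key matches the leaf certificate, that the file carries exactly the leaf plus the intermediate, and that a client which trusts only the root can build a path with the intermediate present but not without it (the situation the post ran into).

```shell
#!/bin/sh
# Added example (not from the original post): build a FreeSWITCH-style tls.pem
# (server cert, then the CA intermediate, then the private key) and check it.
# A throwaway root CA and intermediate stand in for GlobalSign's so this runs
# offline; call.example.test is a made-up host name.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: the two test CAs get CA:TRUE, the leaf explicitly does not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:call.example.test\nextendedKeyUsage=serverAuth,clientAuth\n' > leaf.ext

make_test_chain() {
    # Throwaway self-signed root (plays the part of "GlobalSign Root CA").
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
        -out root.crt 2>/dev/null
    # Intermediate signed by the root (plays the part of the DomainSSL intermediate).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out inter.crt 2>/dev/null
    # The server side of the post: key, CSR, and the cert the CA hands back.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj '/CN=call.example.test' -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out server.crt 2>/dev/null
}

# Same result as the post's pkcs12 round trip, without the detour: leaf cert,
# then intermediate, then key, in one PEM file. It holds the private key, so
# it must be readable by the FreeSWITCH user only.
build_tls_pem() {
    cat server.crt inter.crt server.key > tls.pem
    chmod 600 tls.pem
}

# Check 1: the key in tls.pem belongs to the first certificate in it. Comparing
# SHA-256 digests of the two DER-encoded public keys works for RSA and EC alike.
key_matches_cert() {
    cert_pub="$(openssl x509 -in tls.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    key_pub="$(openssl pkey -in tls.pem -pubout -outform DER | openssl dgst -sha256)"
    [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the file ships exactly the certs a client needs (leaf + intermediate)
# and a single private key.
cert_count() { grep -c 'BEGIN CERTIFICATE' tls.pem; }
key_count()  { grep -c 'BEGIN.*PRIVATE KEY' tls.pem; }

# Check 3: the failure the post hit. A client that trusts only the root cannot
# verify the leaf on its own; with the intermediate supplied alongside it can.
leaf_alone_fails() {
    ! openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}
chain_verifies() {
    openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null 2>&1
}

make_test_chain
build_tls_pem
key_matches_cert && echo "key matches certificate"
leaf_alone_fails && echo "leaf alone: no path to root (expected failure)"
chain_verifies   && echo "leaf + intermediate: chain verifies"
echo "tls.pem: $(cert_count) certificates, $(key_count) private key(s)"
```

With a real certificate, drop make_test_chain, put your CA-issued crt, the downloaded intermediate and your key in place of server.crt, inter.crt and server.key, and run the same three checks with -CAfile pointed at your system CA bundle instead of root.crt before copying the result over tls.pem and agent.pem.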
I was then able to connect linphone and also Bria!
Obligatory video of it working…
Thanks!
–John