Freeswitch TLS Sip

Setting up FreeSWITCH TLS with a certificate from a public certificate authority was NOT as easy as it appeared at first. I tried many different things to make it work, and finally I got it.

Here is the error we are dealing with:

tport_tls.c:1008 tls_connect() tls_connect(0x7f256800c9a0): TLS setup failed (error:00000005:lib(0):func(0):DH lib)

It took me a lot of digging, but I soon realized that, despite the "DH lib" wording, this had to do with an untrusted certificate: the client could not build a chain from my certificate up to a root it trusts. I am going to show you how to use a trusted cert, served together with its intermediate, so you can use a program like Linphone right out of the box to do SIP over TLS with FreeSWITCH.

First, generate your private key and CSR. My domain is ghostcall.io, so I am going to use that. I am also assuming you have a TLS-enabled build of FreeSWITCH installed (I also built with --enable-zrtp). The key has to exist before the CSR can be created from it, so generate it first:

openssl genrsa -out call.ghostcall.io.key 2048
openssl req -new -key call.ghostcall.io.key -out call.ghostcall.io.csr

After you have answered all the questions you have a CSR file. I used http://www.garrisonhost.com for my cert: I picked DomainSSL and pasted the contents of my CSR file into that site. After a while they emailed me my CRT. I copied that CRT file onto my FreeSWITCH server in my working directory. Here is where I ran into trouble: I also needed to include GlobalSign's intermediate certificate (Garrison Host resells GlobalSign certs), because that is what lets a client chain my certificate to the GlobalSign root it already trusts. So I took to Google and found it:

https://support.globalsign.com/customer/portal/articles/1464460-domainssl-intermediate-certificates

I pasted that intermediate certificate at the bottom of the CRT file I received, after my own certificate. I then needed to create the PEM file, which holds both the private key and the certificates:

openssl pkcs12 -export -in call.ghostcall.io.crt -inkey call.ghostcall.io.key -out call.ghostcall.io.p12
openssl pkcs12 -in call.ghostcall.io.p12 -nodes -out call.ghostcall.io.pem

That was it: the PEM now contained my private key, my certificate, and the GlobalSign intermediate. (The round trip through PKCS#12 is just a convenient way to bundle everything; -nodes writes the key out unencrypted, which FreeSWITCH needs in order to start without a passphrase.)

I then just needed to copy the new PEM file over the FreeSWITCH default files. Since it contains the private key, keep it readable only by the user FreeSWITCH runs as:

cp call.ghostcall.io.pem /usr/local/freeswitch/conf/ssl/agent.pem 
cp call.ghostcall.io.pem /usr/local/freeswitch/conf/ssl/tls.pem 
cp call.ghostcall.io.pem /usr/local/freeswitch/certs/tls.pem

Then restart FreeSWITCH: shut it down from fs_cli and start it again in the background (-nc runs it without a console, -hp asks for high priority):

fs_cli
freeswitch@internal> shutdown
freeswitch -nc -hp

Then I checked it using openssl s_client. The thing to look for is entry 1 in the certificate chain: the GlobalSign intermediate is now being served alongside my own certificate:

Johns-MacBook-Pro-165:~ john$ openssl s_client -showcerts -connect call.ghostcall.io:5061
CONNECTED(00000003)
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=call.ghostcall.io
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
[server certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
MIIEYzCCA0ugAwIBAgILBAAAAAABRE7wPiAwDQYJKoZIhvcNAQELBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
MDBaFw0yNDAyMjAxMDAwMDBaMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMTYwNAYDVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0
aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCp3cwOs+IyOd1JIqgTaZOHiOEM7nF9vZCHll1Z8syz0lhXV/lG72wm2DZC
jn4wsy+aPlN7H262okxFHzzTFZMcie089Ffeyr3sBppqKqAZUn9R0XQ5CJ+r69eG
ExWXrjbDVGYOWvKgc4Ux47JkFGr/paKOJLu9hVIVonnu8LXuPbj0fYC82ZA1ZbgX
qa2zmJ+gfn1u+z+tfMIbWTaW2jcyS0tdNQJjjtunz2LuzC7Ujcm9PGqRcqIip3It
INH6yjfaGJjmFiRxJUvE5XuJUgkC/VkrBG7KB4HUs9ra2+PMgKhWBwZ8lgg3nds4
tmI0kWIHdAE42HIw4uuQcSZiwFfzAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU6k581IAt5RWBhiaMgm3A
mKTPlw8wRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v
d3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCowKKAmoCSG
Imh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYBBQUHAQEE
MTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290
cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZIhvcNAQEL
BQADggEBANdFnqDc4ONhWgt9d4QXLWVagpqNoycqhffJ7+mG/dRHzQFSlsVDvTex
4bjyqdKKEYRxkRWJ3AKdC8tsM4U0KJ4gsrGX3G0LEME8zV/qXdeYMcU0mVwAYVXE
GwJbxeOJyLS4bx448lYm6UHvPc2smU9ZSlctS32ux4j71pg79eXw6ImJuYsDy1oj
H6T9uOr7Lp2uanMJvPzVoLVEgqtEkS5QLlfBQ9iRBIvpES5ftD953x77PzAAi1Pj
tywdO02L3ORkHQRYM68bVeerDL8wBHTk8w4vMDmNSwSMHnVmZkngvkA0x1xaUZK6
EjxS1QSCVS1npd+3lXzuP8MIugS+wEY=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=call.ghostcall.io
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 2567 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9C6549620AE9AD553FC94C9037DE7A0B7803FDEEC48C7CF42424DA85BC4DA894
    Session-ID-ctx: 
    Master-Key: 48C5FB15D308BEFEDA79BC335E8C6F0B665628C56B3F8C12D2DA3BF9AA361C013F2769166F98E79F60D253B2089ABA1B
    Key-Arg   : None
    Start Time: 1425850510
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I was then able to connect Linphone and also Bria! (The depth=1 "unable to get local issuer certificate" line above comes from my laptop's OpenSSL not having the GlobalSign root in its local trust store; what the SIP clients needed was the intermediate, which the server now sends as entry 1 in the chain.)
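The whole procedure above, from "which piece goes where" to "is the server now sending the chain", as an added shell example that is not from the original post or from the FreeSWITCH project. It builds the PEM by plain concatenation instead of the PKCS#12 round trip, and checks first that the key really belongs to the certificate and that the intermediate really issued it, which are the two mistakes that produce exactly the symptom described above. It assumes the openssl command-line tool (1.0.2 or newer, for "verify -partial_chain"); the function names, the file names and the host call.example.test are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the PEM that FreeSWITCH
# reads for SIP TLS from the three pieces a commercial CA gives you, and check
# that the pieces fit together before installing anything.
# Needs the openssl CLI, 1.0.2 or newer. File names and the host
# "call.example.test" below are assumptions for illustration.

# build_sip_pem KEY LEAF INTERMEDIATE OUT
#   KEY          your private key (the one the CSR was generated from)
#   LEAF         the certificate the CA emailed you
#   INTERMEDIATE the CA's intermediate certificate
#   OUT          the PEM to write, e.g. agent.pem
# Writes OUT as key + leaf + intermediate, owner-readable only, and prints
# the number of certificates it contains (2 on success). Returns non-zero
# without writing OUT if the pieces do not belong together.
build_sip_pem() {
    key="$1"; leaf="$2"; inter="$3"; out="$4"

    # 1. The public key inside the leaf must be the public half of KEY.
    #    Both commands emit the same SubjectPublicKeyInfo PEM, so compare digests.
    leaf_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -z "$leaf_pub" ] || [ "$leaf_pub" != "$key_pub" ]; then
        echo "build_sip_pem: $key does not match $leaf" >&2
        return 1
    fi

    # 2. The intermediate must really have signed the leaf. -partial_chain lets
    #    the intermediate act as the trust anchor, so the root is not needed here.
    if ! openssl verify -partial_chain -CAfile "$inter" "$leaf" >/dev/null 2>&1; then
        echo "build_sip_pem: $inter did not issue $leaf" >&2
        return 1
    fi

    # 3. Bundle in the order OpenSSL reads: private key, server certificate,
    #    then the chain. The file holds a private key, so create it 0600.
    ( umask 077; cat "$key" "$leaf" "$inter" > "$out" ) || return 1
    chmod 600 "$out"
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# served_chain_length HOST PORT
# Connects to the live SIP TLS port and counts the certificates the server
# actually sends. 1 means the intermediate is missing (the Linphone failure);
# 2 or more means the chain is being served. Needs the server to be reachable.
served_chain_length() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Illustrative usage (file names and host are assumptions):
#   build_sip_pem call.example.test.key call.example.test.crt intermediate.crt agent.pem
#   served_chain_length call.example.test 5061
```

The output file is what goes over agent.pem (and the other copies the post makes) in the FreeSWITCH ssl directory; the root certificate the vendor sends is not needed in it, since clients already carry the root. After the restart, a served chain length of 1 from the second function is the quickest way to tell the intermediate never made it into the file FreeSWITCH is actually reading.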

Obligatory video of it working…

Thanks!

–John

3 thoughts on “Freeswitch TLS Sip”

  1. Vince

    You’re just a gem.

    I fought for hours to understand why Linphone was not working when Jitsi was.

    I think, though, it is an issue with the certificate validation in Linphone.
    It should get the validation directly from the CA.

  2. Bipin

    Very helpful, but I'm stuck on one part. I have the commercial certificate file and the key file, along with the intermediate and root certificate from the vendor I bought the cert from, so can you tell me which part goes in which file in FreeSWITCH?
