Freeswitch TLS Sip

Setting up FreeSWITCH SIP over TLS with a certificate from a public certificate authority was NOT as easy as it appeared at first. I tried many different things to make it work, and finally I got it.

Here is the error we are dealing with:

tport_tls.c:1008 tls_connect() tls_connect(0x7f256800c9a0): TLS setup failed (error:00000005:lib(0):func(0):DH lib)

It took a lot of digging, but I eventually realized this had something to do with the certificate not being trusted by the client. I am going to show you how to use a trusted cert so a program like linphone can do SIP over TLS with FreeSWITCH right out of the box.

First generate your key, then the CSR from that key (the key has to exist before a CSR can be signed with it):
My domain is ghostcall.io so I am going to use that. I am also assuming you have FreeSWITCH built with TLS support (I also built with --enable-zrtp).

openssl genrsa -out call.ghostcall.io.key 2048
openssl req -new -key call.ghostcall.io.key -out call.ghostcall.io.csr

After you have answered all the questions you now have a csr file. I used http://www.garrisonhost.com for my cert; I picked DomainSSL and entered the contents of my csr file into that site. After a while they emailed me my crt. I copied and pasted that crt file onto my FreeSWITCH server in my working directory. Here is where I ran into trouble: I also needed to include GlobalSign's intermediate certificate (Garrison Host resells GlobalSign certs), because the server cert on its own does not let a client build the chain up to a root it trusts. So I took to Google and found it.

https://support.globalsign.com/customer/portal/articles/1464460-domainssl-intermediate-certificates

I copied and pasted the intermediate certificate into the crt file the CA had sent me, below my own certificate (server cert first, then the intermediate). I then needed to create the pem file, which for FreeSWITCH has to hold the private key as well as the certificate chain:

openssl pkcs12 -export -in call.ghostcall.io.crt -inkey call.ghostcall.io.key -out call.ghostcall.io.p12
openssl pkcs12 -in call.ghostcall.io.p12 -nodes -out call.ghostcall.io.pem

The first command prompts for an export password and the second asks for it back; -nodes writes the private key out unencrypted, which FreeSWITCH needs because nobody is there to type a passphrase when it starts as a daemon. The pkcs12 round trip is what bundles everything into one file (simply concatenating the key, the crt and the intermediate in that order gives an equivalent pem). That was it: the pem now held my key, my certificate and the GlobalSign intermediate.

I then just needed to copy the new pem file over the FreeSWITCH default files:

cp call.ghostcall.io.pem /usr/local/freeswitch/conf/ssl/agent.pem 
cp call.ghostcall.io.pem /usr/local/freeswitch/conf/ssl/tls.pem 
cp call.ghostcall.io.pem /usr/local/freeswitch/certs/tls.pem

Then restart freeswitch

fs_cli
freeswitch@internal> shutdown
freeswitch -nc -hp
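Putting the certificate steps together, here is an added example, not code from the original post or from FreeSWITCH: a POSIX shell script that builds the combined pem the same way (private key, server certificate, intermediate) and checks it before it is copied over agent.pem and tls.pem. Because it has to run offline it generates a throwaway root, intermediate and server certificate for the constructed hostname call.example.com; on a real server you would point build_pem at your own key, the CA-issued crt and the CA's intermediate, and verify_chain at the CA's root. It also goes one step beyond the post by building a pem without the intermediate, to show the chain failing the way a client sees it. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or FreeSWITCH): build the
# combined PEM FreeSWITCH loads (private key + server cert + intermediate)
# and check it before copying it over agent.pem / tls.pem.
# The root, intermediate and server certificate are a throwaway hierarchy
# generated here so the script runs offline; on a real server use your own
# key, the CA-issued crt and the CA's published intermediate instead.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_demo_hierarchy HOST: self-signed root -> intermediate (CA:TRUE) ->
# server certificate for HOST.  HOST is a constructed name for the demo.
make_demo_hierarchy() {
    host="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/inter.ext" \
        -out "$WORK/inter.crt" 2>/dev/null
    # Same two steps as in the post: the key first, then a CSR made from it.
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" -subj "/CN=$host" \
        -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$host.csr" -CA "$WORK/inter.crt" \
        -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/$host.crt" 2>/dev/null
}

# build_pem OUT KEY CRT [INTERMEDIATE ...]: plain concatenation gives the same
# result as the pkcs12 export/import round trip in the post.  Order matters:
# private key, then the server certificate, then its issuer(s).
build_pem() {
    out="$1"; shift
    cat "$@" > "$out"
    chmod 600 "$out"    # the file contains the private key
}

# key_matches_cert PEM: the private key and the first certificate in PEM
# must carry the same public key, or the TLS handshake fails outright.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_blocks PEM: how many certificates are bundled (2 or more once the
# intermediate is included).
cert_blocks() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_chain PEM ROOT: what a client such as linphone has to do, build a
# path from the server certificate to a root it trusts using only the
# intermediates the server sends, i.e. the certificates bundled in PEM.
verify_chain() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
        "$1" > "$WORK/chain_only.crt"
    openssl verify -CAfile "$2" -untrusted "$WORK/chain_only.crt" \
        "$WORK/chain_only.crt" >/dev/null 2>&1
}

# Stand-alone run (sh script.sh demo): the pem with the intermediate verifies,
# the one without it fails the same way the post's linphone did.
if [ "${1:-}" = "demo" ]; then
    make_demo_hierarchy call.example.com
    build_pem "$WORK/good.pem" "$WORK/call.example.com.key" \
        "$WORK/call.example.com.crt" "$WORK/inter.crt"
    build_pem "$WORK/bad.pem" "$WORK/call.example.com.key" \
        "$WORK/call.example.com.crt"
    key_matches_cert "$WORK/good.pem" && echo "good.pem: key and certificate match"
    verify_chain "$WORK/good.pem" "$WORK/root.crt" && echo "good.pem: chain verifies"
    verify_chain "$WORK/bad.pem" "$WORK/root.crt" || echo "bad.pem: no intermediate, chain does not verify"
fi
```

Run it with the argument demo (the script filename is whatever you save it as). The bad.pem case reproduces the situation in the post: without the intermediate bundled, a client that only knows the CA root cannot complete the chain, which is the same "unable to get local issuer certificate" condition that openssl verify and s_client report. On a real server, replace the demo root with the CA's root certificate so verify_chain checks the chain you actually deploy.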

Then I checked it using openssl. The verify error at depth 1 is just the client side not finding the GlobalSign root in its local CA store; what matters is that the server now sends both my certificate (0) and the intermediate (1):

Johns-MacBook-Pro-165:~ john$ openssl s_client -showcerts -connect call.ghostcall.io:5061
CONNECTED(00000003)
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=call.ghostcall.io
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=call.ghostcall.io
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 2567 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9C6549620AE9AD553FC94C9037DE7A0B7803FDEEC48C7CF42424DA85BC4DA894
    Session-ID-ctx: 
    Master-Key: 48C5FB15D308BEFEDA79BC335E8C6F0B665628C56B3F8C12D2DA3BF9AA361C013F2769166F98E79F60D253B2089ABA1B
    Key-Arg   : None
    Start Time: 1425850510
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I was then able to connect linphone and also Bria! (Note that the handshake above negotiated TLSv1 with AES256-SHA, an RSA key exchange with no forward secrecy; a current deployment should restrict FreeSWITCH to TLS 1.2 or newer.)

Obligatory video of it working…

Thanks!

–John

One thought on “Freeswitch TLS Sip”

  1. Vince

    You’re just a gem.

I fought for hours to understand why Linphone was not working when Jitsi was.

    I think, though, it is an issue with the certificate validation in Linphone.
    It should get the validation directly from the CA.
