![]() ![]() ![]() If you go into the FreeSWITCH CLI and type: sofia status ![]() This may in fact be what you want, and considering that several phones do not support TLS, but do support SSL you may configure accordingly. That is to say there isn't a way through signed certificates to validate whomever/whatever is calling is whom they claim to be. This will give you the ability to encrypt the data, however there is no mechanism by which to validate the certificate. If you've opted for this configuration option in your sip_profile: If it still fails to work properly, you might consider sslv23 as a fallback. If your phone won't register, or fails to work properly you might consider checking the Interoperability list, and/or your phones documentation and firmware revision. ![]() Also, ensure that the time is configured properly on your endpoint as you will get cryptic "bad certificate" error messages if the time is too far off, and it will fail to handshake properly. Generate the proper certificate, and make sure it's loaded into the phone. TLS runs on TCP, rather than UDP so make sure any firewalls are configured to work with the TCP protocol. There are a number of gotchas and snafu's possible with TLS. If you've opted for this configuration in your sip_profile: Point each profile to the individual directory which contains its specific agent.pem file. Then place an agent.pem and cafile.pem into each of the directories. In this case, simply create a new directory under /usr/local/freeswitch/conf/ssl/ for each DNS record. However, each may be represented to third parties using a different DNS record. If you have multiple Sofia SIP profiles, you may find yourself wanting to enable TLS support for each of the profiles. If you have doubts about whether a certificate will work, you should only purchase the certificate from a company offering 30-day refund policy. For example, Thawte SSL123 certificates (their cheapest option) are known to work in at least one installation. Most commercial web server certificates should work for FreeSWITCH. This is required for Eyebeam (and I think Pangolin too).ĪTTENTION: TLS is disabled by default, set internal_ssl_enable and/or external_ssl_enable to "true" to enable. Note: The name given for -cn and -alt must be the same as the DNS name of your freeswitch installation and used as the registrar name on the phone (at least on Polycoms). In order for the new certificate to take effect only way for FS to use it to restart FS. To set up new CA and create new certificate under Windows go here. Note : This simply seems to copy CA/cacert.pem into cafile.pem, both of which are hence simply the root certificates. It should contain the domain name in the common and alternate name. This file contains the certificate and the private key. There is a script at //freeswitch/conf/ssl/agent.pem. To use TLS you need at least two certificates: the root certificate (CA) and a certificate for every server. If you've compiled FreeSWITCH without this package installed, there will be no support for encryption and you will need to re-compile it after you install the OpenSSL-Dev package.įor debian do aptitude install libssl (on lenny install libcurl4-openssl-dev) and then compile. If you do not have the OpenSSL-Dev package installed the problem is the sip_profile that contains the encryption configuration directives specified below in Step 2 will fail to start. You will need the following in order to compile FreeSWITCH with TLS encryption support: More complex configurations are possible, however they will not be covered in this documentation. The convention is to run the SIPS on port 5061. FreeSWITCH supports the encryption of SIP signaling traffic via SSL and/or TLS. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |