Uploaded image for project: 'FreeSWITCH'
  1. FreeSWITCH
  2. FS-10588

Trying to get TLS to work



    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not A Bug
    • Affects Version/s: 1.6.19
    • Fix Version/s: None
    • Component/s: Configuration
    • Labels:
    • Environment:
      FreeSwitch to a SBC
    • CPU Architecture:
    • Kernel:
    • uname:
      Linux EBRSER03 3.10.0-514.26.1.el7.x86_64 #1 SMP Thu Jun 29 16:05:25 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    • Distribution:
    • Distribution Version:
      CentOS 7
    • Compiler:
    • FreeSWITCH GIT Revision:
      Not sure how to get this
    • GIT Master Revision hash::
      Not sure how to get this


      I have been able to get a SIP UDP and TCP call to work, but not TLS. I keep getting the error "2017-08-14 12:44:41.100391 [ERR] mod_sofia.c:4542 You are trying to use a different transport type for this gateway (overriding the register-transport), this is unsupported!".

      Any thoughts?

      Thank you ahead of time.

      My dailplan looks like:
      <extension name="CBRNBS703_TLS_7202007909">
      <condition field="destination_number" expression="7202007909">
      <!-- LVLT -->
      <!-- LVLT Use RTCP -->
      <!-- <action application="set" data="rtcp_audio_interval_msec=5000"/> -->
      <action application="set" data="dtmf_type=rfc2833"/>
      <action application="bridge" data="sofia/gateway/cbrnbs703-tls/7202007909@;transport=tls"/>

      My gateway looks like:
      <!-- LVLT -->
      <!-- LVLT CBRNBS703 TLS SIP Profile -->

      <gateway name="cbrnbs703-tls">

      <!-/// account username required ///->
      <param name="username" value="username"/>

      <!-/// auth realm: optional same as gateway name, if blank ///->
      <!-<param name="realm" value="asterlink.com"/>->

      <!-/// username to use in from: optional same as username, if blank ///->
      <!-<param name="from-user" value="cluecon"/>->

      <!-/// domain to use in from: optional same as realm, if blank ///->
      <!-<param name="from-domain" value="asterlink.com"/>->

      <!-/// account password required ///->
      <param name="password" value="password"/>

      <!-/// extension for inbound calls: optional same as username, if blank ///->
      <!-<param name="extension" value="cluecon"/>->

      <!-/// proxy host: optional same as realm, if blank ///->
      <!-<param name="proxy" value="asterlink.com"/>->

      <!-/// send register to this proxy: optional same as proxy, if blank ///->
      <!-<param name="register-proxy" value="mysbc.com"/>->

      <!-/// expire in seconds: optional 3600, if blank ///->
      <!-<param name="expire-seconds" value="60"/>->

      <!-/// do not register ///->
      <param name="register" value="false"/>

      <!-- which transport to use for register -->
      <!-- <param name="register-transport" value="tcp"/> -->
      <param name="register-transport" value="tcp"/> <-- TLS not accepted.

      <!--How many seconds before a retry when a failure or timeout occurs -->
      <!-<param name="retry-seconds" value="30"/>->

      <!--Use the callerid of an inbound call in the from field on outbound calls via this gateway -->
      <!-<param name="caller-id-in-from" value="false"/>->

      <!-extra sip params to send in the contact->
      <!-<param name="contact-params" value="tport=tcp"/>->

      <!-send an options ping every x seconds, failure will unregister and/or mark it down->
      <!-<param name="ping" value="25"/>->
      <!-<param name="ping" value="5"/>->



      <profile name="external">
      <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
      <!-- This profile is only for outbound registrations to providers -->
      <X-PRE-PROCESS cmd="include" data="external/*.xml"/>

      <alias name="outbound"/>
      <alias name="nat"/>

      <domain name="all" alias="false" parse="true"/>

      <param name="debug" value="0"/>
      <!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
      <!-- <param name="shutdown-on-fail" value="true"/> -->
      <param name="sip-trace" value="no"/>
      <param name="sip-capture" value="no"/>
      <param name="rfc2833-pt" value="101"/>
      <!-- RFC 5626 : Send reg-id and sip.instance -->
      <!--<param name="enable-rfc-5626" value="true"/> -->
      <param name="sip-port" value="$${external_sip_port}"/>
      <param name="dialplan" value="XML"/>
      <param name="context" value="public"/>
      <param name="dtmf-duration" value="2000"/>

      <param name="dtmf-type" value="none"/>

      <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
      <param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
      <param name="hold-music" value="$${hold_music}"/>
      <param name="rtp-timer-name" value="soft"/>
      <!-<param name="enable-100rel" value="true"/>->
      <!-<param name="disable-srv503" value="true"/>->
      <!-- This could be set to "passive" -->
      <param name="local-network-acl" value="localnet.auto"/>
      <param name="manage-presence" value="false"/>

      <!-- used to share presence info across sofia profiles
      manage-presence needs to be set to passive on this profile
      if you want it to behave as if it were the internal profile
      for presence.
      <!-- Name of the db to use for this profile -->
      <!-<param name="dbname" value="share_presence"/>->
      <!-<param name="presence-hosts" value="$${domain}"/>->
      <!-<param name="force-register-domain" value="$${domain}"/>->
      <!--all inbound reg will stored in the db using this domain -->
      <!-<param name="force-register-db-domain" value="$${domain}"/>->
      <!-- ************************************************* -->

      <!-<param name="aggressive-nat-detection" value="true"/>->
      <param name="inbound-codec-negotiation" value="generous"/>
      <param name="nonce-ttl" value="60"/>
      <param name="auth-calls" value="false"/>
      <param name="inbound-late-negotiation" value="true"/>
      <param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
      <param name="rtp-ip" value=""/>
      <param name="sip-ip" value=""/>
      <param name="ext-rtp-ip" value="auto-nat"/>
      <param name="ext-sip-ip" value="auto-nat"/>
      <param name="rtp-timeout-sec" value="300"/>
      <param name="rtp-hold-timeout-sec" value="1800"/>
      <!-<param name="enable-3pcc" value="true"/>->

      <!-- TLS: disabled by default, set to "true" to enable -->
      <!-- param name="tls" value="$${external_ssl_enable}"/ -->
      <param name="tls" value="enable"/>
      <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
      <param name="tls-only" value="false"/>
      <!-- additional bind parameters for TLS -->
      <param name="tls-bind-params" value="transport=tls"/>
      <!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
      <param name="tls-sip-port" value="$${external_tls_port}"/>
      <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
      <!-<param name="tls-cert-dir" value=""/>->
      <param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
      <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
      <param name="tls-passphrase" value=""/>
      <!-- Verify the date on TLS certificates -->
      <param name="tls-verify-date" value="true"/>
      <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
      <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
      <param name="tls-verify-policy" value="none"/>
      <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
      <param name="tls-verify-depth" value="2"/>
      <!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
      <param name="tls-verify-in-subjects" value=""/>
      <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
      <param name="tls-version" value="$${sip_tls_version}"/>

      <!-- Disable Register -->
      <param name="disable-register" value="true"/>




            • Assignee:
              brian@freeswitch.org Brian West
              mlmiller4391 Michael Miller
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: