TLS with Cisco SPA112

TLS with Cisco SPA112

Nick Vines
Has anyone successfully set up the spa112 or spa122 to use TLS? I tried setting my spa112 up following the generic TLS guide, but I am getting the following repeated error when I use `sofia loglevel all 9`:

tport.c:2730 tport_wakeup_pri() tport_wakeup_pri(0x7fb6d40054c0): events IN
tport.c:869 tport_alloc_secondary() tport_alloc_secondary(0x7fb6d40054c0): new secondary tport 0x7fb6d40e9b00
tport_type_tls.c:603 tport_tls_accept() tport_tls_accept(0x7fb6d40e9b00): new connection from tls/my_ip_address:my_port/sips
tport_tls.c:869 tls_connect() tls_connect(0x7fb6d40e9b00): events NEGOTIATING
tport_tls.c:958 tls_connect() tls_connect(0x7fb6d40e9b00): TLS setup failed (error:00000001:lib(0):func(0):reason(1))
tport.c:2084 tport_close() tport_close(0x7fb6d40e9b00): tls/my_ip_address:my_port/sips


I double checked that TLS would work using fsclient to connect to my server, and that connected instantly. 

Thanks,
Nick 



_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
[hidden email]
http://www.freeswitchsolutions.com

FreeSWITCH-powered IP PBX: The CudaTel Communication Server
http://www.cudatel.com

Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com

FreeSWITCH-users mailing list
[hidden email]
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org

Re: TLS with Cisco SPA112

Brian West
It's going to be a cipher suite issue, I think the changing of gen_tlscert to do EC certs was a BAD IDEA.  Some devices can't deal with it properly.

/b

On Sep 22, 2013, at 2:38 PM, Nick Vines <[hidden email]> wrote:

> Has anyone successfully set up the spa112 or spa122 to use TLS? I tried setting my spa112 up following the generic TLS guide, but I am getting the following repeated error when I use `sofia loglevel all 9`:
>
> tport.c:2730 tport_wakeup_pri() tport_wakeup_pri(0x7fb6d40054c0): events IN
> tport.c:869 tport_alloc_secondary() tport_alloc_secondary(0x7fb6d40054c0): new secondary tport 0x7fb6d40e9b00
> tport_type_tls.c:603 tport_tls_accept() tport_tls_accept(0x7fb6d40e9b00): new connection from tls/my_ip_address:my_port/sips
> tport_tls.c:869 tls_connect() tls_connect(0x7fb6d40e9b00): events NEGOTIATING
> tport_tls.c:958 tls_connect() tls_connect(0x7fb6d40e9b00): TLS setup failed (error:00000001:lib(0):func(0):reason(1))
> tport.c:2084 tport_close() tport_close(0x7fb6d40e9b00): tls/my_ip_address:my_port/sips
>
>
> I double checked that TLS would work using fsclient to connect to my server, and that connected instantly.
>
> Thanks,
> Nick
>
>


Re: TLS with Cisco SPA112

Nick Vines
Thanks Brian. 

I couldn't find an earlier version of the gentls in git, but I'm still new to git. I tried modifying gentls to use rsa:1024 instead of ec, but I'm still getting the same error messages in the sofia log when the SPA112 tries to connect. FSClient connects with both rsa:1024 and rsa:2048, but I haven't tried to connect any other devices to the server. 

Changes made to gentls_cert:
setup_ca():
       openssl req -out "${CONFDIR}/CA/cacert.pem" -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" -newkey rsa:1024 -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1

generate_cert():
  openssl req -new -out "${TMPFILE}.req" -newkey rsa:1024 -keyout "${TMPFILE}.key" -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1


On Sun, Sep 22, 2013 at 5:14 PM, Brian West <[hidden email]> wrote:
It's going to be a cipher suite issue, I think the changing of gen_tlscert to do EC certs was a BAD IDEA.  Some devices can't deal with it properly.

/b

On Sep 22, 2013, at 2:38 PM, Nick Vines <[hidden email]> wrote:

> Has anyone successfully set up the spa112 or spa122 to use TLS? I tried setting my spa112 up following the generic TLS guide, but I am getting the following repeated error when I use `sofia loglevel all 9`:
>
> tport.c:2730 tport_wakeup_pri() tport_wakeup_pri(0x7fb6d40054c0): events IN
> tport.c:869 tport_alloc_secondary() tport_alloc_secondary(0x7fb6d40054c0): new secondary tport 0x7fb6d40e9b00
> tport_type_tls.c:603 tport_tls_accept() tport_tls_accept(0x7fb6d40e9b00): new connection from tls/my_ip_address:my_port/sips
> tport_tls.c:869 tls_connect() tls_connect(0x7fb6d40e9b00): events NEGOTIATING
> tport_tls.c:958 tls_connect() tls_connect(0x7fb6d40e9b00): TLS setup failed (error:00000001:lib(0):func(0):reason(1))
> tport.c:2084 tport_close() tport_close(0x7fb6d40e9b00): tls/my_ip_address:my_port/sips
>
>
> I double checked that TLS would work using fsclient to connect to my server, and that connected instantly.
>
> Thanks,
> Nick
>
>



Re: TLS with Cisco SPA112

Brian West
Did you load your CA cert into the SPA?  If not then that could be a problem too.. crank up its logging and see what it's getting mad about.


On Sep 23, 2013, at 10:28 AM, Nick Vines <[hidden email]> wrote:

> Thanks Brian.
>
> I couldn't find an earlier version of the gentls in git, but I'm still new to git. I tried modifying gentls to use rsa:1024 instead of ec, but I'm still getting the same error messages in the sofia log when the SPA112 tries to connect. FSClient connects with both rsa:1024 and rsa:2048, but I haven't tried to connect any other devices to the server.
>
> Changes made to gentls_cert:
> setup_ca():
>        openssl req -out "${CONFDIR}/CA/cacert.pem" -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" -newkey rsa:1024 -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1
>
> generate_cert():
>        openssl req -new -out "${TMPFILE}.req" -newkey rsa:1024 -keyout "${TMPFILE}.key" -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
>


--
Brian West
[hidden email]
FreeSWITCH Solutions, LLC
PO BOX PO BOX 2531
Brookfield, WI 53008-2531
Twitter: @FreeSWITCH_Wire , @briankwest
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com

T: +1.918.420.9001  |  F: +1.918.420.9002  |  M: +1.918.424.WEST
iNUM: +883 5100 1420 9001
ISN: 410*543
Skype:briankwest
PGP Key: http://www.bkw.org/key.txt (AB93356707C76CED)

Re: TLS with Cisco SPA112

Nick Vines
Turns out there isn't a way to load any cert onto the spa112, and its logging is not helpful at all. I'm still at a loss as to how to get it to work.

I got https provisioning working with the devices, so perhaps I can reuse some of those files. I haven't been able to figure out what agent.pem/cafile.pem combination to use though.

For getting the spa112 to work with https provisioning, I did the following:
1. (on server, private key) openssl genrsa -out <file.key> 1024
2. (on server, generate cert request) openssl req -new -key <file.key> -out <file.csr>
3. sent the `file.csr` to cisco and they sent back a `file.crt` with the signed certificate.
4. cisco also sent back a combinedca.crt with many certificates in that file.

In my apache virtual host I put
#Server Cert
SSLCertificateFile .../file.crt

#Server Private Key:
SSLCertificateKeyFile .../file.key

#Client authentication Certificate Authority (CA)
SSLVerifyClient require
SSLCACertificatePath .../path/
SSLCACertificateFile .../path/combinedca.crt


I have tried the following, but neither worked.

1)
cat `file.crt` `file.key` > agent.pem
cp `file.crt` cafile.pem

2)
cat `file.crt` `file.key` > agent.pem
cp `combinedca.crt` cafile.pem


Any suggestions on how I might use those files to make a TLS profile for the cisco devices?

Thanks,
Nick

On Sep 23, 2013, at 12:40 PM, Brian West <[hidden email]> wrote:

> Did you load your CA cert into the SPA?  If not then that could be a problem too.. crank up its logging and see what it's getting mad about.
>
>
> On Sep 23, 2013, at 10:28 AM, Nick Vines <[hidden email]> wrote:
>
>> Thanks Brian.
>>
>> I couldn't find an earlier version of the gentls in git, but I'm still new to git. I tried modifying gentls to use rsa:1024 instead of ec, but I'm still getting the same error messages in the sofia log when the SPA112 tries to connect. FSClient connects with both rsa:1024 and rsa:2048, but I haven't tried to connect any other devices to the server.
>>
>> Changes made to gentls_cert:
>> setup_ca():
>>       openssl req -out "${CONFDIR}/CA/cacert.pem" -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" -newkey rsa:1024 -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1
>>
>> generate_cert():
>>       openssl req -new -out "${TMPFILE}.req" -newkey rsa:1024 -keyout "${TMPFILE}.key" -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
>>



Re: TLS with Cisco SPA112

Nick Vines
Success! I guess I hadn't reloaded one of the profiles recently, but my spa112 registers now. 

The setup that works is #2 from the previous email:

Follow directions at the following link: https://supportforums.cisco.com/docs/DOC-9852. Then...
cat `file.crt` `file.key` > agent.pem
cp `combinedca.crt` cafile.pem

And in the sip profile you need to use sslv23 not tlsv1. 
<param name="tls-version" value="sslv23"/>

I updated the interop list on the wiki with that info too.

Nick 

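The working setup above is "cert + key concatenated into agent.pem, CA bundle copied to cafile.pem", and the thread shows how unhelpful the sofia log is when that pair is wrong (a bare "TLS setup failed" with no reason). The script below is an added example, not code from the thread or from the FreeSWITCH project: it assembles the pair the same way and then checks it before it ever reaches FreeSWITCH, so a key that does not belong to the certificate, or a certificate that does not chain to anything in cafile.pem, is caught locally. Since the Cisco-signed file.crt and combinedca.crt are not reproducible here, it stands up a throwaway CA of its own as a constructed stand-in, and it uses RSA 2048 rather than the 1024-bit key from the thread. The directory layout and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the agent.pem / cafile.pem pair from
# setup #2 above and sanity-check it before handing it to FreeSWITCH.
# The CA and server certificate are CONSTRUCTED on the spot as a stand-in for the
# Cisco-signed file.crt and combinedca.crt; nothing here is Cisco's material.
set -eu

# Build a constructed CA plus a CA-signed server certificate in DIR.
make_constructed_pki() {
  dir=$1
  mkdir -p "$dir"
  # throwaway CA: plays the role of combinedca.crt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/combinedca.crt" >/dev/null 2>&1
  # server key + CSR (steps 1 and 2 of the thread, with RSA 2048 instead of 1024)
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=pbx.example.test" \
    -keyout "$dir/file.key" -out "$dir/file.csr" >/dev/null 2>&1
  # the CA signs the CSR (step 3: the part Cisco did for Nick)
  openssl x509 -req -sha256 -days 2 -in "$dir/file.csr" \
    -CA "$dir/combinedca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/file.crt" >/dev/null 2>&1
}

# Setup #2 from the thread: agent.pem = cert + key, cafile.pem = CA bundle.
build_sofia_bundle() {
  dir=$1
  cat "$dir/file.crt" "$dir/file.key" > "$dir/agent.pem"
  cp "$dir/combinedca.crt" "$dir/cafile.pem"
  chmod 600 "$dir/agent.pem"   # the bundle carries the private key
}

# Exit status 0 if the bundle is internally consistent, 1 otherwise.
check_sofia_bundle() {
  dir=$1
  # 1. the public key inside the certificate must equal the one derived from the
  #    private key in the same file; a mismatch fails the handshake with no useful log
  cert_pub=$(openssl x509 -in "$dir/agent.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/agent.pem" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "agent.pem: certificate and private key do not match" >&2
    return 1
  fi
  # 2. the certificate must chain to an issuer in cafile.pem, the set the phone
  #    is expected to trust
  if ! openssl verify -CAfile "$dir/cafile.pem" "$dir/agent.pem" >/dev/null 2>&1; then
    echo "agent.pem does not verify against cafile.pem" >&2
    return 1
  fi
  return 0
}

# Demo run on a temporary directory (constructed PKI, see above).
demo=$(mktemp -d)
make_constructed_pki "$demo"
build_sofia_bundle "$demo"
if check_sofia_bundle "$demo"; then
  echo "bundle in $demo is consistent; copy agent.pem and cafile.pem into the FreeSWITCH cert directory"
fi
rm -rf "$demo"
```

Run it as-is to see the constructed case pass; to check real material, skip make_constructed_pki, drop the Cisco-signed file.crt, file.key and combinedca.crt into a directory, and call build_sofia_bundle and check_sofia_bundle on it. The check is deliberately done with the assembled agent.pem rather than the separate files, so what is verified is exactly what FreeSWITCH will load.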

Re: TLS with Cisco SPA112

Brian West
Could you kindly document this on the TLS/SRTP wiki page as tested?
On Sep 28, 2013, at 9:51 PM, Nick Vines <[hidden email]> wrote:

> Success! I guess I hadn't reloaded one of the profiles recently, but my spa112 registers now.
>
> The setup that works is #2 from the previous email:
>
> Follow directions at the following link: https://supportforums.cisco.com/docs/DOC-9852. Then...
> cat `file.crt` `file.key` > agent.pem
> cp `combinedca.crt` cafile.pem
>
> And in the sip profile you need to use sslv23 not tlsv1.
> <param name="tls-version" value="sslv23"/>
>
> I updated the interop list on the wiki with that info too.
>
> Nick
