New Member

SPA112 using TLS with Freeswitch

Hello,

I've been trying to connect a few spa112s running 1.3.2 to my freeswitch server (up-to-date and TLS works with other devices). Has anyone successfully gotten the spa 112/122 to connect using TLS?

I tried the following which is from the Asterisk/SPA3xx5xx Phone guide (https://supportforums.cisco.com/docs/DOC-15381), but I am getting the same errors.


openssl genrsa 1024 > host.key

openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert

cat host.cert host.key > asterisk.pem

#For Freeswitch in the ssl directory of the sip_profile

mv host.cert cafile.pem #server cert (begin certificate)

mv asterisk.pem agent.pem #both, file is server cert followed by private key (begin/end certificate and begin/end private key)

The syslog I am seeing from the spa is the following with varying Backoff times:

[0]SIP/TCP NewLocalPort:23062

[0:0]SIP/TCP:Connecting(15)...

[0:0]SIP/TCP:Connect=0

[0:0]SIP/TLS:Connecting(15)...

[0:0]SIP/TLS:Connect=-1

S[0:0]SIP/TLS:Connect Failed

[0]SIP/TCP Backoff 4000 ms

There is another post on here for TLS and SPA5xx phones, https://supportforums.cisco.com/message/3458777, but I am not sure how to use the combinedca that I have for provisioning, lots of certificates in a file, with the cafile/agent that freeswitch uses.

Thanks for the help.

VIP Gold

Re: SPA112 using TLS with Freeswitch

You are trying to use a self-signed certificate? It depends on the implementation, but some implementations reject CA certificates used as a standard certificate. I don't know if the SPA1x2 is affected by it.

You may consider creating your own CA and then issuing a casual certificate to avoid problems.

All in all, the CA issuing the certificate needs to be trusted by the SPA1x2. So you need either a certificate issued by an internal preinstalled CA (such a certificate can be requested from Cisco), or you need to download the CA certificate into the SPA112 (if you are using your own CA to issue certificates).

Please note that the SPA112 is not an SPA IP Phone but an ATA, so this thread is not appropriate here. Please use the top left corner menu to move it to the appropriate place.

New Member

SPA112 using TLS with Freeswitch

I originally tried using a self signed cert, but that didn't work. I next tried using the private key I generated for the HTTPS Provisioning and the Certificate I got back from Cisco after I sent my CSR. But I'm still getting the same errors. I do have https provisioning setup and running fine with the key, cert, and combinedca files (https://supportforums.cisco.com/docs/DOC-9852).

If I understand correctly, the following would be a casual certificate, and not a CA certificate, right? I tried it and got the same errors.

> openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Is it possible to put my own key on the SPA112? I haven't found anything in the provisioning guide or admin guide to suggest that is possible.

Thanks!

VIP Gold

SPA112 using TLS with Freeswitch

> I next tried using the private key I generated for the HTTPS Provisioning and the Certificate I got back from Cisco after I sent my CSR. But I'm still getting the same errors.

Then there is no problem with an untrusted certificate - if properly configured.

> If I understand correctly, the following would be a casual certificate, and not a CA certificate, right? I tried it and got the same errors.
>
> openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

This is a certificate request only. It must be signed by a CA to become a certificate.

> Is it possible to put my own key on the SPA112?

No.

New Member

SPA112 using TLS with Freeswitch

Thanks Dan. I spent a bit more time experimenting and trying different combinations and finally got it to work. For anybody that runs into the same question,

  • Enable TLS in your freeswitch sip profile.
  • Make sure it is sslv23, not tlsv1. Rest of the settings can be left as is.
  • Get the certificates as described in https://supportforums.cisco.com/docs/DOC-9852. You will need all three - key, cert, and combinedca.
  • In the ssl directory of your freeswitch sip profile, put
    • cat file.crt file.key > agent.pem
    • cp combinedca.crt cafile.pem
  • Restart freeswitch and you should be good to go!

This is running on freeswitch 1.2.13.
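
A pre-restart check for the `agent.pem` / `cafile.pem` pair described in the steps above, as an added example that is not part of the original thread. The function names `check_tls_dir` and `make_fixture`, the return codes and the throwaway test CA are assumptions made up for the illustration; only the file names and the `cat`/`cp` layout come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): check a FreeSWITCH profile ssl directory.
# check_tls_dir DIR returns 0 = ok, 1 = files or certificate unreadable,
# 2 = private key does not match the certificate,
# 3 = certificate does not chain to cafile.pem.
check_tls_dir() {
    agent="$1/agent.pem"; ca="$1/cafile.pem"
    [ -r "$agent" ] && [ -r "$ca" ] || return 1
    # agent.pem holds the certificate followed by its private key
    cert_pub=$(openssl x509 -in "$agent" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$agent" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
    # cafile.pem must contain the chain that issued the certificate
    openssl verify -CAfile "$ca" "$agent" >/dev/null 2>&1 || return 3
    return 0
}

# Constructed fixture: a throwaway CA stands in for combinedca.crt.
make_fixture() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Example Test CA" -keyout ca.key -out combinedca.crt &&
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=fs.example.test" -keyout file.key -out file.csr &&
        openssl x509 -req -in file.csr -CA combinedca.crt -CAkey ca.key \
            -CAcreateserial -days 2 -out file.crt &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=self.example.test" -keyout self.key -out self.crt &&
        mkdir good badkey selfsigned &&
        for c in good badkey selfsigned; do cp combinedca.crt "$c/cafile.pem"; done &&
        cat file.crt file.key > good/agent.pem &&      # layout from the post
        cat file.crt ca.key > badkey/agent.pem &&      # wrong key appended
        cat self.crt self.key > selfsigned/agent.pem   # not issued by the CA
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

fx=$(make_fixture) || { echo "fixture failed (is openssl installed?)" >&2; exit 1; }
for c in good badkey selfsigned; do
    rc=0; check_tls_dir "$fx/$c" || rc=$?
    echo "$c: $rc"
done
```

Against a real profile, call `check_tls_dir` with the ssl directory of the sip profile; a result of 3 means the certificate in `agent.pem` was not issued by anything in `cafile.pem`.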
