TLS issue: after rescan, port 5061 did not open


kwangmien

Hi,

I am using Fusion PBX 4.5.10.

I am trying to enable TLS in Fusion PBX. Below is what I did.

a. I followed the steps in https://docs.fusionpbx.com/en/latest/additional_information/sip_tls.html
b. I have enabled internal_ssl_enable and external_ssl_enable and flushed the cache in SIP Status.
c. When I rescanned the internal and external profiles, 5061 and 5081 did not appear in SIP Status.
d. I restarted the freeswitch process, but 5061 did not open.

Can anyone advise how I can resolve this issue?

Thanks.


Regards,
Kwang Mien
 

Adrian Fretwell

See what is written to the FreeSWITCH log file (/var/log/freeswitch/freeswitch.log); it may give you a clue. Problems like this are often caused by certificate errors (configuration or permissions).
 

kwangmien

These are the logs from /var/log/freeswitch/freeswitch.log after I did a re-scan. I noticed the 1st line: tls [false].
I have enabled internal_ssl_enabled and external_ssl_enabled. Are there other settings that need to be configured to enable TLS?


2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls [false]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-only [false]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-bind-params [transport=tls]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-sip-port [5061]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-cert-dir [/etc/freeswitch/tls]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-passphrase []
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-verify-date [true]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-verify-depth [2]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-verify-in-subjects []
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-version [tlsv1]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 nonce-ttl [60]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 auth-calls [true]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 auth-subscriptions [true]
 

Adrian Fretwell

Your log extract does not show any errors; I am not sure what is going on...

How are your certificates set up?

I forget the detail now, but I use a simple shell script to make sure the certificates are correctly installed in the FreeSWITCH tls directory (usually /etc/freeswitch/tls). Not all the lines in my script are required, but I have included it all for completeness:

Code:
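#!/bin/bash

# stop at the first error, so a failed step is not followed by later ones
set -e

# abort if the source directory is missing, before anything is deleted
cd /where-my-new-certificates-live || exit 1

# setup freeswitch tls

# make sure the freeswitch directory exists
#mkdir -p /etc/freeswitch/tls

# make sure the freeswitch certificate directory is empty
# (-f: do not fail when the directory is already empty)
rm -f /etc/freeswitch/tls/*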

# combine the certs into all.pem
cat mydomain.uk-fullchain.pem > /etc/freeswitch/tls/all.pem
cat mydomain.uk-privkey.pem >> /etc/freeswitch/tls/all.pem

# copy the certificates
cp mydomain.uk-cert.pem /etc/freeswitch/tls/cert.pem
cp mydomain.uk-chain.pem /etc/freeswitch/tls/chain.pem
cp mydomain.uk-fullchain.pem /etc/freeswitch/tls/fullchain.pem
cp mydomain.uk-privkey.pem /etc/freeswitch/tls/privkey.pem

# add symbolic links
ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/agent.pem
ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/tls.pem
ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/wss.pem
ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/dtls-srtp.pem

# set the permissions
chown -R www-data:www-data /etc/freeswitch/tls

#fs_cli -x "reload mod_sofia"

# done.
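
A check for the directory layout the script above produces, added here as an example and not part of the original post or of FusionPBX. The function name check_tls_dir and its finding labels are hypothetical, and GNU stat is assumed; it reports links that are missing or dangling, files lacking a certificate or private key block, and key files that users outside the owner and group can access.

```bash
#!/bin/bash
# check_tls_dir DIR: one finding per line on stdout; succeeds only if there are none.
check_tls_dir() (
    dir=$1
    findings=0
    for name in agent.pem tls.pem wss.pem dtls-srtp.pem; do
        file="$dir/$name"
        # -e follows symlinks, so a dangling link counts as missing
        if [ ! -e "$file" ]; then
            echo "MISSING $name"
            findings=$((findings + 1))
            continue
        fi
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$file"; then
            echo "NO_CERT $name"; findings=$((findings + 1))
        fi
        if ! grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$file"; then
            echo "NO_KEY $name"; findings=$((findings + 1))
        fi
        # Mode of the link target (GNU stat, an assumption); a non-zero last
        # digit means users other than owner and group can access the key.
        mode=$(stat -L -c '%a' "$file")
        case "$mode" in
            *[1-7]) echo "OTHERS_CAN_ACCESS $name mode=$mode"
                    findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# Run against a directory given on the command line, e.g. /etc/freeswitch/tls
[ $# -eq 0 ] || check_tls_dir "$1"
```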
 

kwangmien

Thanks for sharing.

I tried on another Fusion PBX, version 4.4.6. After re-scan, it auto-generated tls.pem in /etc/freeswitch/tls. There is no TLS issue for version 4.4.6.

However, in Fusion PBX version 4.5.10, only dtls-srtp.pem is in /etc/freeswitch/tls after the re-scan.

In /etc/freeswitch/vars.xml, external_ssl_enable and internal_ssl_enable are shown as true.

<!-- SIP Profile: External -->
<X-PRE-PROCESS cmd="set" data="external_ssl_enable=true" />
<X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${conf_dir}/tls" />
<X-PRE-PROCESS cmd="set" data="external_sip_port=5080" />
<X-PRE-PROCESS cmd="set" data="external_tls_port=5081" />

<!-- SIP Profile: Internal -->
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true" />
<X-PRE-PROCESS cmd="set" data="internal_sip_port=5060" />
<X-PRE-PROCESS cmd="set" data="internal_tls_port=5061" />
<X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${conf_dir}/tls" />


I am not sure why freeswitch.log showed that tls is false:

2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls [false]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-only [false]
....
 

jeetz

Hi kwangmien,

I have exactly the same problem, did you find out the error?

Jeet.
 

paulc

This has been an ongoing issue with me for a while now. I use voip.ms. Trying to use encryption and the log states:

sofia.c:3901 ERROR: unsupported transport

I found something somewhere that I think solves my issue, but have yet to figure out how I apply it to FreeSWITCH start.

Add --bind="sips:*:*" so that we can use tports_sips which provides tls protocol.
from https://github.com/freeswitch/sofia-sip/issues/40
 

km4ibc

I have the same sofia.c:3901 ERROR: unsupported transport error only on the external profile. TLS works fine for extensions on the internal profile. What makes this even more puzzling to me is that I'm running three servers. All three were set up using an Ansible playbook, so they should be identical. They are configured as failover servers with real-time database replication. All the settings appear to be in sync; however, TLS works on the external profile on the primary server but fails with the above error on the other two servers. I'm definitely curious what you guys discover.
 
Jul 15, 2021
102
9
18
34
In the profile you need to enable "tls" and also set the value to true, only then you will get the tls value to be true. You may need to restart the profile - rescan alone didn't work in my case.
 
Jul 15, 2021
102
9
18
34
As mentioned earlier, in the profile you need to enable "tls" and also set the value to true - you haven't done that. You need to add a field called tls and set it to true in the profiles - I assume you are trying to change the variables - which is not the place.

Go to Advanced -> SIP Profiles, click on internal and scroll to the bottom; you will see the TLS option at the bottom. Same with external.
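
The situation in this thread, where vars.xml sets internal_ssl_enable=true while the profile still loads tls [false], can be detected from the two files themselves. The following is an added example, not part of any post and not FusionPBX or FreeSWITCH code: the function names are hypothetical, and the sample lines in demo() are copied from the excerpts above and treated as the internal profile's parameter dump (an assumption). It also flags the tls-version [tlsv1] value shown in the log, since TLS 1.0 is a deprecated protocol version.

```bash
#!/bin/bash
# Last value mod_sofia logged for a profile parameter ("tls" -> "false").
# Line shape: <date> <time> [DEBUG] sofia.c:<n> <name> [<value>]
sofia_param() (
    awk -v name="$2" '
        $3 == "[DEBUG]" && $4 ~ /^sofia\.c:/ && $5 == name {
            v = $6; gsub(/^\[|\]$/, "", v); last = v
        }
        END { print last }' "$1"
)

# Value a variable is set to in vars.xml ("internal_ssl_enable" -> "true").
vars_value() (
    sed -n "s/.*<X-PRE-PROCESS cmd=\"set\" data=\"$2=\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
)

# check_profile_tls VARS_XML LOG_EXCERPT PROFILE
# LOG_EXCERPT is assumed to hold the parameter dump of that one profile.
check_profile_tls() (
    want=$(vars_value "$1" "${3}_ssl_enable")
    got=$(sofia_param "$2" tls)
    ver=$(sofia_param "$2" tls-version)
    findings=0
    if [ "$want" = "true" ] && [ "$got" != "true" ]; then
        echo "MISMATCH $3: ${3}_ssl_enable=true in vars.xml, profile loaded tls [$got]"
        findings=$((findings + 1))
    fi
    case ",$ver," in
        *,tlsv1,* | *,tlsv1.1,* | *,sslv*)
            echo "WEAK $3: tls-version [$ver] allows a deprecated protocol"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
)

# Demo on lines quoted in this thread, written to temporary files.
demo() (
    tmp=$(mktemp -d)
    cat > "$tmp/vars.xml" <<'EOF'
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true" />
EOF
    cat > "$tmp/sofia.log" <<'EOF'
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls [false]
2020-09-28 08:16:37.054149 [DEBUG] sofia.c:4450 tls-version [tlsv1]
EOF
    rc=0; check_profile_tls "$tmp/vars.xml" "$tmp/sofia.log" internal || rc=$?
    rm -rf "$tmp"; [ "$rc" -eq 0 ]
)
```

Calling demo prints one MISMATCH line and one WEAK line; after the tls setting is enabled in the SIP profile and the profile is restarted, a fresh log excerpt should no longer produce the MISMATCH line.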
 