freeswitch 支持TLS

首先需要安装libssl-dev

然后 在freeswitch服务器上，生成CA证书，freeswitch提供了gentls_cert 帮我们生成证书：

./gentls_cert setup -cn pbx.freeswitch.org -alt DNS：pbx.freeswitch.org -org freeswitch.org

这将freeswitch 根目录下面的certs/CA 目录中创建 CA 证书和密钥，并在 certs 文件夹中创建证书。

下一步就是生成服务器证书：

./gentls_cert create_server -cn pbx.freeswitch.org -alt DNS:pbx.freeswitch.org -org freeswitch.org

在 certs目录下面创建服务器证书。此文件包含证书和私钥。它应包含通用名称和备用名称中的域名。如果需要为其他服务器生成证书，请使用 gentls_cert 的 -out 标志来指定输出证书/密钥文件名

第三步就是配置 Sofia 

conf/vars.xml 

  <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
  <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>

  <!-- Internal SIP Profile -->
  <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
  <X-PRE-PROCESS cmd="set" data="internal_auth_messages=true"/>
  <X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
  <X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/certs"/>

conf/sip_profiles/internal.xml

  <!-- TLS: disabled by default, set to "true" to enable -->
    <param name="tls" value="$${internal_ssl_enable}"/>
    <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
    <param name="tls-only" value="false"/>
    <!-- additional bind parameters for TLS -->
    <param name="tls-bind-params" value="transport=tls"/>
    <!-- Port to listen on for TLS requests. (5061 will be used if unspecified) -->
    <param name="tls-sip-port" value="$${internal_tls_port}"/>
    <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
    <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
    <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
    <param name="tls-passphrase" value=""/>
    <!-- Verify the date on TLS certificates -->
    <param name="tls-verify-date" value="true"/>
    <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
    <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject vali
dation. Multiple policies can be split with a '|' pipe -->
    <param name="tls-verify-policy" value="all"/>
    <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
    <param name="tls-verify-depth" value="2"/>
    <!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
    <param name="tls-verify-in-subjects" value=""/>
    <!-- TLS version default: tlsv1,tlsv1.1,tlsv1.2 -->
    <param name="tls-version" value="$${sip_tls_version}"/>

    <!-- TLS ciphers default: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH  -->
    <param name="tls-ciphers" value="$${sip_tls_ciphers}"/>

最后一步就是客户端的配置了：

生成客户端证书：

 ./gentls_cert create_client -cn client -out client

然后把证书配置到客户端 一定要记得配置到客户端 要不然服务端检查 会不通过的