[Freeswitch-users] Achieving TLS + SRTP for inbound calls

David P davidswalkabout at gmail.com
Thu May 24 16:23:28 UTC 2018


Thanks, Mike, I'll try another distro.

About verto, which I already serve under an AWS free non-exportable cert,
does it need the gentls-generated CA root cert somewhere?

And do I need any more steps to secure the streamed media?

On Thu, 24 May 2018, 9:05 am Michael Jerris, <mike at jerris.com> wrote:

> Try something NOT ubuntu.  Ubuntu disables some required stuff in their
> openssl making it unusable for webrtc at least in some versions.
>
>
> On May 24, 2018, at 1:27 AM, David P <davidswalkabout at gmail.com> wrote:
>
> While waiting for suggestions, I tried more things. In particular, I
> tested whether gentls_cert was present in our FS install (which is at
> /opt/freeswitch/ on ubuntu).
>
> It is present, but the CA root cert step writes to
> {prefix}/etc/freeswitch/tls/CA/ instead of {prefix}/conf/ssl/CA/. In
> particular, the root CA step generates:
>
> etc/freeswitch/tls/
>   cafile.pem
>
> etc/freeswitch/tls/CA/
>   cacert.pem
>   cakey.pem
>   config.tpl
>
> And the server cert step generates:
>
> etc/freeswitch/tls/
>   agent.pem
>
> etc/freeswitch/tls/CA/
>   cacert.srl
>
> Reviewing agent.pem shows it's fine:
> openssl x509 -noout -inform pem -text -in /opt/freeswitch/etc/freeswitch/tls/agent.pem
>
> But it's owned by user root group root, so:
> cd /opt/freeswitch/etc/freeswitch/tls/
> chmod 640 agent.pem CA/cacert.pem
> chown root.freeswitch agent.pem CA/cacert.pem
>
> Then I edited /opt/freeswitch/etc/freeswitch/vars.xml to set
> internal_ssl_enable and external_ssl_enable to true.
>
> Then I restarted FS. I checked the CLI and it shows "WS SETUP FAILED"
> repeatedly. *Any suggestion?*
>
> Blazing ahead...then I exposed the public IP of the FS machine under a
> subdomain of the CA root cert's domain. (I used a wildcard subdomain for
> -org when generating both certs; maybe giving a wildcard this way is
> unnecessary or counterproductive.)
>
> Now, the part that puzzles me: I'm already using a "real CA" cert in order
> to serve my verto client files over https from my DNS name, so browsers
> won't show security warnings. But I bet I need to have the same CA root
> cert installed in FS as I use in the webserver, right? I saw the note that
> commercial certs should work, but *it's not clear what steps to follow to
> install one*.
>
> Cheers,
> David
>
>
> On Tue, May 22, 2018 at 9:50 PM, David P <davidswalkabout at gmail.com> wrote:
>
>> We use conferences to allow a verto user to call and connect with an
>> Asterisk channel. We would like to secure both signalling and media via TLS
>> + SRTP, and I've read
>> https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS a few times
>> to understand how to do this. Note that that page has a broken link:
>> https://wiki.freeswitch.org/wiki/Secure_RTP
>>
>> First, is it still true that FS doesn't offer prebuilt installs (for
>> Ubuntu) to support this kind of security?
>>
>> Assuming that it must be compiled, I began to follow
>> https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie
>> with the additional first step of:  apt-get install libssl-dev
>>
>> I soon ran into "Unable to locate package freeswitch-video-deps-most".
>>
>> What should I try next?
>>
>> Cheers,
>> David
>>
>
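The file layout, ownership fixes and vars.xml edits David walks through in the quoted message lend themselves to a short verification script. This is an added example, not code from the thread or from the FreeSWITCH project: the paths are the ones from the post, while FS_HOST, the `data="internal_ssl_enable=true"` form of the vars.xml lines, and the use of GNU stat plus the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or FreeSWITCH: sanity checks for the TLS
# layout David describes. Paths default to those in the post; FS_HOST and the
# vars.xml line format are assumptions. Needs GNU stat and the openssl CLI.
FS_TLS="${FS_TLS:-/opt/freeswitch/etc/freeswitch/tls}"
FS_VARS="${FS_VARS:-/opt/freeswitch/etc/freeswitch/vars.xml}"

# Key material must not be world-accessible or group-writable, and must be
# owned by the group FreeSWITCH runs as: 640/600 pass, 644/660/664 fail.
check_perms() { # $1 = file, $2 = expected group name
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "$1: missing" >&2; return 1; }
    grp=$(stat -c '%G' "$1")
    case "$mode" in
        *[04]0) ;;
        *) echo "$1: mode $mode is too permissive" >&2; return 1 ;;
    esac
    [ "$grp" = "$2" ] || { echo "$1: group $grp, expected $2" >&2; return 1; }
}

# agent.pem must chain to CA/cacert.pem, name the host the verto clients
# connect to, and not expire within the next 30 days.
check_cert() { # $1 = host name the verto clients dial
    openssl verify -CAfile "$FS_TLS/CA/cacert.pem" "$FS_TLS/agent.pem" >/dev/null || return 1
    openssl x509 -noout -checkhost "$1" -in "$FS_TLS/agent.pem" | grep -q 'does match' || return 1
    openssl x509 -noout -checkend 2592000 -in "$FS_TLS/agent.pem" >/dev/null
}

# Returns 0 only if vars.xml sets the named variable (internal_ssl_enable or
# external_ssl_enable) to true via an X-PRE-PROCESS line.
ssl_enabled() { # $1 = vars.xml path, $2 = variable name
    grep -q "data=\"$2=true\"" "$1"
}

main() {
    rc=0
    for f in agent.pem CA/cacert.pem; do
        check_perms "$FS_TLS/$f" freeswitch || rc=1
    done
    # the CA private key only ever signs; it can stay root-only
    check_perms "$FS_TLS/CA/cakey.pem" root || rc=1
    check_cert "${FS_HOST:?set FS_HOST to the host name clients dial}" || rc=1
    for v in internal_ssl_enable external_ssl_enable; do
        ssl_enabled "$FS_VARS" "$v" || { echo "$v is not true in $FS_VARS" >&2; rc=1; }
    done
    return $rc
}

# Run the checks only when asked: FS_HOST=fs.example.org sh fs-tls-check.sh run
if [ "${1:-}" = run ]; then main; fi
```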