[Freeswitch-users] Achieving TLS + SRTP for inbound calls

Michael Jerris mike at jerris.com
Thu May 24 16:32:32 UTC 2018


We will gen what's needed for DTLS-SRTP automatically; you need to provide the cert for WSS (same as what you need for TLS, as WSS is just TLS-secured WS). It does require the cert and chain. More info:

https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates

Mike


> On May 24, 2018, at 12:23 PM, David P <davidswalkabout at gmail.com> wrote:
> 
> Thanks, Mike, I'll try another distro.
> 
> About verto, which I already serve under an AWS free non-exportable cert, does it need the gentls-generated CA root cert somewhere?
> 
> And do I need any more steps to secure the streamed media?
> 
> On Thu, 24 May 2018, 9:05 am Michael Jerris, <mike at jerris.com> wrote:
> Try something NOT ubuntu.  Ubuntu disables some required stuff in their openssl making it unusable for webrtc at least in some versions.
> 
> 
>> On May 24, 2018, at 1:27 AM, David P <davidswalkabout at gmail.com> wrote:
>> 
>> While waiting for suggestions, I tried more things. In particular, I tested whether gentls_cert was present in our FS install (which is at /opt/freeswitch/ on Ubuntu).
>> 
>> It is present, but the CA root cert step writes to {prefix}/etc/freeswitch/tls/CA/ instead of {prefix}/conf/ssl/CA/. In particular, the root CA step generates:
>> 
>> etc/freeswitch/tls/
>>   cafile.pem
>> 
>> etc/freeswitch/tls/CA/
>>   cacert.pem
>>   cakey.pem
>>   config.tpl
>> 
>> And the server cert step generates:
>> 
>> etc/freeswitch/tls/
>>   agent.pem
>> 
>> etc/freeswitch/tls/CA/
>>   cacert.srl
>> 
>> Reviewing agent.pem shows it's fine:
>> openssl x509 -noout -inform pem -text -in /opt/freeswitch/etc/freeswitch/tls/agent.pem
>> 
>> But it's owned by user root group root, so:
>> cd /opt/freeswitch/etc/freeswitch/tls/
>> chmod 640 agent.pem CA/cacert.pem
>> chown root.freeswitch agent.pem CA/cacert.pem
>> 
>> Then I edited /opt/freeswitch/etc/freeswitch/vars.xml to set internal_ssl_enable and external_ssl_enable to true.
>> 
>> Then I restarted FS. I checked the CLI and it shows "WS SETUP FAILED" repeatedly. *Any suggestion?*
>> 
>> Blazing ahead...then I exposed the public IP of the FS machine under a subdomain of the CA root cert's domain. (I used a wildcard subdomain for -org when generating both certs; maybe giving a wildcard this way is unnecessary or counterproductive.)
>> 
>> Now, the part that puzzles me: I'm already using a "real CA" cert in order to serve my verto client files over https from my DNS name, so browsers won't show security warnings. But I bet I need to have the same CA root cert installed in FS as I use in the webserver, right? I saw the note that commercial certs should work, but *it's not clear what steps to follow to install one*.
>> 
>> Cheers,
>> David
>> 
>> 
>> On Tue, May 22, 2018 at 9:50 PM, David P <davidswalkabout at gmail.com> wrote:
>> We use conferences to allow a verto user to call and connect with an Asterisk channel. We would like to secure both signalling and media via TLS + SRTP, and I've read https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS a few times to understand how to do this. Note that that page has a broken link: https://wiki.freeswitch.org/wiki/Secure_RTP
>> 
>> First, is it still true that FS doesn't offer prebuilt installs (for Ubuntu) to support this kind of security?
>> 
>> Assuming that it must be compiled, I began to follow https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie with the additional first step of:  apt-get install libssl-dev
>> 
>> I soon ran into "Unable to locate package freeswitch-video-deps-most".
>> 
>> What should I try next?
>> 
>> Cheers,
>> David
> 
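Mike's point that the WSS/TLS bundle must carry the cert and the chain, together with David's chmod/chown step, suggests a quick pre-flight check before restarting FreeSWITCH. The script below is an added example, not FreeSWITCH code or anything from the thread: it assumes the bundle is one concatenated PEM file (the `agent.pem` / `wss.pem` convention is an assumption here), and it only parses PEM block markers and the file mode, so it cannot validate signatures or key/cert pairing.

```python
"""Pre-flight check for a concatenated FreeSWITCH TLS bundle (added example).

Assumptions (not from the thread): the bundle holds the server certificate,
its private key and the intermediate chain as concatenated PEM blocks, and
must not be world-readable (the chmod 640 step above).
"""
import os
import re
import stat

# Matches one PEM block and captures its label ("CERTIFICATE", "RSA PRIVATE KEY", ...)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def inspect_bundle(pem_text):
    """Count certificate and private-key blocks; return label order too."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    certs = sum(1 for lbl in labels if lbl == "CERTIFICATE")
    keys = sum(1 for lbl in labels if lbl.endswith("PRIVATE KEY"))
    return {"certs": certs, "keys": keys, "order": labels}


def bundle_problems(pem_text, mode=None):
    """Return a list of problems; empty list means the bundle looks complete.

    mode is the st_mode of the file, if known, for the world-readable check.
    """
    info = inspect_bundle(pem_text)
    problems = []
    if info["keys"] != 1:
        problems.append("expected exactly one private key, found %d" % info["keys"])
    if info["certs"] == 0:
        problems.append("no certificate block")
    elif info["certs"] == 1:
        # Leaf only: browsers doing WSS/DTLS need the intermediates too
        problems.append("only the leaf certificate; intermediate chain missing")
    if mode is not None and mode & stat.S_IROTH:
        problems.append("file is world-readable; private key exposed")
    return problems


def check_bundle_file(path):
    """Run bundle_problems() on a real file, including its permission bits."""
    with open(path) as fh:
        return bundle_problems(fh.read(), os.stat(path).st_mode)


# Constructed sample: leaf cert + key only, i.e. the chain was forgotten.
SAMPLE_LEAF_ONLY = (
    "-----BEGIN CERTIFICATE-----\nMIIBxxxx\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIExxxx\n-----END PRIVATE KEY-----\n"
)
```

Run `check_bundle_file("/opt/freeswitch/etc/freeswitch/tls/agent.pem")` (path from the thread) after assembling the bundle; an empty list is the goal before flipping `internal_ssl_enable`.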