[Freeswitch-users] Achieving TLS + SRTP for inbound calls

David P davidswalkabout at gmail.com
Sun May 27 08:39:09 UTC 2018


I've tried working through the page you provided, but I've encountered some
loose ends. First, in order to use a CA cert, I installed certbot alongside
Apache on Ubuntu 16.04. This is an AWS EC2, so I don't have many options on
which distro I can use. You recommended against Ubuntu; would you elaborate
why?

This Apache is on the same machine as FS. I no longer serve verto files
from Apache (they're now in S3/CloudFront), but I suspect Apache may still
be needed to serve the cert for wss. But FS can probably do that itself.
Anyway, https://www.ssllabs.com/ssltest/analyze.html?d=my.domain.com shows
the cert is reachable and valid. On disk, they're at:
/etc/letsencrypt/live/my.domain.com/fullchain.pem
/etc/letsencrypt/live/my.domain.com/privkey.pem

Do these need to be renamed for FS to find them?

https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates
says I should edit sip_profiles/internal.xml so that
<param name="tls-cert-dir" value="(path to certs)"/>
<param name="wss-binding" value=":7443"/>

Should (path to certs) be replaced with /etc/letsencrypt/live/my.domain.com/ ?

Even though I haven't finished the config above, this test suggests
something is working:

sudo /opt/freeswitch/bin/fs_cli -x 'sofia status profile internal' | grep WSS-BIND-URL
WSS-BIND-URL            sips:mod_sofia@(private EC2 IP):7443;transport=wss

Later steps say to create a wss.pem under /usr/local/freeswitch/certs/wss.pem,
but there is no certs/ after FS install; am I supposed to mkdir it?

Later steps also say to create conf/autoload_configs/verto.conf.xml, but
there is no conf/. Should I mkdir it?

David

On Thu, May 24, 2018 at 9:32 AM, Michael Jerris <mike at jerris.com> wrote:

> we will gen what's needed for dtls srtp automatically, you need to provide
> the cert for wss (same as what you need for tls, as wss is just tls secured
> ws). It does require the cert and chain. More info:
>
> https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates
>
> Mike
>
>
> On May 24, 2018, at 12:23 PM, David P <davidswalkabout at gmail.com> wrote:
>
> Thanks, Mike, I'll try another distro.
>
> About verto, which I already serve under an AWS free non-exportable cert,
> does it need the gentls-generated CA root cert somewhere?
>
> And do I need any more steps to secure the streamed media?
>
>
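For the wss.pem question in David's message above, an added example (not code from this thread or from the FreeSWITCH project) showing how the two certbot files he lists could be assembled into one wss.pem with the private key kept unreadable by other local users, and checked before FreeSWITCH is pointed at it. It assumes wss.pem is the certificate, its chain and the private key concatenated in that order; the function names are mine and the paths are the ones from the thread.

```shell
# Assumption: FreeSWITCH's wss.pem is the server certificate, its chain and
# the private key concatenated into one PEM file; certbot writes the first
# two as fullchain.pem and the key as privkey.pem.

# build_wss_pem FULLCHAIN PRIVKEY OUT
# Writes OUT with mode 0600 from the moment it is created, so the private
# key is never readable by other local users, even briefly.
build_wss_pem() {
    fullchain=$1; privkey=$2; out=$3
    [ -r "$fullchain" ] || { echo "cannot read $fullchain" >&2; return 1; }
    [ -r "$privkey" ]   || { echo "cannot read $privkey" >&2; return 1; }
    mkdir -p "$(dirname "$out")" || return 1
    # umask inside a subshell: a plain 'cat > file' would create the file
    # 0644 and expose the key until a later chmod ran. Remove any existing
    # copy first so a stale world-readable file is not reused.
    ( umask 077 && rm -f "$out" && cat "$fullchain" "$privkey" > "$out" ) || return 1
    chmod 600 "$out"
}

# check_wss_pem FILE
# Succeeds only when FILE holds at least one certificate, exactly one
# private key, and is not group- or world-readable; reports each problem.
check_wss_pem() {
    f=$1; ok=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f") || certs=0
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f") || keys=0
    # GNU stat first, BSD/macOS stat as fallback; both print e.g. 600
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$certs" -ge 1 ] || { echo "$f: no certificate found" >&2; ok=1; }
    [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys" >&2; ok=1; }
    case "$mode" in
        *00) ;;  # 600, 400, 700: group and others have no access
        *) echo "$f: mode $mode lets other users read the key" >&2; ok=1 ;;
    esac
    return $ok
}

# Typical use with the paths from the thread (certs/ is created if missing):
#   build_wss_pem /etc/letsencrypt/live/my.domain.com/fullchain.pem \
#                 /etc/letsencrypt/live/my.domain.com/privkey.pem \
#                 /usr/local/freeswitch/certs/wss.pem \
#   && check_wss_pem /usr/local/freeswitch/certs/wss.pem
```

Because certbot rotates privkey.pem on renewal, the build step has to be rerun (for example from a certbot deploy hook) or FreeSWITCH keeps serving the old key.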