[Freeswitch-users] Achieving TLS + SRTP for inbound calls
gmaruzz at gmail.com
Sun May 27 16:25:08 UTC 2018
Use Debian 8 Jessie 64-bit minimal server install.
On Sun, May 27, 2018, 10:57 David P <davidswalkabout at gmail.com> wrote:
> I've tried working through the page you provided, but I've encountered
> some loose ends. First, in order to use a CA cert, I installed certbot
> alongside Apache on Ubuntu 16.04. This is an AWS EC2, so I don't have many
> options on which distro I can use. You recommended against Ubuntu; would
> you elaborate why?
> This Apache is on the same machine as FS. I no longer serve verto files
> from Apache (they're now in S3/CloudFront), but I suspect Apache may still
> be needed to serve the cert for wss. But FS can probably do that itself.
> Anyway, https://www.ssllabs.com/ssltest/analyze.html?d=my.domain.com
> shows the cert is reachable and valid. On disk, they're at:
> Do these need to be renamed for FS to find them?
> says I should edit sip_profiles/internal.xml
> so that
> <param name="tls-cert-dir" value="(path to certs)"/>
> <param name="wss-binding" value=":7443"/>
> Should (path to certs) be replaced with /etc/letsencrypt/live/
> my.domain.com/ ?
> Even though I haven't finished the config above, this test suggests
> something is working:
> sudo /opt/freeswitch/bin/fs_cli -x 'sofia status profile internal' | grep
> WSS-BIND-URL sips:mod_sofia@(private EC2 IP):7443;transport=wss
> Later steps say to create a wss.pem
> under /usr/local/freeswitch/certs/wss.pem but there is no certs/ after FS
> install; am I supposed to mkdir it?
> Later steps also say to create conf/autoload_configs/verto.conf.xml but
> there is no conf/. Should I mkdir it?
> On Thu, May 24, 2018 at 9:32 AM, Michael Jerris <mike at jerris.com> wrote:
>> We will gen what's needed for dtls srtp automatically; you need to provide
>> the cert for wss (same as what you need for tls, as wss is just tls secured
>> ws). It does require the cert and chain. More info:
>> On May 24, 2018, at 12:23 PM, David P <davidswalkabout at gmail.com> wrote:
>> Thanks, Mike, I'll try another distro.
>> About verto, which I already serve under an AWS free non-exportable cert,
>> does it need the gentls-generated CA root cert somewhere?
>> And do I need any more steps to secure the streamed media?
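Added example (not part of the thread, and not FreeSWITCH project code): one way to assemble the wss.pem discussed above from a certbot live directory, so that it carries the cert and chain plus the private key and is never world-readable. The function name build_wss_pem, the leaf/key/chain ordering inside the file, and the certbot file names cert.pem, privkey.pem and chain.pem are assumptions; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example. Assumed wss.pem layout: leaf certificate, private key,
# then the CA chain, concatenated into one PEM file.
#
# Usage (paths as quoted in the thread):
#   build_wss_pem /etc/letsencrypt/live/my.domain.com /usr/local/freeswitch/certs
#
# build_wss_pem LIVE_DIR CERTS_DIR
#   LIVE_DIR   certbot directory holding cert.pem, privkey.pem, chain.pem
#   CERTS_DIR  directory named in tls-cert-dir (created if it does not exist)
build_wss_pem() {
    live_dir=$1
    certs_dir=$2

    # Refuse to build a partial bundle: all three inputs must be non-empty.
    for f in cert.pem privkey.pem chain.pem; do
        if [ ! -s "$live_dir/$f" ]; then
            echo "missing or empty: $live_dir/$f" >&2
            return 1
        fi
    done

    (   # subshell so the umask change does not leak into the caller
        umask 077   # the bundle holds the private key: owner-only from creation
        mkdir -p "$certs_dir" || exit 1
        tmp=$(mktemp "$certs_dir/wss.pem.XXXXXX") || exit 1
        cat "$live_dir/cert.pem" "$live_dir/privkey.pem" \
            "$live_dir/chain.pem" > "$tmp" || { rm -f "$tmp"; exit 1; }

        # Structural check: leaf + at least one chain cert, exactly one key.
        certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$tmp" || true)
        keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$tmp" || true)
        if [ "$certs" -lt 2 ] || [ "$keys" -ne 1 ]; then
            echo "unexpected bundle: $certs certificate(s), $keys key(s)" >&2
            rm -f "$tmp"
            exit 1
        fi

        # Rename within the same directory so a reader never sees a half file.
        mv "$tmp" "$certs_dir/wss.pem"
    )
}
```

The file ends up owned by whoever runs the function, so run it as (or chown the result to) the account the FreeSWITCH service uses, and rerun it after each certificate renewal.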