[Freeswitch-users] Achieving TLS + SRTP for inbound calls

David P davidswalkabout at gmail.com
Wed May 30 23:33:22 UTC 2018


Hi Joel and Branden,

I have three goals:
1) To have an FS install that secures all WebRTC and SIP traffic to it
2) An install that doesn't require WebRTC users to manually fetch the
certificate
3) An install that uses only production-ready software

For goal 1, Mike and Giovanni have said a Debian Jessie minimal is the best
or only choice.

For goal 2, I'm avoiding gentls_cert and its self-signed certs. As a first
attempt, I'm trying to get a free CA cert from LetsEncrypt via certbot.
Unfortunately, doing this on Debian Jessie requires that I use backports
that are described as "as-is", so I'm sacrificing goal 3 for the time being.

In order to inform FS where it can find the private key, cert, and chain, I
was planning to introduce soft links to the files that certbot put
under /etc/letsencrypt/live/my.domain.com/

I'm ready to do that, except that sip_profiles/internal.xml isn't where it
normally would be, because I followed
https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie#highlighter_549778
and created /etc/freeswitch/ without knowing why I should do that. So
/usr/local/freeswitch/ does not exist, unfortunately. Also, echo
${prefix} is blank. So, I did a find from slash for internal.xml and found
four matches:

/usr/share/freeswitch/conf/insideout/sip_profiles/internal.xml
/usr/share/freeswitch/conf/sbc/sbc_profiles/internal.xml
/usr/share/freeswitch/conf/vanilla/sip_profiles/internal.xml
/usr/share/freeswitch/conf/vanilla/skinny_profiles/internal.xml

Which of these should I edit?

Also, is it necessary to concatenate my private key, cert, and chain into a
"wss.pem", as suggested at
https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#highlighter_647427 ?

Cheers,
David

On Tue, May 29, 2018 at 12:34 PM, Joel Serrano <joel at textplus.com> wrote:

> Hi David,
>
> So it all depends... Those docs are just introductions to get a setup "up
> and running". For example, in the docs you generate self-signed
> certificates that (although perfectly valid) can give you issues with
> browsers because their CA is not trusted, etc. Regarding expiration, it all
> depends, as this is something you choose.
>
> Going down to your specific problems:
>
> 1- ..${prefix}.. is just a variable, that will be replaced with a value,
> normally /usr/local/freeswitch, but can be anything (depending on where you
> installed FS).
> 2- When it comes to the "path" that you specify in the config for the
> certificates, it can also be anything, the important part is that you make
> sure that the user you run FS with has access to reading those files. If
> you don't like using ${prefix} you can directly set /path/to/your/certs,
> just remember to double-check the permissions.
> 3- When you renew your certificate, you will have to make FS aware of
> that, I'd have to check but I'm pretty sure that after updating the files a
> sofia profile rescan should be enough.
>
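A small deploy script for the renewal step Joel describes (rebuild the bundle, fix permissions, rescan the profile), added here as an example; it is not from David, Joel or the FreeSWITCH project. It assumes certbot's usual file names (privkey.pem, cert.pem, chain.pem) under the live directory and that fs_cli is on PATH; the PEM files it creates in a temp dir are constructed stand-ins so the script runs without a real certificate.

```shell
#!/bin/sh
# Added example (not from the thread): build one wss.pem from the
# Let's Encrypt files and hand the new bundle to a running FreeSWITCH.
# Assumptions: certbot's file names privkey.pem, cert.pem, chain.pem and
# fs_cli on PATH; in production point LIVE at /etc/letsencrypt/live/<domain>.
set -eu

# Concatenate key, cert and chain (in that order) into a single PEM bundle.
# Usage: build_wss_pem <live_dir> <out_file>
build_wss_pem() {
    live="$1"; out="$2"
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$live/$f" ] || { echo "missing or unreadable: $live/$f" >&2; return 1; }
    done
    # Subshell so the restrictive umask does not leak into the caller;
    # the bundle contains the private key, so it must not be world-readable.
    ( umask 077; cat "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" > "$out" )
    chmod 600 "$out"
}

# Count PEM blocks in a bundle; a complete wss.pem has at least 3
# (key, cert, one or more chain certs).
pem_block_count() {
    grep -c '^-----BEGIN ' "$1"
}

# Ask FreeSWITCH to re-read the profile's TLS files. A no-op when fs_cli is
# absent so the script can be dry-run on a machine without FreeSWITCH.
reload_profile() {
    if command -v fs_cli >/dev/null 2>&1; then
        fs_cli -x "sofia profile $1 rescan"
    fi
}

# --- constructed demo input: placeholder PEM files in a temp dir -------
demo=$(mktemp -d)
for f in privkey.pem cert.pem chain.pem; do
    printf -- '-----BEGIN %s-----\nDEMO\n-----END %s-----\n' "$f" "$f" > "$demo/$f"
done
build_wss_pem "$demo" "$demo/wss.pem"
echo "wss.pem holds $(pem_block_count "$demo/wss.pem") PEM blocks"
reload_profile internal
```

With LIVE and the output path set to the real locations, the same script can run as a certbot `--deploy-hook` so every renewal rebuilds the bundle and rescans the profile.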