<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">We will generate what's needed for DTLS-SRTP automatically; you need to provide the cert for WSS (same as what you need for TLS, as WSS is just TLS-secured WS). It does require the cert and chain. More info:<div class=""><br class=""></div><div class=""><a href="https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates" class="">https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates</a></div><div class=""><br class=""></div><div class="">Mike</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On May 24, 2018, at 12:23 PM, David P <<a href="mailto:davidswalkabout@gmail.com" class="">davidswalkabout@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="auto" class="">Thanks, Mike, I'll try another distro.<div dir="auto" class=""><br class=""></div><div dir="auto" class="">About verto, which I already serve under an AWS free non-exportable cert, does it need the gentls-generated CA root cert somewhere?</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">And do I need any more steps to secure the streamed media?</div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="">On Thu, 24 May 2018, 9:05 am Michael Jerris, <<a href="mailto:mike@jerris.com" class="">mike@jerris.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class="">Try something NOT Ubuntu. 
Ubuntu disables some required stuff in their OpenSSL, making it unusable for WebRTC, at least in some versions.<div class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On May 24, 2018, at 1:27 AM, David P <<a href="mailto:davidswalkabout@gmail.com" target="_blank" rel="noreferrer" class="">davidswalkabout@gmail.com</a>> wrote:</div><br class="m_-5315939520810948570Apple-interchange-newline"><div class=""><div dir="ltr" class="">While waiting for suggestions, I tried more things. In particular, I tested whether gentls_cert was present in our FS install (which is at /opt/freeswitch/ on Ubuntu).<div class=""><br class=""></div><div class="">It is present, but the CA root cert step writes to {prefix}/etc/freeswitch/tls/CA/ instead of {prefix}/conf/ssl/CA/. In particular, the root CA step generates:</div><div class=""><br class=""></div><div class="">etc/freeswitch/tls/<br class=""></div><div class=""> cafile.pem</div><div class=""><br class=""></div><div class="">etc/freeswitch/tls/CA/<br class=""></div><div class=""> cacert.pem</div><div class=""> cakey.pem</div><div class=""> config.tpl</div><div class=""><br class=""></div><div class="">And the server cert step generates:</div><div class="">
<div class="">etc/freeswitch/tls/<br class=""></div><div class=""> agent.pem</div><div class=""><br class=""></div><div class="">etc/freeswitch/tls/CA/<br class=""></div><div class=""> cacert.srl<br class=""></div><div class=""><br class=""></div><div class="">Reviewing agent.pem shows it's fine:</div><div class="">openssl x509 -noout -inform pem -text -in /opt/freeswitch/etc/freeswitch/tls/agent.pem<br class=""></div><div class=""><br class=""></div><div class="">But it's owned by user root, group root, so:</div><div class="">cd /opt/freeswitch/etc/freeswitch/tls/<br class=""></div><div class="">chmod 640 agent.pem CA/cacert.pem<br class=""></div><div class="">chown root:freeswitch agent.pem CA/cacert.pem<br class=""></div><div class=""><br class=""></div><div class="">Then I edited /opt/freeswitch/etc/freeswitch/vars.xml to set internal_ssl_enable and external_ssl_enable to true.</div><div class=""><br class=""></div><div class="">Then I restarted FS. I checked the CLI and it shows "WS SETUP FAILED" repeatedly. *Any suggestion?*</div><div class=""><br class=""></div><div class="">Blazing ahead... then I exposed the public IP of the FS machine under a subdomain of the CA root cert's domain. (I used a wildcard subdomain for -org when generating both certs; maybe giving a wildcard this way is unnecessary or counterproductive.)</div><div class=""><br class=""></div><div class="">Now, the part that puzzles me: I'm already using a "real CA" cert in order to serve my verto client files over https from my DNS name, so browsers won't show security warnings. But I bet I need to have the same CA root cert installed in FS as I use in the webserver, right? I saw the note that commercial certs should work, but *it's not clear what steps to follow to install one*.</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">David</div>
<br class=""></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, May 22, 2018 at 9:50 PM, David P <span dir="ltr" class=""><<a href="mailto:davidswalkabout@gmail.com" target="_blank" rel="noreferrer" class="">davidswalkabout@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" class="">We use conferences to allow a verto user to call and connect with an Asterisk channel. We would like to secure both signalling and media via TLS + SRTP, and I've read <a href="https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS" target="_blank" rel="noreferrer" class="">https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS</a> a few times to understand how to do this. Note that that page has a broken link: <a href="https://wiki.freeswitch.org/wiki/Secure_RTP" target="_blank" rel="noreferrer" class="">https://wiki.freeswitch.org/wiki/Secure_RTP</a><br class=""><br class="">First, is it still true that FS doesn't offer prebuilt installs (for Ubuntu) to support this kind of security?<br class=""><br class="">Assuming that it must be compiled, I began to follow <a href="https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie" target="_blank" rel="noreferrer" class="">https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie</a> with the additional first step of: apt-get install libssl-dev<div class=""><br class=""></div><div class="">I soon ran into "Unable to locate package freeswitch-video-deps-most".<br class=""></div><div class=""><br class=""></div><div class="">What should I try next?</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">David</div></div>
</blockquote></div></div></div></div></blockquote></div></div></div><br class=""></blockquote></div></div></blockquote></div></div></body></html>
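Added example, not part of the thread and not FreeSWITCH project code: a POSIX shell helper that assembles the single PEM file Mike's reply describes for the WSS listener (the "real CA" certificate, its private key, and the chain) and checks that the pieces belong together before anything is written. Everything about FreeSWITCH paths here is an assumption: the /opt/freeswitch/etc/freeswitch/tls/ directory and the freeswitch group follow the chown in the thread, the wss.pem file name follows the linked WebRTC page, and the order leaf cert, key, chain inside the file is assumed.

```shell
#!/bin/sh
# Added example; not FreeSWITCH project code. Builds and sanity-checks the
# combined PEM that the WSS listener reads. Assumptions: the file name wss.pem
# and the tls/ directory come from the thread and the linked wiki page; the
# order leaf cert, private key, chain is assumed.
set -eu

# The private key must belong to the leaf certificate: compare the public
# keys (SubjectPublicKeyInfo) derived from each side.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# The chain (intermediates plus root) must verify the leaf, or browsers will
# reject the WSS handshake exactly as they would for https.
chain_verifies_cert() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# build_wss_pem LEAF KEY CHAIN OUT
# Writes OUT = LEAF + KEY + CHAIN with 0640 permissions, and writes nothing
# at all if the pieces do not belong together.
build_wss_pem() {
    leaf=$1; key=$2; chain=$3; out=$4
    key_matches_cert "$leaf" "$key" || { echo "key does not match $leaf" >&2; return 1; }
    chain_verifies_cert "$leaf" "$chain" || { echo "$chain does not verify $leaf" >&2; return 1; }
    # umask inside a subshell so the restrictive default does not leak out
    ( umask 077 && cat "$leaf" "$key" "$chain" > "$out" )
    chmod 0640 "$out"
    # Both the certificate and the key must still parse out of the bundle.
    openssl x509 -in "$out" -noout && openssl pkey -in "$out" -noout
}

# Usage (paths and group are assumptions taken from the thread):
#   build_wss_pem leaf.crt privkey.pem chain.crt /opt/freeswitch/etc/freeswitch/tls/wss.pem
#   chown root:freeswitch /opt/freeswitch/etc/freeswitch/tls/wss.pem
```

The two checks before the write are the ones that catch the usual mistakes behind a failing WSS handshake: a key from a different certificate, or a chain file that is missing an intermediate. FreeSWITCH still needs read access as the freeswitch user, hence the 0640 mode and the root:freeswitch ownership from the thread rather than world-readable permissions on a file that contains a private key.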