[Freeswitch-users] Achieving TLS + SRTP for inbound calls

Michael Jerris mike at jerris.com
Thu May 24 15:29:23 UTC 2018


Try something NOT ubuntu.  Ubuntu disables some required stuff in their openssl making it unusable for webrtc at least in some versions.


> On May 24, 2018, at 1:27 AM, David P <davidswalkabout at gmail.com> wrote:
> 
> While waiting for suggestions, I tried more things. In particular, I tested whether gentls_cert was present in our FS install (which is at /opt/freeswitch/ on ubuntu).
> 
> It is present, but the CA root cert step writes to {prefix}/etc/freeswitch/tls/CA/ instead of {prefix}/conf/ssl/CA/. In particular, the root CA step generates:
> 
> etc/freeswitch/tls/
>   cafile.pem
> 
> etc/freeswitch/tls/CA/
>   cacert.pem
>   cakey.pem
>   config.tpl
> 
> And the server cert step generates:
> 
> etc/freeswitch/tls/
>   agent.pem
> 
> etc/freeswitch/tls/CA/
>   cacert.srl
> 
> Reviewing agent.pem shows it's fine:
> openssl x509 -noout -inform pem -text -in /opt/freeswitch/etc/freeswitch/tls/agent.pem
> 
> But it's owned by user root group root, so:
> cd /opt/freeswitch/etc/freeswitch/tls/
> chmod 640 agent.pem CA/cacert.pem
> chown root.freeswitch agent.pem CA/cacert.pem
> 
> Then I edited /opt/freeswitch/etc/freeswitch/vars.xml to set internal_ssl_enable and external_ssl_enable to true.
> 
> Then I restarted FS. I checked the CLI and it shows "WS SETUP FAILED" repeatedly. *Any suggestion?*
> 
> Blazing ahead...then I exposed the public IP of the FS machine under a subdomain of the CA root cert's domain. (I used a wildcard subdomain for -org when generating both certs; maybe giving a wildcard this way is unnecessary or counterproductive.)
> 
> Now, the part that puzzles me: I'm already using a "real CA" cert in order to serve my verto client files over https from my DNS name, so browsers won't show security warnings. But I bet I need to have the same CA root cert installed in FS as I use in the webserver, right? I saw the note that commercial certs should work, but *it's not clear what steps to follow to install one*.
> 
> Cheers,
> David
> 
> 
> On Tue, May 22, 2018 at 9:50 PM, David P <davidswalkabout at gmail.com> wrote:
> We use conferences to allow a verto user to call and connect with an Asterisk channel. We would like to secure both signalling and media via TLS + SRTP, and I've read https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS a few times to understand how to do this. Note that that page has a broken link: https://wiki.freeswitch.org/wiki/Secure_RTP
> 
> First, is it still true that FS doesn't offer prebuilt installs (for Ubuntu) to support this kind of security?
> 
> Assuming that it must be compiled, I began to follow https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie with the additional first step of: apt-get install libssl-dev
> 
> I soon ran into "Unable to locate package freeswitch-video-deps-most".
> 
> What should I try next?
> 
> Cheers,
> David
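The permission and file-layout checks David works through by hand above (root-owned files in etc/freeswitch/tls/, mode 640 with group freeswitch, agent.pem holding the server certificate plus its private key) are easy to script so they can be re-run after every restart or certificate renewal. The following is an added example and is not code from the thread or from the FreeSWITCH project; the function names `check_tls_file`, `pem_block_types_from_text` and `demo` are hypothetical, the PEM content is a constructed placeholder rather than a real certificate, and the expectation that agent.pem carries both a CERTIFICATE and a PRIVATE KEY block is an assumption drawn from David's description of what gentls_cert produces.

```python
import os
import re
import stat
import grp
import pwd
import tempfile

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
# re.S lets ".*?" span the base64 lines in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed placeholder PEM text for the demo; not a real certificate or key.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "PLACEHOLDERCERTBODY==\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "PLACEHOLDERKEYBODY==\n"
              "-----END RSA PRIVATE KEY-----\n")


def pem_block_types_from_text(data):
    """Return the labels of the PEM blocks in `data`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(data)]


def check_tls_file(path, expected_group=None, expect_private_key=False):
    """Return a list of problems for a FreeSWITCH TLS file (empty list = OK).

    Checks the 640 / root:<group> model from the thread: nothing for
    'other', no group write, group read present, the right group, readable
    by the user running the check, and the expected PEM blocks present.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file: %s" % path]

    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        problems.append("world-accessible (mode %o); expected 640" % mode)
    if mode & stat.S_IWGRP:
        problems.append("group-writable (mode %o); expected 640" % mode)
    if not mode & stat.S_IRGRP:
        problems.append("group cannot read (mode %o); with root-owned files "
                        "the freeswitch user reads via the group" % mode)

    if expected_group is not None:
        try:
            actual = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            actual = str(st.st_gid)
        if actual != expected_group:
            problems.append("group is %s, expected %s" % (actual, expected_group))

    if not os.access(path, os.R_OK):
        user = pwd.getpwuid(os.getuid()).pw_name
        problems.append("not readable by the current user (%s)" % user)
        return problems  # cannot inspect the contents

    with open(path, "r", encoding="ascii", errors="replace") as f:
        types = pem_block_types_from_text(f.read())
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block found")
    if expect_private_key and not any("PRIVATE KEY" in t for t in types):
        problems.append("no PRIVATE KEY block found (agent.pem should hold "
                        "certificate and key)")
    return problems


def demo():
    """Build constructed sample files in a temp dir and run the checks.

    Returns a dict of problem lists keyed by scenario. In production you
    would pass expected_group="freeswitch"; here the group is taken from
    the created file so the demo runs on any host.
    """
    d = tempfile.mkdtemp()
    results = {}

    def write(name, content, mode):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(content)
        os.chmod(p, mode)
        return p

    good = write("agent.pem", SAMPLE_CERT + SAMPLE_KEY, 0o640)
    try:
        group = grp.getgrgid(os.stat(good).st_gid).gr_name
    except KeyError:
        group = None  # no group entry (e.g. minimal container): skip that check
    results["good"] = check_tls_file(good, group, expect_private_key=True)

    loose = write("loose.pem", SAMPLE_CERT + SAMPLE_KEY, 0o644)
    results["world_readable"] = check_tls_file(loose, group, expect_private_key=True)

    certonly = write("cacert.pem", SAMPLE_CERT, 0o640)
    results["cert_only"] = check_tls_file(certonly, group, expect_private_key=True)
    return results


if __name__ == "__main__":
    for name, probs in demo().items():
        print(name, "->", probs or "OK")
```

Run it as the freeswitch user (or via sudo -u freeswitch) against /opt/freeswitch/etc/freeswitch/tls/agent.pem and CA/cacert.pem to confirm the daemon can actually read the files; the `openssl x509 -text` inspection from the thread remains the right tool for checking the subject, SAN and validity dates, which this script deliberately does not parse.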
