[Freeswitch-users] Achieving TLS + SRTP for inbound calls

David P davidswalkabout at gmail.com
Sun May 27 08:39:09 UTC 2018

I've tried working through the page you provided, but I've encountered some
loose ends. First, in order to use a CA cert, I installed certbot alongside
Apache on Ubuntu16.04. This is an AWS EC2, so I don't have many options on
which distro I can use. You recommended against Ubuntu; would you elaborate

This Apache is on the same machine as FS. I no longer serve verto files
from Apache (they're now in S3/CloudFront), but I suspect Apache may still
be needed to serve the cert for wss. But FS can probably do that itself.
Anyway, https://www.ssllabs.com/ssltest/analyze.html?d=my.domain.com shows
the cert is reachable and valid. On disk, they're at:

Do these need to be renamed for FS to find them?

says I should edit sip_profiles/internal.xml
so that
<param name="tls-cert-dir" value="(path to certs)"/>
<param name="wss-binding" value=":7443"/>

Should  (path to certs) be replaced with  /etc/letsencrypt/live/
my.domain.com/ ?

Even though I haven't finished the config above, this test suggests
something is working:

sudo /opt/freeswitch/bin/fs_cli -x 'sofia status profile internal' | grep
WSS-BIND-URL            sips:mod_sofia@(private EC2 IP):7443;transport=wss

Later steps say to create a wss.pem
under  /usr/local/freeswitch/certs/wss.pem but there is no certs/ after FS
install; am I supposed to mkdir it?

Later steps also say to create  conf/autoload_configs/verto.conf.xml but
there is no conf/ Should I mkdir it?


On Thu, May 24, 2018 at 9:32 AM, Michael Jerris <mike at jerris.com> wrote:

> we will gen whats needed for dtls srtp automatically, you need to provide
> the cert for wss (same as what you need for tls, as wss is just tls secured
> ws)  It does require the cert and chain.  More info:
> https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-
> InstallCertificates
> Mike
> On May 24, 2018, at 12:23 PM, David P <davidswalkabout at gmail.com> wrote:
> Thanks, Mike, I'll try another distro.
> About verto, which I already serve under an AWS free non-exportable cert,
> does it need the gentls-generated CA root cert somewhere?
> And do I need any more steps to secure the streamed media?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20180527/04006f5d/attachment.html>

More information about the FreeSWITCH-users mailing list