[Freeswitch-users] Achieving TLS + SRTP for inbound calls

Giovanni Maruzzelli gmaruzz at gmail.com
Sun May 27 16:25:08 UTC 2018


Use Debian 8 Jessie 64-bit minimal server install.

On Sun, May 27, 2018, 10:57 David P <davidswalkabout at gmail.com> wrote:

> I've tried working through the page you provided, but I've encountered
> some loose ends. First, in order to use a CA cert, I installed certbot
> alongside Apache on Ubuntu 16.04. This is an AWS EC2, so I don't have many
> options on which distro I can use. You recommended against Ubuntu; would
> you elaborate why?
>
> This Apache is on the same machine as FS. I no longer serve verto files
> from Apache (they're now in S3/CloudFront), but I suspect Apache may still
> be needed to serve the cert for wss. But FS can probably do that itself.
> Anyway, https://www.ssllabs.com/ssltest/analyze.html?d=my.domain.com
> shows the cert is reachable and valid. On disk, they're at:
> /etc/letsencrypt/live/my.domain.com/fullchain.pem
> /etc/letsencrypt/live/my.domain.com/privkey.pem
>
> Do these need to be renamed for FS to find them?
>
>
> https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates
> says I should edit sip_profiles/internal.xml
> so that
> <param name="tls-cert-dir" value="(path to certs)"/>
> <param name="wss-binding" value=":7443"/>
>
> Should (path to certs) be replaced with /etc/letsencrypt/live/my.domain.com/ ?
>
> Even though I haven't finished the config above, this test suggests
> something is working:
>
> sudo /opt/freeswitch/bin/fs_cli -x 'sofia status profile internal' | grep WSS-BIND-URL
> WSS-BIND-URL            sips:mod_sofia@(private EC2 IP):7443;transport=wss
>
> Later steps say to create a wss.pem under /usr/local/freeswitch/certs/wss.pem,
> but there is no certs/ after FS install; am I supposed to mkdir it?
>
> Later steps also say to create conf/autoload_configs/verto.conf.xml, but
> there is no conf/. Should I mkdir it?
>
> David
>
> On Thu, May 24, 2018 at 9:32 AM, Michael Jerris <mike at jerris.com> wrote:
>
>> We will gen what's needed for DTLS-SRTP automatically; you need to provide
>> the cert for wss (same as what you need for TLS, as wss is just TLS-secured
>> ws). It does require the cert and chain. More info:
>>
>>
>> https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates
>>
>> Mike
>>
>>
>> On May 24, 2018, at 12:23 PM, David P <davidswalkabout at gmail.com> wrote:
>>
>> Thanks, Mike, I'll try another distro.
>>
>> About verto, which I already serve under an AWS free non-exportable cert,
>> does it need the gentls-generated CA root cert somewhere?
>>
>> And do I need any more steps to secure the streamed media?
>>
>>
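An added helper for the wss.pem step that Mike and the Confluence page refer to; it is not code from this thread or from the FreeSWITCH project. It builds the single PEM FreeSWITCH loads from Let's Encrypt's fullchain.pem and privkey.pem, and refuses to write the file when the private key does not belong to the leaf certificate. It assumes the openssl CLI is installed; the paths in the usage comment are the placeholders from David's message.

```shell
#!/bin/sh
# build_wss_pem FULLCHAIN PRIVKEY OUT
# Assemble the single PEM file FreeSWITCH reads for WSS/TLS from Let's Encrypt's
# fullchain.pem (leaf cert followed by intermediates) and privkey.pem.
# Assumes the openssl CLI is installed. Returns non-zero instead of writing a
# file that FreeSWITCH would load but that could never complete a handshake.
# Example (paths are the placeholders from the thread):
#   build_wss_pem /etc/letsencrypt/live/my.domain.com/fullchain.pem \
#       /etc/letsencrypt/live/my.domain.com/privkey.pem /usr/local/freeswitch/certs/wss.pem
build_wss_pem() {
    fullchain=$1
    privkey=$2
    out=$3

    # Both inputs must exist and be readable by the caller.
    if [ ! -r "$fullchain" ] || [ ! -r "$privkey" ]; then
        echo "build_wss_pem: cannot read $fullchain or $privkey" >&2
        return 1
    fi

    # Mike's point: the file needs the cert AND its chain. Warn if only the
    # leaf is present (a bare cert.pem was passed instead of fullchain.pem).
    ncerts=$(grep -c 'BEGIN CERTIFICATE' "$fullchain" || true)
    if [ "$ncerts" -lt 1 ]; then
        echo "build_wss_pem: no certificate found in $fullchain" >&2
        return 1
    elif [ "$ncerts" -lt 2 ]; then
        echo "build_wss_pem: warning: $fullchain carries no intermediate chain" >&2
    fi

    # The public key inside the leaf cert (openssl x509 reads only the first
    # PEM block) must equal the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$privkey" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "build_wss_pem: private key does not match the leaf certificate" >&2
        return 1
    fi

    # Write leaf, intermediates, then key. The subshell umask keeps the private
    # key unreadable by other local users without changing the caller's umask.
    (umask 077 && cat "$fullchain" "$privkey" > "$out")
}
```

Re-run it from a certbot deploy hook after each renewal, since the concatenated copy does not update when fullchain.pem and privkey.pem are rotated.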