WebRTC (secure web socket wss settings)
/usr/local/freeswitch/conf/sip_profiles/internal.xml
# Set these params and save the file:
<param name="tls-cert-dir" value="/usr/local/freeswitch/certs" />
<param name="wss-binding" value=":7443" />
If FreeSWITCH is behind NAT, set ext-sip-ip and ext-rtp-ip (via vars.xml) to its public IP address, not to the address of its own LAN interface.
If it must serve clients both inside and outside the NAT, also set local-network-acl to rfc1918.auto and prefix the ext-sip-ip and ext-rtp-ip values with autonat: (autonat:X.X.X.X); FreeSWITCH then advertises the public address only to peers that are not in the listed private networks.
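The two NAT cases above as a small helper script. This is an added example, not part of the page or of the FreeSWITCH project: it refuses a private or malformed address for ext-sip-ip (pasting the box's own LAN address is the usual mistake) and prints the vars.xml and internal.xml lines for the chosen case. The variable names external_sip_ip / external_rtp_ip are the ones the stock vars.xml and internal.xml use; 203.0.113.10 is a constructed public address.

```shell
#!/bin/sh
# Added example (not from the page or the FreeSWITCH project): derive the ext-sip-ip /
# ext-rtp-ip value for the two NAT cases and refuse a private address. The XML lines
# printed below use the stock vars.xml / internal.xml variable names.

# 0 if ADDR is a routable public IPv4 address; 1 for RFC1918, loopback, link-local,
# CGNAT (RFC 6598, 100.64/10), 0/8, multicast, or a malformed address.
is_public_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    case "$1" in
        0|10|127) return 1 ;;
        169) [ "$2" -eq 254 ] && return 1 ;;
        192) [ "$2" -eq 168 ] && return 1 ;;
        100) [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1 ;;
        *)   [ "$1" -ge 224 ] && return 1 ;;
    esac
    return 0
}

# Value for ext-sip-ip and ext-rtp-ip: the bare public address when every client is
# outside the NAT, "autonat:<address>" when LAN clients must be served as well.
# $1 = public address, $2 = "yes" if clients exist on both sides of the NAT.
ext_ip_setting() {
    is_public_ipv4 "$1" || { echo "ext-sip-ip must be the public address, not $1" >&2; return 1; }
    if [ "$2" = yes ]; then echo "autonat:$1"; else echo "$1"; fi
}

# Print the lines for vars.xml and sip_profiles/internal.xml. With $2 = yes the
# local-network-acl param is added, as the page requires for the mixed case.
render_nat_config() {
    setting=$(ext_ip_setting "$1" "$2") || return 1
    cat <<EOF
<!-- vars.xml -->
<X-PRE-PROCESS cmd="set" data="external_sip_ip=$setting"/>
<X-PRE-PROCESS cmd="set" data="external_rtp_ip=$setting"/>
<!-- sip_profiles/internal.xml -->
<param name="ext-sip-ip" value="\$\${external_sip_ip}"/>
<param name="ext-rtp-ip" value="\$\${external_rtp_ip}"/>
EOF
    if [ "$2" = yes ]; then
        echo '<param name="local-network-acl" value="rfc1918.auto"/>'
    fi
}

# Usage: sh nat_settings.sh demo [PUBLIC_IP]   (constructed default address)
if [ "${1:-}" = demo ]; then
    render_nat_config "${2:-203.0.113.10}" yes
fi
```

The address check is deliberately strict: an ext-sip-ip inside 10/8, 172.16/12 or 192.168/16 would be written into the Contact and SDP of every call, and remote clients would try to reach a private address.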
Install Certificates
Layout of /usr/local/freeswitch/certs/wss.pem:
Cert, Key and Chain(s) are all contained in a single file, in this order (a PKCS#8 key block, -----BEGIN PRIVATE KEY-----, as Let's Encrypt issues, works in place of the RSA PRIVATE KEY block):
-----BEGIN CERTIFICATE-----
< cert >
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
< key >
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
< chain >
-----END CERTIFICATE-----
When building it from the Let's Encrypt certificate files:
$ sudo cat cert.pem privkey.pem fullchain.pem > wss.pem
Two things to note: fullchain.pem already contains cert.pem, so this repeats the leaf certificate after the key (using chain.pem in place of fullchain.pem gives exactly the layout shown above); and the redirection is performed by your own shell, not by sudo, so the target directory must be writable by you, or the command must be run from a root shell. The resulting file contains the private key and must not be world-readable.
Checking the TLS handshake on port 7443 with OpenSSL:
$ openssl s_client -host www.example.com -port 7443
The output lists the certificate chain the server presented and includes a "Verify return code" line; anything other than 0 (ok) means clients will not trust the chain. See the help for the command options:
$ openssl s_client -help
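The build-and-check steps above as one script. This is an added example, not part of the page or of the FreeSWITCH project: it concatenates cert.pem, privkey.pem and chain.pem (certbot's file names are assumed) with a restrictive umask, verifies that the result has the block order shown in the layout above, and, where openssl is available, confirms that the key belongs to the certificate and shows what the live listener actually presents. The placeholder PEM files it creates are constructed so the layout check can be run offline; they are not real keys or certificates.

```shell
#!/bin/sh
# Added example (not from the page or the FreeSWITCH project): assemble wss.pem from a
# Let's Encrypt live directory and check the result before handing it to mod_sofia.
# Assumed: certbot's cert.pem / privkey.pem / chain.pem names; openssl on PATH for the
# optional key/cert match and the live listener check.

# Print the PEM block labels of a file, one per line, spaces replaced by "_"
# (e.g. CERTIFICATE, PRIVATE_KEY, RSA_PRIVATE_KEY, EC_PRIVATE_KEY).
pem_labels() {
    awk '/^-----BEGIN /{ sub(/^-----BEGIN /, ""); sub(/-----$/, ""); gsub(/ /, "_"); print }' "$1"
}

# Enforce the layout from the page: server cert, then the private key, then chain cert(s).
check_pem_layout() {
    file=$1
    set -- $(pem_labels "$file")
    [ "${1:-}" = CERTIFICATE ] || { echo "$file: first block must be the server certificate" >&2; return 1; }
    case "${2:-}" in
        RSA_PRIVATE_KEY|EC_PRIVATE_KEY|PRIVATE_KEY) ;;
        *) echo "$file: second block must be the private key" >&2; return 1 ;;
    esac
    shift 2
    [ $# -ge 1 ] || { echo "$file: no chain certificate after the key" >&2; return 1; }
    for label in "$@"; do
        [ "$label" = CERTIFICATE ] || { echo "$file: unexpected block after the key: $label" >&2; return 1; }
    done
    return 0
}

# Build OUT from LIVE_DIR/{cert,privkey,chain}.pem. The file holds the private key, so it
# is created under umask 077 (mode 0600) instead of being chmod'ed after the fact.
build_wss_pem() {
    live=$1; out=$2
    for f in cert.pem privkey.pem chain.pem; do
        [ -r "$live/$f" ] || { echo "missing or unreadable: $live/$f" >&2; return 1; }
    done
    rm -f "$out"
    ( umask 077; cat "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" > "$out" ) || return 1
    check_pem_layout "$out"
}

# Optional: confirm the key in FILE belongs to the first certificate in FILE. OpenSSL's
# PEM reader skips blocks of another type, so both commands accept the combined file.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Live check of the WSS listener (needs network, so not run here): prints the certificate
# FreeSWITCH presents on HOST:PORT, sending SNI the way a browser does.
check_wss_listener() {
    host=$1; port=${2:-7443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Constructed placeholder files in certbot's layout (not real keys) so the script runs offline.
make_sample_le_dir() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$dir/cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY' '-----END PRIVATE KEY-----' > "$dir/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'ROOT' '-----END CERTIFICATE-----' > "$dir/chain.pem"
}

# Usage: sh build_wss.sh demo   (offline, with the placeholder files above)
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_sample_le_dir "$d"
    build_wss_pem "$d" "$d/wss.pem" && echo "wss.pem layout ok: $(pem_labels "$d/wss.pem" | tr '\n' ' ')"
    rm -rf "$d"
fi
```

On a real system call build_wss_pem /etc/letsencrypt/live/<name> /usr/local/freeswitch/certs/wss.pem, then check_key_matches_cert on the result and check_wss_listener against the public host name once mod_sofia has been reloaded; a key/cert mismatch or a stale chain shows up there rather than as a silent WebRTC registration failure.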
The wss.pem built from the Let's Encrypt files is also needed for SIP over TLS, but under different file names: create agent.pem, tls.pem and dtls-srtp.pem with the same contents as wss.pem. The script below does this by pointing all four names at one combined file:
#!/bin/bash
# Run from the directory holding the my.certificate-*.pem files (the Let's Encrypt
# cert/privkey/chain/fullchain files, renamed). Abort on the first error so a
# half-emptied /etc/freeswitch/tls is never left behind. This layout is a package
# install; on a source install use the tls-cert-dir set above (/usr/local/freeswitch/certs).
set -e
# make sure we have the correct permissions: only root and the ssl-cert group may read the key
chown root:ssl-cert my.certificate-privkey.pem
chown root:root my.certificate-cert.pem
chown root:root my.certificate-chain.pem
chown root:root my.certificate-fullchain.pem
chmod 640 my.certificate-privkey.pem
chmod 644 my.certificate-cert.pem
chmod 644 my.certificate-chain.pem
chmod 644 my.certificate-fullchain.pem
# copy file for webserver
cp my.certificate-fullchain.pem /etc/ssl/certs/my.certificate-fullchain.pem
cp my.certificate-privkey.pem /etc/ssl/private/my.certificate-privkey.pem
systemctl restart nginx
#setup freeswitch tls
#make sure the freeswitch directory exists
mkdir -p /etc/freeswitch/tls
#make sure the freeswitch certificate directory is empty (-f: do not fail when it already is)
rm -f /etc/freeswitch/tls/*
#combine the certs into all.pem: full chain first, private key last. Restrict the umask
#first so the file holding the key is never world-readable, not even briefly.
umask 077
cat my.certificate-fullchain.pem > /etc/freeswitch/tls/all.pem
cat my.certificate-privkey.pem >> /etc/freeswitch/tls/all.pem
#copy the certificates - not required, but useful to know what is in all.pem
cp my.certificate-cert.pem /etc/freeswitch/tls/cert.pem
cp my.certificate-chain.pem /etc/freeswitch/tls/chain.pem
cp my.certificate-fullchain.pem /etc/freeswitch/tls/fullchain.pem
cp my.certificate-privkey.pem /etc/freeswitch/tls/privkey.pem
#add symbolic links: these are the file names mod_sofia reads from tls-cert-dir
#(wss.pem for WSS, tls.pem and agent.pem for SIP over TLS, dtls-srtp.pem for DTLS-SRTP media)
ln -sf /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/agent.pem
ln -sf /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/tls.pem
ln -sf /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/wss.pem
ln -sf /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/dtls-srtp.pem
#set the permissions: the directory must belong to the user FreeSWITCH runs as (www-data
#on this installation; substitute the freeswitch service user if yours differs) and
#nothing in it needs to be readable by anyone else, since every file now contains the key
chown -R www-data:www-data /etc/freeswitch/tls
chmod 750 /etc/freeswitch/tls
chmod 600 /etc/freeswitch/tls/*.pem
fs_cli -x "reload mod_sofia"