WebRTC provides Real-Time Communications directly from better web browsers and devices without requiring plug-ins such as Adobe Flash or Silverlight. WebRTC always operates in secure mode. FreeSWITCH provides a WebRTC portal to its public conference bridge to demonstrate the possibilities for handling telephony via a web page; join us for our weekly conference calls.
The process for configuring FreeSWITCH with WSS certificates is the same whether for use with classic WebRTC or the FreeSWITCH Verto endpoint.
The configuration for Secure Web Sockets is slightly different than for TLS over SIP. This guide covers WSS certificate setup.
Debian 7 (Wheezy)
Install Debian 7 (Wheezy) minimal.
If behind NAT, make sure to set ext-sip-ip and ext-rtp-ip in vars.xml to the public IP address of your FreeSWITCH.
If talking to clients both inside and outside the NAT, you must set local-network-acl to rfc1918.auto and prefix the ext-sip-ip and ext-rtp-ip values with autonat: (that is, autonat:X.X.X.X).
Layout of /usr/local/freeswitch/certs/wss.pem:
Once started execute:
If you get output, then WSS on FreeSWITCH is set up correctly.
Setting up Apache:
(Configure your certificates/chain/keys per standard https docs; this is beyond the scope of this document so not covered here.)
Now verify your certs using http://www.sslshopper.com/ssl-checker.html
Verify the hostname and hostname:7443 so you can verify that your certificate chain is intact.
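A local structural check of the wss.pem bundle can catch a missing key or missing intermediates before the online chain check. This is an added example, not part of the original guide or of FreeSWITCH's own tooling; it assumes the bundle is meant to hold the server certificate, one private key and the intermediate certificates, and the function names and sample bundles are constructed for illustration.

```python
import base64
import re

# Matches one complete PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_bundle(text):
    """Return (labels, problems) for the text of a PEM bundle (assumed layout: cert, key, chain)."""
    labels, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {len(labels)} ({label}): body is not valid base64")
    # Every complete block accounts for two markers; anything extra is unmatched.
    if len(re.findall(r"-----(?:BEGIN|END) ", text)) != 2 * len(labels):
        problems.append("unmatched BEGIN/END marker (truncated or badly pasted block)")
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    if certs == 0:
        problems.append("no CERTIFICATE block")
    elif certs == 1:
        problems.append("only one CERTIFICATE: no intermediates, clients may fail to build the chain")
    if keys != 1:
        problems.append(f"expected exactly one private key block, found {keys}")
    return labels, problems

def pem_block(label, payload):
    """Build a PEM-shaped block around placeholder bytes (not real key material)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample bundles: placeholder bodies, not real certificates or keys.
GOOD = (pem_block("CERTIFICATE", b"server") + pem_block("PRIVATE KEY", b"key")
        + pem_block("CERTIFICATE", b"intermediate"))
TRUNCATED = GOOD.replace("-----END PRIVATE KEY-----\n", "")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TRUNCATED
    labels, problems = inspect_bundle(text)
    print("blocks:", labels)
    for p in problems or ["no structural problems found"]:
        print(" -", p)
```

Run it with the path to the bundle as the only argument; it checks structure only and does not validate signatures, expiry or hostnames, which the online check above covers.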
Notes captured from the freeswitch-users mailing list:
A quick how to from bkw (Brian K. West):
The latest version of FreeSWITCH should automatically generate self-signed certificates. However, self-signed certs often don't work very well, since you will need to induce the prompt to allow an untrusted certificate. You should use a trusted certificate, just as you would for your website. If you take your WebRTC URL, such as wss://foo.bar.com:7443, and change it to https://foo.bar.com:7443, you can visit it in the browser and give it a permanent exception. On OS X and Windows you may import the ca.crt into your trust store.
If you see the following:
There could be a certificate problem and the wss directive will cause the whole profile to fail.
Now proceed to configure sipjs/sipml5.
If you want, you can use the Opus codec for high audio quality. If you do, be careful when testing with software SIP clients, because SIP clients which implement it according to the RFCs are currently rare (possibly non-existent). You'd better call between two WebRTC peers. If you, for example, want to use Jitsi, my current experience is that you can call with Jitsi with the Opus codec to FreeSWITCH (probably because FreeSWITCH accepts the not 100% correct SDP sent by Jitsi), but when FreeSWITCH originates a call it won't work.
Use this to see if ws and wss work: