TLS, like SSL before it, relies on certificates issued by a Certification Authority (CA) that vouches for the identity of the certificate holder. You can buy a TLS certificate for SIP from the same CAs that sell HTTPS certificates for the Web, and you can then reuse that same certificate for WebSockets, WebRTC and mod_verto (and for an HTTPS website with the same name as your SIP registrar, for example https://pbx.freeswitch.org).
You can also use free, valid certificates from https://letsencrypt.org/ (see the automatic script in FreeSWITCH Confluence about the verto_communicator demo installation on Debian 8).
The tool used to generate the various certificates involved is the (aptly named) gentls_cert, which is always invoked with the same arguments and a different command (command below is a placeholder for the sub-commands described next):
/usr/local/freeswitch/bin/gentls_cert command -cn pbx.freeswitch.org -alt DNS:pbx.freeswitch.org -org freeswitch.org
(Instead of pbx.freeswitch.org and freeswitch.org, use the FQDN your clients will use as SIP registrar and the SIP domain.) You run the utility three times with those same arguments, changing only the command: first setup, which creates your own CA; then create_server, which generates FreeSWITCH's agent certificate; and finally create_client, which generates the (optional) client certificate. You will find all of them in /usr/local/freeswitch/conf/ssl/. Because the CA created by setup is private, clients will not trust the agent certificate out of the box: you will probably need to copy cafile.pem to the clients too, so that they have the entire chain up to the CA. (That step is unnecessary when the certificate comes from a public CA such as the ones mentioned above.)
Then edit /usr/local/freeswitch/conf/vars.xml and change internal_ssl_enable from false to true, so that the line reads:
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
Restart FreeSWITCH and the server side is done. Then configure the clients to use TLS and to connect to FreeSWITCH's port 5061 (the TLS port of the internal profile). That's it: your signaling is encrypted. Note that this protects only the SIP signaling; the media streams (RTP) are not encrypted by this setting. (Beware: clients behind NATs or firewalls can have problems receiving incoming calls. In that case, use VPNs instead of TLS.)
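The whole server-side procedure above (generate the three certificates, enable TLS on the internal profile, restart, then check the listener on port 5061), as an added shell script that is not part of this page or of the FreeSWITCH project. It assumes the /usr/local/freeswitch layout used above, that the stock vars.xml line reads internal_ssl_enable=false, that FreeSWITCH is restarted with systemctl restart freeswitch, and that the openssl command-line tool is installed; the FQDN and SIP domain default to the page's placeholders and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not FreeSWITCH's own code): scripts the TLS setup procedure.
# Assumptions, adjust to your install:
#   - FreeSWITCH lives under /usr/local/freeswitch (the layout used on the page)
#   - the restart command for your install is "systemctl restart freeswitch"
#   - the stock vars.xml line reads internal_ssl_enable=false
FS_PREFIX="${FS_PREFIX:-/usr/local/freeswitch}"
GENTLS="$FS_PREFIX/bin/gentls_cert"
VARS_XML="$FS_PREFIX/conf/vars.xml"
SSL_DIR="$FS_PREFIX/conf/ssl"
FQDN="${FQDN:-pbx.freeswitch.org}"          # what clients use as SIP registrar
SIP_DOMAIN="${SIP_DOMAIN:-freeswitch.org}"  # the SIP domain, passed as -org

# Step 1: run gentls_cert three times with identical arguments, changing only
# the command: setup (your CA), create_server (agent cert), create_client
# (optional client cert). Everything lands in $SSL_DIR; copy cafile.pem from
# there to the clients so they can validate the chain up to your private CA.
gen_certs() {
    for cmd in setup create_server create_client; do
        "$GENTLS" "$cmd" -cn "$FQDN" -alt "DNS:$FQDN" -org "$SIP_DOMAIN" || return 1
    done
    ls -l "$SSL_DIR"
}

# Step 2: flip internal_ssl_enable to true in vars.xml, whatever its current
# value. Plain sed into a temp file (no -i) so it behaves the same on GNU and
# BSD sed; running it twice is harmless.
enable_internal_tls() {
    f="$1"
    sed 's/\(data="internal_ssl_enable=\)[a-z]*"/\1true"/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Returns 0 if the given vars.xml enables TLS on the internal profile.
tls_enabled() {
    grep -q 'data="internal_ssl_enable=true"' "$1"
}

# Step 3/4: after the restart, prove that the listener on 5061 presents a
# certificate that validates against the CA created in step 1, which is the
# check a client holding cafile.pem performs. openssl's exit status reflects
# the handshake, not the verification result, so grep for the verify line.
check_tls_listener() {
    openssl s_client -connect "$FQDN:5061" -CAfile "$SSL_DIR/cafile.pem" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

main() {
    gen_certs
    enable_internal_tls "$VARS_XML"
    tls_enabled "$VARS_XML" || { echo "vars.xml was not updated" >&2; exit 1; }
    systemctl restart freeswitch
    sleep 2
    if check_tls_listener; then
        echo "TLS on $FQDN:5061 verified against $SSL_DIR/cafile.pem"
    else
        echo "TLS listener on $FQDN:5061 did not verify; check 'sofia status' in fs_cli" >&2
        exit 1
    fi
}

# Only apply the changes when explicitly asked, so the file can be sourced
# for its functions without touching the running system.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as sh fs_tls_setup.sh --apply on the FreeSWITCH host (as a user that may write under /usr/local/freeswitch and restart the service). Without the flag it only defines the functions, so enable_internal_tls can be tried on a copy of vars.xml first, and check_tls_listener can be rerun at any time from another machine that has cafile.pem to confirm what a client will see.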