Asterisk and WebRTC (sipML5) secure WSS connection

Greetings, Asterisk community. I’ve managed to connect to Asterisk over TCP and WS (the port for it is 8080 - this is relevant - I promise :smiley: ) and made a call between 2 hardcoded SIP phones whose transport type was TCP, but I need to make it over TLS. I followed the guide to secure a connection, Secure Calling Tutorial, but I don’t think it’s working as intended. I can’t get a response from the server on the 5061 port over WSS (this is the address I use in the sipML5 options - wss://my.server.i.p:5061/wss ). If I try to register a SIP phone there, I get “ERR_CONN_REFUSED” in the Chrome console. However, if I try to register the sipML5 phone with this address: wss://my.server.i.p:8080/wss - I get ERR_SSL_PROTOCOL_ERR. I’m able to provide any code if someone is willing to help. Thanks a grand.

The secure calling tutorial is for SIP over TLS, not for WSS. You have to configure TLS support for HTTP in the http.conf file and then use that port for connecting to Asterisk. By default it is port 8089.


Thanks for the reply.
This is what I have in the http.conf file:
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys1/asterisk.pem
tlsprivatekey=/etc/asterisk/keys1/ca.key

(I’m not quite sure the last one should be the ca.key; any ideas on that as well?)
If I try to open a WSS connection to serverip:8089/wss I get connection refused… I’ve been facepalming over that for more than a day…

Have you looked at the console log at startup to see if it has any complaints about the configuration? As well, the address would still be wss://serverip:8089/ws


No, sir. I always launch with a high verbosity level and no complaints were ever given. It seems like no matter what port I specify in the http.conf except 8080, it always returns connection refused, as if it were never opened. P.S. I’m running Asterisk 13.13 on CentOS 6.6.

What if you set “tlsbindaddr” to “0.0.0.0”?


Connection refused again. Do I need to configure the firewall? I have no idea. The only port I can access is 8080.

I don’t know what your deployment is like and how your firewall is configured. If it is blocking everything but port 8080, then yes, you would need to allow 8089 through.


I opened up the 8089 port and this is the response I got when trying to connect to it:

This site can’t provide a secure connection

192.168.1.140 sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

Oh, I probably should say that the certificates are self-signed and done step by step as the aforementioned guide suggests. Is the ca.key file the one I should set as tlsprivatekey?

You should use asterisk.pem for both.

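The mismatch in this thread (tlscertfile pointing at asterisk.pem, tlsprivatekey at the CA’s key) is easy to catch before restarting Asterisk. The following shell functions are an added check, not from the thread or the Asterisk project: they compare the public key inside a certificate file with the public key derived from a private key file, and probe whether a TLS listener answers on the http.conf port. They assume the openssl CLI is installed; the file names and the demo material they generate are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic for Asterisk http.conf TLS settings (not from the thread).
# Assumes the openssl CLI. The tutorial's asterisk.pem bundles the server
# certificate and its key, so it is valid for both tlscertfile and
# tlsprivatekey; ca.key belongs to the CA and does not match asterisk.pem.

# Public key (PEM) of the first certificate in a file, hashed for comparison.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256
}

# Public key derived from the private key in a file (a cert+key bundle is
# fine: openssl skips the CERTIFICATE block and reads the PRIVATE KEY block).
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256
}

# Exit 0 when the certificate in $1 was issued for the private key in $2.
key_matches_cert() {
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Exit 0 when host $1 completes a TLS handshake on port $2 (8089 in the
# thread's http.conf; "connection refused" here means nothing is listening
# or a firewall is in the way, not a certificate problem).
tls_listener_up() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Constructed demo material: a self-signed server cert bundled with its key
# the way the tutorial builds asterisk.pem, plus an unrelated ca.key.
make_demo_keys() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=asterisk.example" \
    -keyout "$dir/asterisk.key" -out "$dir/asterisk.crt" 2>/dev/null
  cat "$dir/asterisk.crt" "$dir/asterisk.key" > "$dir/asterisk.pem"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  echo "$dir"
}
```

Run `key_matches_cert /etc/asterisk/keys1/asterisk.pem /etc/asterisk/keys1/ca.key` against the thread’s original config and it fails; with asterisk.pem given as both arguments it succeeds.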

God bless you, you glorious bastard. I’d walk a mile through shattered glass just to kiss your ass for saving me from the eternal frustration. Thank you mate. Have a great day. All the best wishes from Bulgaria.
