
Configuration_Security.md


The configuration file allows setting the SSL certificate files to be used for TLS and WSS signaling protocols. The certificates are also used for DTLS-SRTP. The Doubango framework must be built with OpenSSL enabled as explained here.

ssl-private-key = /tmp/ssl.pem
ssl-public-key = /tmp/ssl.pem
ssl-ca = /tmp/ssl.pem
ssl-mutual-auth = no

Configuration 3: Setting SSL certificates

  • ssl-private-key - the full path to the PEM file.
  • ssl-public-key - the full path to the PEM file.
  • ssl-ca - the full path to the PEM file.
  • ssl-mutual-auth - whether the incoming connection requests must fail if the remote peer certificates are missing or do not match the local ones. This only applies to TLS or WSS and is useless for DTLS-SRTP as certificates are always required.

The configuration file also allows setting the SRTP type.

srtp-mode = optional
srtp-type = sdes;dtls

Configuration 4: SRTP settings

srtp-mode – defines the SRTP mode to use for negotiation. Supported values are none, optional and mandatory. Only optional and mandatory modes will work if the SIP client is a WebRTC browser as SRTP is required. Based on the mode, the SDP on the outgoing INVITEs will be formed like this:

  • none:
    • profile will be equal to RTP/AVP
    • no crypto lines or certificate fingerprints will be added
  • optional:
    • profile will be equal to RTP/AVP
    • two crypto lines will be added if srtp-type includes sdes, plus certificate fingerprints if srtp-type also includes dtls.
  • mandatory:
    • profile will be equal to RTP/SAVP if srtp-type is equal to sdes or UDP/TLS/RTP/SAVP if srtp-type is equal to dtls
    • two crypto lines will be added if srtp-type is equal to sdes or certificate fingerprints if srtp-type is equal to dtls

srtp-type - defines the list of all supported SRTP types. Defining multiple values only makes sense if the srtp-mode value is equal to optional, which means we want to negotiate the best one. Supported values are sdes and dtls.

DTLS-SRTP requires valid SSL certificates and Doubango source code must be compiled with OpenSSL version 1.0.1 or later.
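
The rules above can be checked against a configuration before deployment. The following is an added example, not code from the Doubango project: it parses the `key = value` lines, derives the SDP profile and security lines that outgoing INVITEs should carry, and reports settings that weaken the result. The function names, the `#` comment handling and the finding texts are assumptions of this example.

```python
# Added example: audits the ssl-* and srtp-* keys using the rules stated on this page.
VALID_MODES = {"none", "optional", "mandatory"}
VALID_TYPES = {"sdes", "dtls"}
SSL_KEYS = ("ssl-private-key", "ssl-public-key", "ssl-ca")

def parse_config(text):
    """Parse 'key = value' lines (skipping '#' lines is an assumption)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg, webrtc_clients=True):
    """Return (profile, sdp_security_lines, findings) for outgoing INVITEs."""
    mode = cfg.get("srtp-mode", "")
    if mode not in VALID_MODES:
        return None, [], [f"srtp-mode {mode!r} is not none/optional/mandatory"]
    listed = [t.strip() for t in cfg.get("srtp-type", "").split(";") if t.strip()]
    types = [t for t in listed if t in VALID_TYPES]
    findings = [f"unsupported srtp-type {t!r}" for t in listed if t not in VALID_TYPES]
    crypto = ["crypto", "crypto"] if "sdes" in types else []
    fingerprint = ["fingerprint"] if "dtls" in types else []
    if mode == "none":
        profile, sdp = "RTP/AVP", []
        if webrtc_clients:
            findings.append("srtp-mode none: WebRTC browsers require SRTP")
    elif mode == "optional":
        # dtls-only under optional is not spelled out on the page; fingerprint-only is assumed
        profile, sdp = "RTP/AVP", crypto + fingerprint
        findings.append("srtp-mode optional: SRTP is offered but not required")
    elif len(types) == 1:
        profile = "RTP/SAVP" if types == ["sdes"] else "UDP/TLS/RTP/SAVP"
        sdp = crypto + fingerprint
    else:
        profile, sdp = None, []
        findings.append("srtp-mode mandatory: expected a single srtp-type (sdes or dtls)")
    if "dtls" in types and mode != "none":
        findings += [f"dtls listed but {k} is not set" for k in SSL_KEYS if not cfg.get(k)]
    if cfg.get("ssl-private-key", "").startswith("/tmp/"):
        findings.append("ssl-private-key is under /tmp, a world-writable directory")
    if cfg.get("ssl-mutual-auth") == "no":
        findings.append("ssl-mutual-auth = no: TLS/WSS peer certificates are not enforced")
    return profile, sdp, findings

# Sample input constructed from the values shown in Configuration 3 and 4.
SAMPLE = "ssl-private-key = /tmp/ssl.pem\nssl-public-key = /tmp/ssl.pem\nssl-ca = /tmp/ssl.pem\nssl-mutual-auth = no\nsrtp-mode = optional\nsrtp-type = sdes;dtls\n"
```

Calling `audit(parse_config(SAMPLE))` on the page's own values returns the `RTP/AVP` profile with two crypto lines and a fingerprint, along with three findings.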