FreeSWITCH with a self-signed certificate: configuring WSS

Using a self-signed certificate with FreeSWITCH

1. Generate a self-signed certificate with SSL-TOOLS (ssl.ca-0.1)

(1) Download ssl.ca-0.1.tar.gz

[root@localhost ~]# wget http://files.freeswitch.org/downloads/ssl.ca-0.1.tar.gz

(2) Extract ssl.ca-0.1.tar.gz

tar zxfv ssl.ca-0.1.tar.gz

(3) Run the following commands (the first switches the scripts from MD5 to SHA-1; the third replaces 2048 with itself and therefore changes nothing, which is why the key generated in step 4 is still 1024 bits)

[root@localhost software]# cd ssl.ca-0.1/
[root@localhost ssl.ca-0.1]# perl -i -pe 's/md5/sha1/g' *.sh
[root@localhost ssl.ca-0.1]# perl -i -pe 's/2048/2048/g' *.sh

(4) Generate the root certificate

[root@localhost ssl.ca-0.1]# ./new-root-ca.sh
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
.....................++++++
...............................................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:  root CA pass phrase
Verifying - Enter pass phrase for ca.key:

Self-sign the root CA...
Enter pass phrase for ca.key:  root CA pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:CN  country
State or Province Name (full name) [Perak]:JIANGSU  province
Locality Name (eg, city) [Sitiawan]:NANJING  city
Organization Name (eg, company) [My Directory Sdn Bhd]:HY  company name
Organizational Unit Name (eg, section) [Certification Services Division]:HY  organizational unit
Common Name (eg, MD Root CA) []:HY  common name
Email Address []:[email protected]  e-mail address
[root@localhost ssl.ca-0.1]#

When this finishes, two files, ca.key and ca.crt, have been created in the current directory.

(5) Generate a certificate for our server

[root@localhost ssl.ca-0.1]# ./new-server-cert.sh server
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JIANGSU
Locality Name (eg, city) [Sitiawan]:NANJING
Organization Name (eg, company) [My Directory Sdn Bhd]:HY
Organizational Unit Name (eg, section) [Secure Web Server]:HY
Common Name (eg, www.domain.com) []:localhost  replace this with your domain name
Email Address []:[email protected]

You may now run ./sign-server-cert.sh to get it signed

When this finishes, two files, server.csr and server.key, have been generated.

(6) Sign the certificate so that it becomes valid

[root@localhost ssl.ca-0.1]# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'JIANGSU'
localityName          :PRINTABLE:'NANJING'
organizationName      :PRINTABLE:'HY'
organizationalUnitName:PRINTABLE:'HY'
commonName            :PRINTABLE:'localhost'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Nov  9 06:26:54 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

When this finishes, server.crt has been generated.

After completing the steps above, the current directory contains the following files; the three marked with arrows are the ones the rest of the procedure uses.

	[root@254 ssl.ca-0.1]# ll
	总用量 96
	-rw-r--r-- 1 root root   932 6月  25 09:44 ca.crt
	drwxr-xr-x 2 root root    20 6月  25 09:45 ca.db.certs
	-rw-r--r-- 1 root root    97 6月  25 09:45 ca.db.index
	-rw-r--r-- 1 root root    21 6月  25 09:45 ca.db.index.attr
	-rw-r--r-- 1 root root     3 6月  25 09:45 ca.db.serial
	-rw-r--r-- 1 root root   963 6月  25 09:43 ca.key
	-rw-r--r-- 1  500  500 17992 4月  24 2000 COPYING
	-rwxr-xr-x 1  500  500  1460 6月  25 09:43 new-root-ca.sh
	-rwxr-xr-x 1  500  500  1539 6月  25 09:43 new-server-cert.sh
	-rwxr-xr-x 1  500  500  1049 6月  25 09:43 new-user-cert.sh
	-rwxr-xr-x 1  500  500   984 6月  25 09:43 p12.sh
	-rw-r--r-- 1  500  500  1024 4月  23 2000 random-bits
	-rw-r--r-- 1  500  500 11503 4月  24 2000 README
	-rw-r--r-- 1 root root  3092 6月  25 09:45 server.crt   ---------->
	-rw-r--r-- 1 root root   737 6月  25 09:45 server.csr   ----------> the following steps mainly use these three files
	-rw-r--r-- 1 root root   891 6月  25 09:44 server.key   ---------->
	-rwxr-xr-x 1  500  500  2080 6月  25 09:43 sign-server-cert.sh
	-rwxr-xr-x 1  500  500  1916 6月  25 09:43 sign-user-cert.sh
	-rw-r--r-- 1  500  500    50 4月  24 2000 VERSION

2. Replace the FreeSWITCH certificate (wss.pem)

Now replace the certificate [back up FreeSWITCH's existing certificate first]. The directory below is where the author's wss.pem lives; locate yours according to where your FreeSWITCH is installed, or use the find command.

	[root@izwz9ixh3287isfn0r8cm6z ~]# find / -name wss.pem
	/usr/local/freeswitch/certs/wss.pem  -----> location of wss.pem
	[root@localhost ssl.ca-0.1]# cd /usr/local/server/software/ssl.ca-0.1
	[root@localhost ssl.ca-0.1]# cat server.crt server.key > /usr/local/freeswitch/certs/wss.pem
	[root@localhost ssl.ca-0.1]# cat /usr/local/freeswitch/certs/wss.pem
	Certificate:
	    Data:
	        Version: 3 (0x2)
	        Serial Number: 1 (0x1)
	    Signature Algorithm: sha1WithRSAEncryption
	        Issuer: C=CN, ST=JIANGSU, L=NANJING, O=HY, OU=HY, CN=HY/emailAddress=HY@163,\x08\x1B[D\x1B[3~
	        Validity
	            Not Before: Nov  9 06:26:54 2018 GMT
	            Not After : Nov  9 06:26:54 2019 GMT
	        Subject: C=CN, ST=JIANGSU, L=NANJING, O=HY, OU=HY, CN=localhost/[email protected]
	        Subject Public Key Info:
	            Public Key Algorithm: rsaEncryption
	                Public-Key: (1024 bit)
	                Modulus:
	                    00:ca:87:6e:7a:b5:0b:40:b4:a5:5f:4c:03:7a:f9:
	                    f9:2e:d9:a8:bd:e2:d8:2d:45:dd:a1:58:d8:d4:98:
	                    31:e1:aa:bd:43:8d:77:cc:c8:f9:62:56:62:ac:0c:
	                    1c:4a:58:b3:46:58:5c:b6:27:a4:17:02:7a:0a:77:
	                    06:ba:a5:e9:fb:60:eb:16:45:45:e4:8c:13:ab:48:
	                    6f:e4:35:b0:2c:b3:46:91:43:8f:93:f9:9a:ec:bc:
	                    b5:46:8f:d2:bd:26:47:07:e1:f4:40:27:76:a1:e3:
	                    cf:ce:75:05:1f:d2:6a:37:fc:39:77:74:97:1e:e9:
	                    72:2c:5e:91:3c:9e:74:2d:91
	                Exponent: 65537 (0x10001)
	        X509v3 extensions:
	            X509v3 Authority Key Identifier: 
	                keyid:DD:66:29:32:E6:2E:98:ED:9A:39:89:C2:EF:07:5C:E3:6E:F9:63:B5
	
	            X509v3 Extended Key Usage: 
	                TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
	            X509v3 Basic Constraints: critical
	                CA:FALSE
	    Signature Algorithm: sha1WithRSAEncryption
	         2a:a5:a6:35:68:a3:b0:e4:3a:77:88:28:e6:39:ca:ba:2e:95:
	         28:b3:7d:b3:53:35:1d:f3:4a:1a:02:f1:c4:03:52:c3:02:e6:
	         5d:d5:29:08:17:41:f0:83:e4:c3:f8:a7:58:88:20:0c:93:ff:
	         78:b4:0b:e6:31:53:13:cb:f3:6c:3c:1b:ea:35:67:1e:1f:89:
	         be:f8:10:cc:ec:0b:a7:75:01:89:72:a8:51:95:03:34:3f:17:
	         7a:f1:fd:54:8d:55:8f:10:91:69:a1:55:c2:c8:76:48:a1:f2:
	         d9:dc:47:47:a7:9e:3a:00:a4:c6:ad:44:67:59:96:21:38:0d:
	         dd:0a
	-----BEGIN CERTIFICATE-----
	MIICzzCCAjigAwIBAgIBATANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJDTjEQ
	MA4GA1UECBMHSklBTkdTVTEQMA4GA1UEBxMHTkFOSklORzELMAkGA1UEChMCSFkx
	CzAJBgNVBAsTAkhZMQswCQYDVQQDEwJIWTEeMBwGCSqGSIb3DQEJARYPSFlAMTYz
	LAgbW0QbWzN+MB4XDTE4MTEwOTA2MjY1NFoXDTE5MTEwOTA2MjY1NFowejELMAkG
	A1UEBhMCQ04xEDAOBgNVBAgTB0pJQU5HU1UxEDAOBgNVBAcTB05BTkpJTkcxCzAJ
	BgNVBAoTAkhZMQswCQYDVQQLEwJIWTESMBAGA1UEAxMJbG9jYWxob3N0MRkwFwYJ
	KoZIhvcNAQkBFgpIWUAxNjMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
	gQDKh256tQtAtKVfTAN6+fku2ai94tgtRd2hWNjUmDHhqr1DjXfMyPliVmKsDBxK
	WLNGWFy2J6QXAnoKdwa6pen7YOsWRUXkjBOrSG/kNbAss0aRQ4+T+ZrsvLVGj9K9
	JkcH4fRAJ3ah48/OdQUf0mo3/Dl3dJce6XIsXpE8nnQtkQIDAQABo2cwZTAfBgNV
	HSMEGDAWgBTdZiky5i6Y7Zo5icLvB1zjbvljtTA0BgNVHSUELTArBggrBgEFBQcD
	AQYIKwYBBQUHAwIGCisGAQQBgjcKAwMGCWCGSAGG+EIEATAMBgNVHRMBAf8EAjAA
	MA0GCSqGSIb3DQEBBQUAA4GBACqlpjVoo7DkOneIKOY5yroulSizfbNTNR3zShoC
	8cQDUsMC5l3VKQgXQfCD5MP4p1iIIAyT/3i0C+YxUxPL82w8G+o1Zx4fib74EMzs
	C6d1AYlyqFGVAzQ/F3rx/VSNVY8QkWmhVcLIdkih8tncR0ennjoApMatRGdZliE4
	Dd0K
	-----END CERTIFICATE-----
	-----BEGIN RSA PRIVATE KEY-----
	MIICXQIBAAKBgQDKh256tQtAtKVfTAN6+fku2ai94tgtRd2hWNjUmDHhqr1DjXfM
	yPliVmKsDBxKWLNGWFy2J6QXAnoKdwa6pen7YOsWRUXkjBOrSG/kNbAss0aRQ4+T
	+ZrsvLVGj9K9JkcH4fRAJ3ah48/OdQUf0mo3/Dl3dJce6XIsXpE8nnQtkQIDAQAB
	AoGAbTYSsUCnTMEc3AKVbd8WK9lbUOneQKuIE9VhN2LKozH61U6X52oIcKq8kqIF
	L2IdajWD6QX/ShkfzjzY+BU30kyiVhP+iJctfpWr7wlEp8GchteX2RumBRxAsBg2
	rw6cXdQ9PHo6ykf0nQpwVeiiq2x4ccs4AEWqWkkYVtc9cAECQQDjv0x8USMOr83f
	rD8Egx/c3Os8fDjn7Bq+YKRxuU/qdgqsSAISIMiEWh8h3l+eHDJDmZAF5u2D9FC9
	mYT8PYtRAkEA46dDSsM7b5yOt6WQO+YyfU968KEDP1rX41davnWh7lbwvuiJIlnJ
	PhZ2rysJY8qs2+r+GAJQTSl7LDwSRcduQQJBANRTJZCE6EUp+6p64ClpwcvcHmc+
	fKMjyG8SlFz94hZ5REwHuf6Cl85kYr/lnIlASlAhm1cVSvwJSzjoJkYvbnECQQDD
	Dnio4VjWy+S408IeoKGYHvauoLcgnJyn7RwSXsYNai7C1IlThmzYpvSwKAbWmzy6
	/cETH0BgrO8duqbJZRRBAkAOSOOGHC137WzOwx20iTpqciX8Ir2mOvGMWW8Wd/9p
	yglapIxq3Hd0cGdIxbqHZpSmN7mkUbgfgvYVlH9fW8lz
	-----END RSA PRIVATE KEY-----

(2) Modify the relevant FreeSWITCH configuration

  • Edit internal.xml
	[root@254 ssl.ca-0.1]# vim /usr/local/freeswitch/conf/sip_profiles/internal.xml
	Set wss-binding; the default is 7443 and can be changed.

	Running this command shows the port WSS is bound to:
	[root@254 ssl.ca-0.1]# fs_cli -x 'sofia status profile internal' | grep WSS-BIND-URL
	WSS-BIND-URL     	sips:[email protected]:7443;transport=wss

  • Edit vars.xml
	[root@254 ssl.ca-0.1]# vim /usr/local/freeswitch/conf/vars.xml
	Set the following parameters:
	
    
After making the changes, restart FreeSWITCH and then run the following commands:

	[root@localhost ssl.ca-0.1]# fs_cli
	...
	...

	+OK log level  [7]
	[email protected]> reloadxml

Using the self-signed certificate in the web project


Here we use the three files generated earlier: server.crt, server.csr and server.key.

1. Convert the self-signed certificate into tomcat.p12

	[root@localhost ssl.ca-0.1]# openssl pkcs12 -export -in /usr/local/server/software/ssl.ca-0.1/server.crt -inkey /usr/local/server/software/ssl.ca-0.1/server.key -out /usr/local/server/software/ssl.ca-0.1/tomcat.p12

2. Reference the keystore in the Spring Boot project to serve HTTPS

	# Keystore path; set it for your environment (absolute path). The file can also be kept inside the project; search Baidu for how to do that.
	server.ssl.key-store=/usr/local/server/tomcat.p12
	# keystore password
	server.ssl.key-store-password=111111
	server.ssl.keyStoreType=PKCS12
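The whole pipeline from this page in one script, as an added example that is not part of the original post or of the ssl.ca-0.1 scripts: root CA, CA-signed server certificate, the concatenated wss.pem FreeSWITCH expects and the tomcat.p12 for Spring Boot, built with plain openssl using SHA-256, 2048-bit keys and a subjectAltName, followed by the checks worth running before deploying. It assumes openssl is on PATH; WORKDIR, SERVER_NAME, P12_PASS and the DN values are placeholders.

```shell
# Added example, not part of the original post or of the ssl.ca-0.1 scripts: the same
# CA -> server certificate -> wss.pem -> tomcat.p12 pipeline with plain openssl, using
# SHA-256, 2048-bit keys and a subjectAltName, plus the checks to run before deploying.
# WORKDIR, SERVER_NAME, P12_PASS and the DN values are placeholders (assumptions).
WORKDIR="${WORKDIR:-./fs-certs}"
SERVER_NAME="${SERVER_NAME:-localhost}"   # the host name WebRTC clients will connect to
P12_PASS="${P12_PASS:-changeit}"          # becomes server.ssl.key-store-password
DN="/C=CN/ST=JIANGSU/L=NANJING/O=HY/OU=HY"

make_wss_pem() (
    set -e
    mkdir -p "$WORKDIR" && cd "$WORKDIR"
    # 1. Root CA. The key is left unencrypted so the run is non-interactive;
    #    ./new-root-ca.sh in the post protects ca.key with a pass phrase, which is better.
    openssl req -new -newkey rsa:2048 -nodes -subj "$DN/CN=HY Root CA" \
        -keyout ca.key -out ca.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
        -extfile ca.ext -out ca.crt 2>/dev/null
    # 2. Server key + CSR (./new-server-cert.sh) and CA signature (./sign-server-cert.sh).
    #    The SAN matters: browsers no longer accept a host name that appears only in CN.
    openssl req -new -newkey rsa:2048 -nodes -subj "$DN/CN=$SERVER_NAME" \
        -keyout server.key -out server.csr 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$SERVER_NAME" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile server.ext -out server.crt 2>/dev/null
    # 3. FreeSWITCH reads certificate then key from one PEM; Spring Boot wants PKCS#12.
    cat server.crt server.key > wss.pem
    chmod 600 server.key wss.pem
    openssl pkcs12 -export -in server.crt -inkey server.key \
        -passout "pass:$P12_PASS" -out tomcat.p12 2>/dev/null
)

# Returns 0 only if the certificate in wss.pem chains to ca.crt AND its public key
# matches the private key stored after it (pasting the wrong key is the usual mistake).
verify_wss_pem() {
    pem="$WORKDIR/wss.pem"
    openssl x509 -in "$pem" | openssl verify -CAfile "$WORKDIR/ca.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$pem" -noout -pubkey)" = "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" ]
}

# Returns 0 if wss.pem is still valid DAYS days from now. The post's certificate lives
# 365 days, so schedule this check before the WSS listener stops accepting browsers.
valid_for_days() {
    openssl x509 -in "$WORKDIR/wss.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null
}
```

Run `make_wss_pem` once, then copy wss.pem over the FreeSWITCH certificate and tomcat.p12 to the path in server.ssl.key-store; the two check functions are safe to run from cron on the deployed files.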

This section covered how to configure HTTPS for FreeSWITCH with a self-signed certificate; the next section will show how to build a softphone with SIP.JS.


References:
  • https://blog.csdn.net/u013944791/article/details/73551253
  • https://blog.csdn.net/medivhq/article/details/51188242
  • https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates
