Skip to main content



WebRTC provides Real-Time Communications directly from better web browsers and devices without requiring plug-ins such as Adobe Flash nor Silverlight. WebRTC always operates in secure mode.FreeSWITCH provides a WebRTC portal to its public conference bridge to demonstrate the possibilities for handling telephony via a web page; join us for our weekly conference calls.

The process for configuring FreeSWITCH with WSS certificates is the same whether for use with classic WebRTC or the FreeSWITCH Verto endpoint.

Click to expand Table of Contents


The configuration for Secure Web Sockets is slightly different than for TLS over SIP. This guide covers WSS certificate setup.

Debian 7 (Wheezy)

Install Debian 7 (Wheezy) minimal.

Building FreeSWITCH


apt-get install git build-essential automake autoconf libtool wget python zlib1g-dev libjpeg-dev libncurses5-dev libssl-dev libpcre3-dev libcurl4-openssl-dev libldns-dev libedit-dev libspeexdsp-dev libspeexdsp-dev libsqlite3-dev apache2

cd /usr/src/
git clone

cd freeswitch
./ -j
./configure -C
make install cd-sounds-install cd-moh-install
mkdir -p /usr/local/freeswitch/certs

edit /usr/local/freeswitch/conf/sip_profiles/internal.xml
# Set these params and save the file:
<param name="tls-cert-dir" value="/usr/local/freeswitch/certs"/>
<param name="wss-binding" value=":7443"/>

If behind N.A.T. make sure to set the ext-sip-ip and ext-rtp-ip in vars.xml to the public IP address of your FreeSWITCH.

If talking to clients both inside and outside the N.A.T. you must set the local-network-acl, and prefix the ext-sip-ip and ext-rtp-ip to autonat:X.X.X.X

Install Certificates

Layout of /usr/local/freeswitch/certs/wss.pem:


Cert, Key and Chain(s) are all contained in a single file in this order:


Start FreeSWITCH

/usr/local/freeswitch/bin/freeswitch -ncwait

Once started execute:

fs_cli -x 'sofia status profile internal' | grep WSS-BIND-URL

If you get output then your wss on FreeSWITCH is setup correctly.

Setting up Apache:

a2enmod ssl


(Configure your certificates/chain/keys per standard https docs; this is beyond the scope of this document so not covered here.)

Now verify your certs using

Verify the hostname and hostname:7443 so you can verify that your certificate chain is intact.


Notes captured from the freeswitch-users mailing list:

From: Dan Edwards
Sent: Monday, 01 February, 2016 09:35
Subject: Re: [Freeswitch-users] WebSocket behind NGINX

I'm also running behind Nginx and what I found worked was to proxy to the actual IP address ( vs., then explicitly removing from the localnet ACL in acl.conf. I had to remove from localnet so FS will offer external IP addresses for RTP.

-----Original Message-----

From: Anton
Sent: Saturday, January 30, 2016 2:20 PM
Subject: [Freeswitch-users] WebSocket behind NGINX

Hello All,

I have to proxy all websocket requests though a nginx server. Right now I am using next configuration:

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;

server {
listen 443;

ssl on;
ssl_certificate /etc/nginx/cert.pem;
ssl_certificate_key /etc/nginx/private.key;

location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 86400s;

access_log /var/log/nginx/wss_access;
error_log /var/log/nginx/wss_error debug; }

I dumped traffic from nginx and found out that "switching protocol"
phrase was successful but INVITE message from my browser in pending state.
Maybe FreeSWITCH wants real IP not loopback? Who have faced with similar problem?


A quick how to from bkw (Brian K. West):


# Create certificates:

tar zxfv
perl -i -pe 's/md5/sha256/g' *.sh
perl -i -pe 's/1024/4096/g' *.sh
cat > /usr/local/freeswitch/certs/wss.pem

# Setup Apache:

# default-ssl:

SSLCertificateFile /usr/local/freeswitch/certs/wss.pem
SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem

# Setup Sofia TLS:

cat > /usr/local/freeswitch/certs/agent.pem
cat ca.crt > /usr/local/freeswitch/certs/cafile.pem

# vars.xml:

<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
<X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>

# Restart FreeSWITCH.

## Now make sure your system has ca.crt imported so it will trust your new found hotness.


openssl s_client -connect
openssl s_client -connect
openssl s_client -connect
openssl s_client -connect

# Depending on what you've setup you'll see:

subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web Server/
issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang Bang/OU=Certification Services Division/CN=WBB Root CA/

# Or there abouts.


The latest version of Freeswitch should automatically generate self-signed certificates. However, self-signed certs often don't work very well, since you will need to induce the prompt to allow an untrusted certificate. You should use a trusted certificate, just as you would your website. If you take your WebRTC url, such as <wss://> and change it to you can visit it in the browser and give it a permanent exception. On macOS and Windows you may import the ca.crt into your trust store.


If you see the following:

Profile Error

[ERR] sofia.c:2855 Error Creating SIP UA for profile: external (sip:host@;maddr=;transport=udp,tcp) ATTEMPT 1 (RETRY IN 5 SEC)

The likely causes for this are:

1) Another application is already listening on the specified address.

2) The IP address to which the profile is attempting to bind is not local to this system.

There could be a certificate problem and the wss directive will cause the whole profile to fail.


Now Proceed to configure sipjs/sipml5.



If you want you can use Opus codec for high audio quality. If you do, be careful with testing with software SIP clients, because SIP clients which implement it according to the RFC's are currently rare (possibly non-existent). You'd better call between two WebRTC peers. If you for example want to use Jitsi, my current experience is that you can call with Jitsi with the Opus codec to Freeswitch (probably because Freeswitch accepts the not 100% correct SDP sent by Jitsi), but when Freeswitch originates a call it won't work.

Use this to see if ws and wss work:

sofia status profile internal


WebRTC Glossary

Test firewall for proper WebRTC ports