InnovateAsterisk / Browser-Phone

A fully featured browser based WebRTC SIP phone for Asterisk
https://www.innovateasterisk.com
GNU Affero General Public License v3.0

browser phone with wss #168

Open edimondi opened 3 years ago

edimondi commented 3 years ago

Hi, I am trying to use Browser Phone with wss, or TLS if it's better, but for some reason I can't make it work. I am using it now with ws and I am not sure if the connection is secure with ws. Thanks.

InnovateAsterisk commented 3 years ago

Although Asterisk has the option of a ws (http) or wss (tls) connection to its http service, any modern browser will not allow getUserMedia() (basically to capture your microphone) without https, and since the container page would be https/tls, the websocket connection will also have to be wss. Basically the only option is to use wss for browser phone functionality; ws is simply not going to work, and no, ws is not secure.

edimondi commented 3 years ago

In Browser Phone the websocket path I have is /ws, and it is not working with /wss, but I am using Browser Phone with https, so I don't know why /ws is working over https. Added contact 'sip:66e5qhps@myip:2238;transport=ws as you can see it's /ws. I also set transport = 0.0.0.0-wss on the extension, but it still says that I am using /ws.

InnovateAsterisk commented 3 years ago

The path does not determine the protocol. It only refers to the location of the web socket service on the server. With Asterisk, it's only (hard coded) at /ws.

If you type > http show status in Asterisk it will show you:

HTTP Server Status:
Prefix: 
Server: Asterisk/certified/16.8-cert3
Server Enabled and Bound to 0.0.0.0:8080

Enabled URI's:
/httpstatus => Asterisk HTTP General Status
/ws => Asterisk HTTP WebSocket

Enabled Redirects:
  None.

As you can see above, the path to the websocket is /ws.

In my example above, you can also see that (in this case) my server is hosting this location as http on port 8080, and that I don't have TLS enabled... but that's because I have this Asterisk box behind a load balancer, and the load balancer is terminating my TLS connections and proxying the non-TLS connection into Asterisk. I have recently done a video on how to do that:

https://www.innovateasterisk.com/s2e1-webrtc-reverse-proxy/

(For simplicity, and testing, this proxy step isn't necessary)

InnovateAsterisk commented 3 years ago

> Added contact 'sip:66e5qhps@myip:2238;transport=ws

Yeah, it's a bit annoying, that... it seems Asterisk is sort of just saying ws websocket... it isn't really specifying the protocol.

edimondi commented 3 years ago

In the Browser Phone console network tab I see this: Request URL: wss://mydomain:8089/ws. Is this saying that I am using /wss? Thanks

InnovateAsterisk commented 3 years ago

The request URL is much like a regular web site URL, in that wss://mydomain:8089/ws is made up of: the protocol wss://, the address mydomain with its port (if omitted, it will use the default for the protocol), and then finally the server path /ws that would specify the exact resource you are looking for.

As an interesting quirk, you can actually test your web socket url in your browser address bar, however if you try:

wss://mydomain:8089/ws

in Chrome address bar, Chrome will give you a protocol error, but if you change it to:

https://mydomain:8089/ws

Chrome will attempt the connection, but of course the server will fail to connect since it will be expecting to be upgraded to websocket.

edimondi commented 3 years ago

I am connecting to Browser Phone with https. Now I am not sure if my connection is secure, because I don't know how to verify that my connection is secure.

InnovateAsterisk commented 3 years ago

With Developer Tools open, tab over to security, all the certificate details are there including validation of the certificate.

edimondi commented 3 years ago

Yes, there is a certificate, but is the connection secure between Browser Phone and Asterisk?

InnovateAsterisk commented 3 years ago

Well, if you can test the connection with https://... then when you establish a web socket connection to the same server via wss://... then the connection is secure.

Also, modern browsers are not allowed to make non-secure web socket connections if the parent page is secure.

And then, finally, the last check you can do is to open Wireshark and trace the connection out. You will not be able to read the data transmitted inside the packet, but the connection handshake will be visible, and the very fact that the data is encrypted is your proof.
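
The points made in the replies above (the scheme, not the /ws path, decides whether the socket is encrypted; a secure page cannot open a non-secure socket; the https:// form of the URL can be tried in the address bar) can be checked with a small helper. This is an added example, not part of the thread or of Browser Phone's code; the name describeSocketUrl, the page URL and port 8088 are constructed for illustration, and the blocking rule is the simplified one stated in the thread.

```javascript
// Added example (not Browser Phone code): decompose a WebSocket URL and apply
// the checks discussed in this thread. Runs in a browser console or in Node.
const DEFAULT_PORTS = { 'ws:': 80, 'wss:': 443 };

function describeSocketUrl(pageUrl, socketUrl) {
  const page = new URL(pageUrl);
  const sock = new URL(socketUrl);
  if (!(sock.protocol in DEFAULT_PORTS)) {
    throw new TypeError('not a WebSocket URL: ' + socketUrl);
  }
  // Only the scheme says whether TLS is used; the path is just a location.
  const encrypted = sock.protocol === 'wss:';
  return {
    scheme: sock.protocol.slice(0, -1),
    host: sock.hostname,
    // An omitted port falls back to the default for the scheme.
    port: sock.port ? Number(sock.port) : DEFAULT_PORTS[sock.protocol],
    path: sock.pathname,
    encrypted,
    // Simplified rule from the thread: an https page may not open ws://.
    blockedFromPage: page.protocol === 'https:' && !encrypted,
    // Same host, port and path with the http(s) scheme, for the address bar.
    probeUrl: (encrypted ? 'https://' : 'http://') + sock.host + sock.pathname,
  };
}

// Constructed sample input: the request URL from the thread, plus a
// hypothetical non-TLS variant, both opened from a hypothetical https page.
const PAGE = 'https://mydomain/phone/';
for (const url of ['wss://mydomain:8089/ws', 'ws://mydomain:8088/ws']) {
  const d = describeSocketUrl(PAGE, url);
  console.log(url, '-> path', d.path, '| encrypted:', d.encrypted,
              '| blocked from https page:', d.blockedFromPage);
}
```

Both sample URLs report the same /ws path; only the first is encrypted and usable from an https page.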

edimondi commented 3 years ago

I captured with Wireshark and there was nothing in the Telephony->VoIP Calls tab, and the RTP Stream was also empty, so it looks like it's secure.