proto_wss Module

OpenSIPS Project

Edited by

Razvan Crainea


Table of Contents

1. Admin Guide
1.1. Overview
1.2. Dependencies
1.2.1. OpenSIPS Modules
1.2.2. Dependencies of external libraries
1.3. Exported Parameters
1.3.1. listen=interface
1.3.2. wss_port (integer)
1.3.3. wss_max_msg_chunks (integer)
1.3.4. wss_resource (string)
1.3.5. wss_handshake_timeout (integer)
2. Frequently Asked Questions

List of Examples

1.1. Set listen variable
1.2. Set wss_port variable
1.3. Set wss_max_msg_chunks parameter
1.4. Set wss_resource parameter
1.5. Set wss_handshake_timeout parameter

Chapter 1. Admin Guide

1.1. Overview

The WSS (Secure WebSocket) module provides the ability to communicate with a WebSocket (RFC 6455) client or server over a secure (TLS encrypted) channel. As part of the WebRTC specifications, this protocol can be used to provide secure VoIP calls to HTTPS enabled browsers.

This module behaves as any other transport protocol module: in order to use it, you must define one or more listeners that will handle the secure WebSocket traffic, after the mpath parameter:

...
mpath=/path/to/modules
...
listen=wss:10.0.0.1			# change with the listening IP
listen=wss:10.0.0.1:5060	# change with the listening IP and port
...

Besides that, you need to define the TLS parameters for securing the connection. This is done through the tls_mgm module interface, similar to the proto_tls module:

modparam("tls_mgm", "certificate", "/certs/biloxy.com/cert.pem")
modparam("tls_mgm", "private_key", "/certs/biloxy.com/privkey.pem")
modparam("tls_mgm", "ca_list", "/certs/wellknownCAs")
modparam("tls_mgm", "tls_method", "tlsv1")
modparam("tls_mgm", "verify_cert", "1")
modparam("tls_mgm", "require_cert", "1")

Check the tls_mgm module documentation for more info.

1.2. Dependencies

1.2.1. OpenSIPS Modules

The following modules must be loaded before this module:

  • tls_mgm.

1.2.2. Dependencies of external libraries

OpenSIPS TLS v1.0 support requires the following packages:

  • openssl or libssl >= 0.9.6

  • openssl-dev or libssl-dev

OpenSIPS TLS v1.1/1.2 support requires the following packages:

  • openssl or libssl >= 1.0.1e

  • openssl-dev or libssl-dev

1.3. Exported Parameters

All these parameters can be used from the opensips.cfg file, to configure the behavior of OpenSIPS-WSS.

1.3.1. listen=interface

This is a global parameter that specifies what interface/IP and port should handle WSS traffic.

Example 1.1. Set listen variable

...
listen = wss:1.2.3.4:44344
...
				

1.3.2. wss_port (integer)

The default port to be used for all WSS related operation. Be careful as the default port impacts both the SIP listening part (if no port is defined in the WSS listeners) and the SIP sending part (if the destination WSS URI has no explicit port).

If you want to change only the listening port for WSS, use the port option in the SIP listener defintion.

Default value is 443.

Example 1.2. Set wss_port variable

...
modparam("proto_wss", "wss_port", 44344)
...
				

1.3.3. wss_max_msg_chunks (integer)

The maximum number of chunks in which a SIP message is expected to arrive via WSS. If a received packet is more fragmented than this, the connection is dropped (either the connection is very overloaded and this leads to high fragmentation - or we are the victim of an ongoing attack where the attacker is sending very fragmented traffic in order to decrease server performance).

Default value is 4.

Example 1.3. Set wss_max_msg_chunks parameter

...
modparam("proto_wss", "wss_max_msg_chunks", 8)
...

1.3.4. wss_resource (string)

The resource queried for when a WebSocket handshake is initiated.

Default value is /.

Example 1.4. Set wss_resource parameter

...
modparam("proto_wss", "wss_resource", "/wss")
...

1.3.5. wss_handshake_timeout (integer)

This parameter specifies the time in milliseconds the proto_wss module waits for a WebSocket handshake reply from a WebSocket server.

Default value is 100.

Example 1.5. Set wss_handshake_timeout parameter

...
modparam("proto_wss", "wss_handshake_timeout", 300)
...

Chapter 2. Frequently Asked Questions

2.1.

Does OpenSIPS support fragmented Secure WebSocket messages?

No, the WebSocket fragmentation mechanism is not supported.