Setting up Kamailio with Secured Websocket
This article covers setting up the Kamailio SIP server with secure WebSocket (WSS) support on an Ubuntu 14.04 LTS machine. I would like to keep it minimal (no authentication, MySQL support), just enabling WebSocket and secure WebSocket as transport protocols.
Build Kamailio
- Download the latest Kamailio source. I used kamailio-4.4.2.
- Untar the source and go to the Kamailio source folder. For me the path was /usr/local/src/kamailio-4.4.2. However, you can put it in any path.
- Execute the commands below to install the required packages. These packages are used by Kamailio internally.
- sudo apt-get install flex
- sudo apt-get install bison
- sudo apt-get install libxml++2.6-dev
- sudo apt-get install libncurses5-dev
- sudo apt-get install libpcre3-dev
- Now execute the commands below to build Kamailio as per our requirement.
- make proper
- make PREFIX="/usr/local/kamailio-4.0" include_modules="db_auth tls websocket" cfg
- make all
- make install
Well, you have now built Kamailio and can start using it. The kamailio executable and the default config files are under /usr/local/kamailio-4.0. By default, however, TLS and WebSocket are not enabled, so we need to enable them and add some specific configuration to make them work.
Kamailio now runs fine in UDP/TCP mode. You need to configure it for TLS and WebSocket. It is always a bit ambiguous which certificates are needed and how to generate the private key, certificates, CA list, etc. As we proceed, I will provide a bit more information.
Generate certificate, key and ca list.
- First, let's generate the TLS private key, certificates, etc. Create a folder kamailio-certs in /usr/local, and a ca folder inside kamailio-certs, so that the path is /usr/local/kamailio-certs/ca. Go to /usr/local/kamailio-certs/ca.
- Execute the commands below to get the paths and files ready.
- mkdir demoCA
- mkdir demoCA/private
- mkdir demoCA/newcerts
- touch demoCA/index.txt
- echo 01 >demoCA/serial
- echo 01 >demoCA/crlnumber
- To create the CA private key, execute the commands below.
- openssl genrsa -out demoCA/private/cakey.pem 2048
- chmod 600 demoCA/private/cakey.pem
- Now create the CA self-signed certificate.
- openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
- Now create the server / client certificate request and a private key (named privkey.pem).
- openssl req -out kamailio1_cert_req.pem -new -nodes
- Please note that you entered an organisation name while creating the CA certificate. You need to enter the same organisation name here. It is mandatory. Next you need to sign the newly generated certificate with the CA certificate.
- openssl ca -in kamailio1_cert_req.pem -out kamailio1_cert.pem
- Now copy the certificate kamailio1_cert.pem and privkey.pem to the Kamailio home folder (for me /usr/local/kamailio-4.0/etc/kamailio).
- This private key should never be shared with clients or other parties. With that, you are done with the private key and certificate.
- Next comes the CA list. Kamailio can either use the system's default CA list or a CA list that we create ourselves. If Kamailio uses the system's default CA list and the certificate generated here is a self-signed one, certificate verification will probably fail. To avoid that, we can create a CA list now.
- In my case, I found all the cacert.pem files and used the command cat cacert.pem >>calist.pem to prepare my own calist.pem. So I went to the / path and ran find -name cacert.pem. I got the output below.
./usr/share/abiword-3.0/certs/cacert.pem
./usr/local/kamailio-certs/ca/demoCA/cacert.pem
./usr/local/src/kamailio-4.2.3/etc/tls/rootCA/cacert.pem
./usr/local/src/openssl-1.0.2a/apps/demoCA/cacert.pem
./usr/local/src/openssl-1.0.2a/demos/cms/cacert.pem
./usr/local/src/openssl-1.0.2a/demos/smime/cacert.pem
./usr/local/src/kamailio-4.4.2/etc/tls/rootCA/cacert.pem
So I ran:
cat ./usr/share/abiword-3.0/certs/cacert.pem >>calist.pem
cat ./usr/local/kamailio-certs/ca/demoCA/cacert.pem >>calist.pem
cat ./usr/local/src/kamailio-4.2.3/etc/tls/rootCA/cacert.pem >>calist.pem
cat ./usr/local/src/openssl-1.0.2a/apps/demoCA/cacert.pem >>calist.pem
cat ./usr/local/src/openssl-1.0.2a/demos/cms/cacert.pem >>calist.pem
cat ./usr/local/src/openssl-1.0.2a/demos/smime/cacert.pem >>calist.pem
cat ./usr/local/src/kamailio-4.4.2/etc/tls/rootCA/cacert.pem >>calist.pem
Now copy calist.pem to the Kamailio home folder (/usr/local/kamailio-4.0/etc/kamailio/).
So in kamailio home folder, you have private key privkey.pem, certificate kamailio1_cert.pem and ca list calist.pem.
With these 3 files in place, you have completed certificate and key generation. Next we need to configure kamailio to make use of these key/cert files.
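Every certificate in calist.pem is a CA that Kamailio can accept as an issuer when it verifies a peer, so it is worth listing what the file actually contains and confirming that the server certificate chains to it and matches privkey.pem before editing tls.cfg. The script below is an added example, not part of the original article: its function names are hypothetical, and it runs against a throwaway CA and certificate that it constructs in a temporary directory (signed with openssl x509 -req rather than the openssl ca step above).

```bash
#!/usr/bin/env bash
# Added example (not from the article). Function names are hypothetical.

# One "subject=" line per certificate in a PEM bundle such as calist.pem.
list_cas() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep '^subject'
}

# Succeeds only if certificate $2 verifies with bundle $1 as the CA file
# (openssl may additionally consult its default CA directory).
chains_to_list() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if private key $1 and certificate $2 hold the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
      "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# Constructed sample input: a throwaway CA and server certificate in a temp
# directory, named like the article's files. Signing uses "openssl x509 -req"
# instead of the article's "openssl ca" so no demoCA directory is needed.
make_sample() {
    local d; d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Org/CN=Example CA ${d##*/}" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=sip.example.test" \
        -keyout "$d/privkey.pem" -out "$d/req.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/req.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -out "$d/kamailio1_cert.pem" >/dev/null 2>&1
    cp "$d/cacert.pem" "$d/calist.pem"   # trust list holding only our own CA
    echo "$d"
}

d=$(make_sample)
list_cas "$d/calist.pem"
chains_to_list "$d/calist.pem" "$d/kamailio1_cert.pem" && echo "certificate chains to calist.pem"
key_matches_cert "$d/privkey.pem" "$d/kamailio1_cert.pem" && echo "privkey.pem matches certificate"
```

Point the three functions at the real calist.pem, kamailio1_cert.pem and privkey.pem; any subject printed by list_cas that you do not recognise is a CA the server would trust.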
The kamailio.cfg file includes tls.cfg. In tls.cfg, just modify 3 lines to point to the generated key and certificate files, as shown below.
private_key = /usr/local/kamailio-4.0/etc/kamailio/privkey.pem
certificate = /usr/local/kamailio-4.0/etc/kamailio/kamailio1_cert.pem
ca_list = /usr/local/kamailio-4.0/etc/kamailio/calist.pem
Next, kamailio.cfg needs to be modified. You need to specify the server IP and the listening ports, and make changes in many places for WebSocket support. I am not going to explain each and every change; instead, below I am providing the links to kamailio.cfg, tls.cfg and scripts to start/stop/restart Kamailio. You can use these config files / scripts directly.
That's all. Now you can start the Kamailio server with the command kamailio -f kamailio.cfg -m 8192 -M 16.