WebRTC and SIP Over WebSockets
Get started quickly
- Install the repro SIP proxy using the packages from Debian or another Linux distribution like Fedora or Ubuntu.
- Set these options in repro.config:
AssumePath = true DisableOutbound = false EnableFlowTokens = true
- For local testing, you can use regular HTTP (no TLS) on any port, if you do this, it is necessary to set the record route URI to your host or domain name (not IP):
WSPort = 80 RecordRouteUri = sip:example.org
- For production use, it is significantly more reliable to use TLS, this will ensure that the websocket connection can pass through HTTP proxy servers
Transport1Interface = 192.168.1.106:443 Transport1Type = WSS Transport1TlsDomain = sip-ws-server.example.org Transport1TlsClientVerification = None Transport1RecordRouteUri = sip:example.org;transport=WS Transport1TlsCertificate = /etc/ssl/ssl.crt/sip-ws-server.example.org-bundle.pem Transport1TlsPrivateKey = /etc/ssl/private/sip-ws-server.example.org-key.pem
- Notice the domains in the TLS example:
- clients will be configured (in JSCommunicator or whatever client you use) to connect to sip-ws-server.example.org. The server will present a TLS certificate containing the name sip-ws-server.example.org to satisfy the security expectations of the WebSocket client.
- the SIP messages will simply contain the name example.org and only example.org is used in the RecordRouteUri parameter. This is important.
draft-ietf-sipcore-sip-websocket defines a way to use WebSockets formally as a transport for SIP. It is not possible to simply view the WebSocket as a tunnel and pass SIP messages through them. Specfically, SIP user agents and proxies must behave slightly differently when WebSockets is used instead of UDP or TCP, and the draft specifies what this means in practice. Code for implementing this protocol was developed on a branch and has subsequently been merged into the trunk for eventual release in reSIProcate 1.9.
NAT busting: living the dream
- NAT has always been a pain for SIP
- WebRTC offers great hope for NAT busting, by masquerading as HTTP and HTTPS traffic and getting relayed by HTTP proxies
- running a SIP proxy WebSocket server on port 443 makes it look like a real HTTPS server and allows end users to reach it from almost anywhere
- the reSIProcate SIP proxy, repro, can listen on port 443 and talk WebSockets over TLS
- for media relay to traverse NAT, it is also necessary to use a TURN server on port 443
- the reSIProcate TURN server, reTurn, can listen on port 443
- Unresolved issues:
- it is also necessary for the TURN client to use secure TURN (TURNS) over port 443. This is not yet implemented in Google Chrome - bug tracker link
reSIProcate and WebRTC
- WebRTC specifies that ICE/STUN/TURN support is mandatory in user agents/end-points. The reTurn server project and the reTurn client libraries from reSIProcate can fulfil this requirement.
- WebRTC requires some mechanism for finding peers and initiating calls. SIP over WebSockets, interacting with a repro proxy server can fulfill this task.
Current support for WebSockets
- There is support for using cookies from the browser for authentication and routing decisions
- Using options like EnableFlowTokens or full Outbound flow tokens is essential
- Available in trunk and the upcoming reSIProcate v1.9.0 release, beta tarballs and packages are currently available
- Was developed on the b-webrtc feature branch
Outstanding issues for a stable release
- audit the security and resilience of parser code (e.g. against DoS attacks), as it is likely to be exposed to the hostile environment of the public internet
- WS parser must reject frames with unknown extensions (currently they are just logged)
- compatibility tests
- make a list of products to test against
- unit tests
- develop some unit tests for the new WS code
- check hardcoded df7jal23ls0d.invalid
- ifdef USE_SSL for WS code
- checking the type of frame
- handling ping/pong frames?
- keep alive mechanisms
- SIP CRLF keep-alive over WS
- frame and WS Message size checking
- allocating larger buffer if necessary when receiving a big frame
- sizing the WS Message unit buffer in advance to avoid resizing issues
- must insert Content-Length header if relaying a message from WS to TLS, as WS does not mandate the client includes ContentLength
- dealing with WS/WSS distinction in different contexts (e.g. no WSS in a SIP URI transport parameter, see email on list)
- Nice to have (not mandatory for release)
- support WS connections relayed from an Apache server
- SIP over WebSocket client implementation
- better implementation of the WS message unit abstraction
- allowing the via received parameters to be suppressed (as per SIP over WS spec) to hide network topology
- JSCommunicator can be easily embedded into any static HTML or CMS framework
- DruCall WebRTC module for Drupal
WebRTC capable browsers
- The SIP client must be hosted on a web server, any regular Apache instance is fine for this