The Woes of TLS Certificates and WebRTC

TLS certificates and their management are something we take for granted every day when we visit a website. If you sit down and try to explain to someone how it all fits together, however, it is quite easy to overwhelm them. It is complicated, but it is the foundation of many things. This applies to WebRTC as much as to websites: TLS certificates are used there too, in several different capacities, and this has required WebRTC developers and users to learn about TLS certificates as well.


HTTPS

In order to use WebRTC you have to serve a web page with JavaScript code that uses the WebRTC APIs the browser makes available. For some time now browsers have required that this page be delivered over an HTTPS connection, which requires a TLS certificate. With the creation of Let’s Encrypt this has become easier to manage and deploy: instead of having to go to a certificate authority directly and pay, you can have a certificate issued automatically for free.

Websockets

Signaling has been left undefined by the WebRTC standards. What is very common across implementations, though, is the use of WebSockets for talking to the server in a bidirectional fashion. As these WebSocket connections run over HTTPS (wss), they too require a TLS certificate to be in place.

DTLS

DTLS is used by WebRTC to secure the media that is flowing. TLS certificates are required on both sides, and the result of the DTLS negotiation is used to key the RTP media. Browsers create ephemeral certificates in the background themselves and use those. Up until now Asterisk has not done this; it has required explicit configuration of TLS certificates.

Asterisk 15

While we do not have Let’s Encrypt support within Asterisk, we now have ephemeral DTLS certificate creation of our own. As of Asterisk 15 there is a new option, “dtls_auto_generate_cert”, in PJSIP which can be used to turn on ephemeral DTLS certificate support. This was contributed by community member Sean Bright and is a welcome addition for many. If enabled, you no longer need to provide a certificate in the DTLS options. A certificate will be created in the background and used.
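As an added illustration (not configuration from the post itself), here is a pjsip.conf endpoint configured the old way with explicit certificate files next to the same endpoint using the new option. The endpoint names and file paths are placeholders; the remaining options are standard pjsip.conf endpoint options.

```ini
; pjsip.conf (added example, not from the post)

; Before Asterisk 15: the DTLS certificate had to be supplied explicitly.
; The endpoint name and key paths are placeholders.
[webrtc-client-old]
type=endpoint
media_encryption=dtls
dtls_cert_file=/etc/asterisk/keys/asterisk.pem   ; placeholder path
dtls_private_key=/etc/asterisk/keys/asterisk.key ; placeholder path
dtls_verify=fingerprint
dtls_setup=actpass
ice_support=yes
use_avpf=yes
rtcp_mux=yes

; Asterisk 15 and later: let Asterisk create an ephemeral certificate
; in the background, as browsers do. No dtls_cert_file or
; dtls_private_key is needed.
[webrtc-client]
type=endpoint
media_encryption=dtls
dtls_auto_generate_cert=yes
dtls_verify=fingerprint   ; the generated cert is self-signed, so the
                          ; peer is authenticated only by matching the
                          ; a=fingerprint attribute exchanged in SDP;
                          ; keep fingerprint verification enabled
dtls_setup=actpass
ice_support=yes
use_avpf=yes
rtcp_mux=yes
```

This option only covers the DTLS certificate for media; the certificate used for the HTTPS and WSS signaling side is configured separately (tlscertfile and tlsprivatekey in http.conf) and still has to be provisioned, for example from Let’s Encrypt.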
