Chrome/Firefox initiates a call to SIP via WebRTC

The newly released miniSIPServer (V70 build 20250402) supports an interesting feature: you can use a WebRTC-compatible browser (such as Chrome, Firefox, etc.) to make calls through miniSIPServer to devices within the SIP domain, including IP phones, gateways and other endpoints. The network topology is shown in the figure below:

The audio stream is transmitted via DTLS-SRTP with end-to-end encryption and interconnected with miniSIPServer. Currently, only voice calls are supported; video calls are not available.

The web side adopts a simplified signaling protocol (MCCP, miniSIPServer Call Control Protocol) for call control, and interconnects with miniSIPServer via encrypted WebSocket connections (WSS, WebSocket Secure). Currently, only calls initiated from the Web domain to the SIP domain are supported; reverse calls from the SIP domain to the Web domain are not available.

Simply enter the following URL in the browser to initiate a call to the SIP domain (for example, extension 100 calling extension 101):

https://www.myvoipapp.com/miniwebphone2/lite.html?server=192.168.3.70&clr=100&pwd=100&cld=101

The URL adopts a command-line-like format, with each parameter explained as follows:

  • https://www.myvoipapp.com/miniwebphone2/lite.html is a simple webpage. After being loaded in a browser, it can establish a WSS connection with the specified miniSIPServer server and initiate calls. You may download this webpage along with its related resources to your local device or a local web server; calls can also be initiated normally by opening the local file in a browser.
  • server specifies the address of the miniSIPServer. The miniSIPServer must have successfully loaded the certificate and private key, and enabled the WSS service. By default, miniSIPServer always runs the WSS service on TCP port 5062.
  • clr specifies the caller number for initiating a call. This number must be a valid extension number assigned on miniSIPServer.
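  • pwd is the caller's authentication password, i.e. the password configured for the corresponding extension in miniSIPServer. miniSIPServer authenticates calls by verifying the combination of caller number and password. Only authenticated calls are allowed to connect; otherwise, the call will be rejected directly by miniSIPServer. Because the password is part of the page URL, it is kept in browser history and, when lite.html is loaded from a web server, it is sent to that server in the request; opening a local copy of the page, as described above, avoids sending it to a third-party host.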
  • cld indicates the called number, which can be a local extension number or an outbound dialing number.

The audio stream is transmitted over DTLS-SRTP with end-to-end negotiation and encryption, requiring no additional configuration on miniSIPServer.

To enable the WSS service and accept MCCP call messages from browsers, miniSIPServer only requires a certificate and private key to be configured.

miniSIPServer has the following requirements: (1) Certificates and private keys must be stored in the wrtcCert subdirectory under the application data directory; (2) Files must be in PEM format; (3) The certificate must be named server.crt and the private key must be named server.key. For example, on Linux systems, these two files should be located as follows:

$HOME/.minisipserver/wrtcCert/server.crt
$HOME/.minisipserver/wrtcCert/server.key

If the certificate and private key are loaded successfully, miniSIPServer will start the WSS service and display the following message:

start WSS service

If using a self-signed certificate, be sure to allow the self-signed certificate to be loaded in browsers such as Chrome and Firefox.
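A pre-flight check for the three file requirements above, as an added example (not miniSIPServer's own code). The function name is hypothetical, and the permission check on server.key is an assumption added here, not a requirement stated on this page.

```python
import os
import ssl
import stat
from pathlib import Path

PEM_HEADER = b"-----BEGIN "

def check_wrtc_cert_dir(app_data_dir):
    """Return a list of problems with <app_data_dir>/wrtcCert; [] means OK."""
    cert_dir = Path(app_data_dir) / "wrtcCert"
    cert, key = cert_dir / "server.crt", cert_dir / "server.key"
    problems = []
    for path in (cert, key):
        if not path.is_file():
            problems.append(f"missing: {path.name}")
        elif PEM_HEADER not in path.read_bytes():
            problems.append(f"not PEM: {path.name}")
    if problems:
        return problems
    # Assumption (not from the page): the private key should not be
    # accessible to group or other users.
    if os.name == "posix" and key.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("server.key is accessible to group/other")
    # load_cert_chain() parses both files and verifies that the private key
    # belongs to the certificate.
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(str(cert), str(key))
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append(f"certificate/key rejected: {exc}")
    return problems

if __name__ == "__main__":
    app_dir = Path.home() / ".minisipserver"  # Linux location given above
    for line in check_wrtc_cert_dir(app_dir) or ["OK"]:
        print(line)
```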

miniSIPPhone V26.1

miniSIPPhone V26.1 has been released recently. It primarily includes the following key features and modifications:

1. Support DTLS-SRTP

After miniSIPServer added support for DTLS-SRTP, we updated miniSIPPhone to enable encrypted voice stream transmission via DTLS-SRTP. When deploying enterprise communication networks, especially those involving external public cloud systems, we fully implement high-strength encryption for both signaling and media to ensure the security of enterprise communications.

In both miniSIPServer and miniSIPPhone, we have uniformly implemented the following restrictions for DTLS-SRTP:

(1) DTLS must be DTLSv1.2 or above.

(2) The encryption suite is fixed to SRTP_AES128_CM_SHA1_80. Although the specification defines several encryption suites, we use the highest-strength encryption and do not support negotiating other encryption suites.

(3) The fingerprint always uses the SHA-256 hash; SHA-1 and other hash algorithms are not supported.
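The three restrictions above written as a check over negotiated values, as an added example (not miniSIPServer or miniSIPPhone code). Function names and sample inputs are constructed here; the DTLS version numbers and the use_srtp extension layout follow RFC 6347 and RFC 5764.

```python
import re
import struct

# Wire values: DTLS version numbers count downwards (RFC 6347), so
# "DTLSv1.2 or above" means a value numerically <= 0xFEFD.
DTLS_1_0, DTLS_1_2 = 0xFEFF, 0xFEFD
SRTP_AES128_CM_SHA1_80 = 0x0001   # protection profile ID from RFC 5764
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+) ([0-9A-Fa-f:]+)\s*$", re.M)

def parse_use_srtp(ext):
    """Decode a use_srtp extension body into (profile_ids, mki)."""
    if len(ext) < 3:
        raise ValueError("use_srtp extension too short")
    (plen,) = struct.unpack_from("!H", ext, 0)
    if plen % 2 or len(ext) < 2 + plen + 1:
        raise ValueError("malformed profile list")
    profiles = list(struct.unpack_from(f"!{plen // 2}H", ext, 2))
    mki_len = ext[2 + plen]
    mki = ext[3 + plen:3 + plen + mki_len]
    if len(mki) != mki_len:
        raise ValueError("truncated srtp_mki")
    return profiles, mki

def check_policy(dtls_version, selected_use_srtp, sdp):
    """Return violations of the three restrictions; an empty list means accept.

    selected_use_srtp is the use_srtp body from the ServerHello, which
    carries the single selected profile.
    """
    violations = []
    if dtls_version > DTLS_1_2:
        violations.append("DTLS version below 1.2")
    profiles, _mki = parse_use_srtp(selected_use_srtp)
    if profiles != [SRTP_AES128_CM_SHA1_80]:
        violations.append("SRTP profile is not SRTP_AES128_CM_SHA1_80")
    prints = FINGERPRINT_RE.findall(sdp)
    if not prints:
        violations.append("no a=fingerprint attribute")
    for algo, value in prints:
        if algo.lower() != "sha-256":
            violations.append(f"fingerprint hash is {algo}, not sha-256")
        elif len(value.split(":")) != 32:
            violations.append("sha-256 fingerprint is not 32 bytes long")
    return violations

# Constructed sample inputs (not captured from a real call).
GOOD_SDP = ("m=audio 9 UDP/TLS/RTP/SAVPF 0\r\n"
            "a=fingerprint:sha-256 " + ":".join(f"{b:02X}" for b in range(32)) + "\r\n")
BAD_SDP = "m=audio 9 UDP/TLS/RTP/SAVPF 0\r\na=fingerprint:sha-1 " + ":".join(["AB"] * 20) + "\r\n"
```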

2. Simplify SIP account configuration

In the new version, when configuring SIP accounts, there is no longer a need for separate configuration to specify the port, as shown in the figure below:

Typically, SIP servers use standard ports to provide services, and users do not need to understand the port information specified by the protocol (just as we rarely specify or know about ports like 80 and 443 when accessing the internet). Therefore, we have removed the “Server Port” configuration option.

However, there are cases where SIP servers use non-standard ports (for example, miniSIPServer Cloud uses port 6060 for SIP-TLS access instead of the standard 5061 port). In the new version, we can specify both the address and port information together in the “Server Address” field, for example:

15000.s2.minisipserver.com:6060

If the server provides an IPv6 address and a non-standard port, it can be configured as in the following example:

[fe80::5a11:22ff:fe74:8198]:6060