
23 Dec 15 Securing Red5 Server

I created a helpful doc at work recently that covers using SSL with Red5 Pro, which is now public! While the focus is on Red5 Pro (a commercial version of Red5), you can apply the content to your own Red5 server. Go check it out: Red5 Pro with SSL, and if you’re interested in HLS and mobile, download the SDK and go wild!

I’ve been using the new free certificate from Let’s Encrypt and thus far it works great. In this post, I’ll be expanding upon my work with Red5 Pro: we’ll cover setting up RTMPS and WSS (Secure WebSocket) after you’ve gone through the steps in the Red5 Pro documentation for HTTPS. Secure WebSocket is a requirement when using resources served via HTTPS in Chrome, since the browser blocks a plain ws:// connection from an https:// page as mixed content. As some of you know, RTMPS has been broken for a while, most likely because of some change in the Flash Player (see Issue 92).

Secure WebSocket

The first step is to decide which port you’ll be using for your wss connections; I suggest 8083 if you’re using 8081 for regular WebSocket connections. This is only a suggestion, as there is no “standard” or IETF-specified port that must be used at this time. Once you’ve decided on a port, open the jee-container.xml file in your red5/conf directory, scroll to the bottom, and you should find the webSocketTransport bean shown below:

    <bean id="webSocketTransport" class="org.red5.net.websocket.WebSocketTransport">
        <property name="addresses">
            <list>
                <value>${ws.host}:${ws.port}</value>
            </list>
        </property>
    </bean>

Add the additional bean definition as shown, and a webSocketTransportSecure instance will be created when you restart Red5:

    <bean id="webSocketTransport" class="org.red5.net.websocket.WebSocketTransport">
        <property name="addresses">
            <list>
                <value>${ws.host}:${ws.port}</value>
            </list>
        </property>
    </bean>
    <bean id="webSocketTransportSecure" class="org.red5.net.websocket.WebSocketTransport">
        <property name="secureConfig">
            <bean id="webSocketSecureConfig" class="org.red5.net.websocket.SecureWebSocketConfiguration">
                <property name="keystoreType" value="JKS"/>
                <property name="keystoreFile" value="${rtmps.keystorefile}"/>
                <property name="keystorePassword" value="${rtmps.keystorepass}"/>
                <property name="truststoreFile" value="${rtmps.truststorefile}"/>
                <property name="truststorePassword" value="${rtmps.truststorepass}"/>
            </bean>
        </property>
        <property name="addresses">
            <list>
                <value>${wss.host}:${wss.port}</value>
            </list>
        </property>
    </bean>

Those references to rtmps.keystorefile etc. are not typos; in these docs we use the same keystore parameters for HTTPS, RTMPS, and WSS for simplicity. You are not required to do this and may use parameters of your own.

Now we’ll add the host and port for wss to the red5.properties file; open the file and locate the section below:

# WebSocket
ws.host=0.0.0.0
ws.port=8081

Add the two lines for wss as shown and then save the file:

# WebSocket
ws.host=0.0.0.0
ws.port=8081
wss.host=0.0.0.0
wss.port=8083

Secure RTMP

To enable RTMPS, first open red5-core.xml, located in the red5/conf directory. Once you have it in your editor, scroll down to the section shown below:

    <!-- RTMPS -->
    <!-- Notes to self: 
         https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites 
         https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
    <bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
        <property name="handler" ref="rtmpHandler" />
        <property name="codecFactory" ref="rtmpCodecFactory" />
        <property name="keystorePassword" value="${rtmps.keystorepass}" />
        <property name="keystoreFile" value="${rtmps.keystorefile}" />
        <property name="truststorePassword" value="${rtmps.truststorepass}" />
        <property name="truststoreFile" value="${rtmps.truststorefile}" />
        <property name="useClientMode" value="false" />
        <property name="needClientAuth" value="false" />
        <property name="cipherSuites">
            <array>
                <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</value>
                <value>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</value>
                <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
                <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
                <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
                <value>TLS_RSA_WITH_AES_256_CBC_SHA256</value>
                <value>TLS_RSA_WITH_AES_256_CBC_SHA</value>
                <value>SSL_RSA_WITH_RC4_128_SHA</value>
            </array>
        </property>
        <property name="protocols">
            <array>
                <value>TLSv1</value>
                <value>TLSv1.1</value>
                <value>TLSv1.2</value>
            </array>
        </property>
    </bean>

    <bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
        <property name="ioHandler" ref="rtmpsMinaIoHandler" />
        <property name="addresses">
            <list>
                <value>${rtmps.host}:${rtmps.port}</value>
            </list>
        </property>
        <property name="ioThreads" value="${rtmp.io_threads}" />
        <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
    </bean>
    -->

Uncomment the rtmpsMinaIoHandler and rtmpsTransport beans (close the “Notes to self” comment right after its URLs so that both beans sit outside it). Any properties you may want to change are once again located in the red5.properties file, in the section labeled RTMPS. RTMPS will be available on port 8443 if you are using the defaults. To use RTMPS in your Flash client, just ensure that you supply the port in the URI like so:

    // nc is a NetConnection field of the enclosing class
    nc = new NetConnection();
    nc.objectEncoding = ObjectEncoding.AMF3;
    nc.client = this;
    nc.proxyType = "best";
    nc.addEventListener(NetStatusEvent.NET_STATUS, nc.client.onStatus);
    // the rtmps:// scheme plus the RTMPS port (8443 by default) selects the TLS transport
    var uri:String = "rtmps://ssl.example.com:8443/live";
    nc.connect(uri, null);
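
Both the WSS bean and the RTMPS beans above depend on ${...} placeholders that must exist in red5.properties, and the cipher list shipped in rtmpsMinaIoHandler still contains RC4 suites and TLS 1.0/1.1. The script below is an added example of mine, not Red5’s own code or part of the original post: it reads a constructed red5.properties and a constructed fragment of the bean XML, reports placeholders the beans reference that the properties file never defines (a missing wss.port or truststore entry means Spring cannot resolve the value and the secure transport will not bind as intended), and flags suites that use RC4 (prohibited in TLS by RFC 7465) or static RSA key exchange (no forward secrecy), plus protocols that have since been deprecated (TLS 1.0 and 1.1 by RFC 8996). The sample keystore path and the deliberately missing properties are my own placeholders.

```python
# Added offline check for the Red5 SSL configuration (not Red5's own code):
# finds ${...} placeholders the beans use that red5.properties never defines and
# flags weak cipher suites / legacy protocols in the rtmpsMinaIoHandler bean.
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed fragment of the bean XML with the RTMPS beans uncommented. The
# Spring namespace is declared so the parser also copes with the real file.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
    <property name="keystoreFile" value="${rtmps.keystorefile}"/>
    <property name="truststoreFile" value="${rtmps.truststorefile}"/>
    <property name="cipherSuites"><array>
      <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
      <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
      <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
      <value>SSL_RSA_WITH_RC4_128_SHA</value>
    </array></property>
    <property name="protocols"><array>
      <value>TLSv1</value><value>TLSv1.1</value><value>TLSv1.2</value>
    </array></property>
  </bean>
  <bean id="webSocketTransportSecure" class="org.red5.net.websocket.WebSocketTransport">
    <property name="addresses"><list><value>${wss.host}:${wss.port}</value></list></property>
  </bean>
</beans>"""

# Constructed red5.properties: wss.port and rtmps.truststorefile are deliberately
# missing so the placeholder check has something to report (paths are placeholders).
SAMPLE_PROPERTIES = """# WebSocket
ws.host=0.0.0.0
ws.port=8081
wss.host=0.0.0.0
# RTMPS
rtmps.port=8443
rtmps.keystorefile=conf/keystore.jks
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def unresolved_placeholders(xml_text, props):
    """${key} references in the XML that the properties file does not define."""
    return sorted(set(PLACEHOLDER.findall(xml_text)) - set(props))

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the namespace URI from an ElementTree tag

def bean_array_values(root, bean_id, prop_name):
    """<value> entries under <property name=prop_name> of the bean with id=bean_id."""
    for elem in root.iter():
        if _local(elem.tag) == "bean" and elem.get("id") == bean_id:
            for prop in elem:
                if _local(prop.tag) == "property" and prop.get("name") == prop_name:
                    return [v.text.strip() for v in prop.iter() if _local(v.tag) == "value"]
    return []

def weak_cipher_suites(suites):
    """Map each suite that should be dropped to the reasons why."""
    findings = {}
    for suite in suites:
        reasons = []
        if "RC4" in suite:
            reasons.append("RC4 is prohibited in TLS (RFC 7465)")
        if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            reasons.append("static key exchange, no forward secrecy")
        if reasons:
            findings[suite] = reasons
    return findings

def audit(xml_text, props_text):
    """Run all checks over the XML and properties text and return one findings dict."""
    props = parse_properties(props_text)
    root = ET.fromstring(xml_text)
    protocols = bean_array_values(root, "rtmpsMinaIoHandler", "protocols")
    return {
        "unresolved": unresolved_placeholders(xml_text, props),
        "weak_suites": weak_cipher_suites(bean_array_values(root, "rtmpsMinaIoHandler", "cipherSuites")),
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
    }

if __name__ == "__main__":
    for section, items in audit(SAMPLE_XML, SAMPLE_PROPERTIES).items():
        print(section, items)
```

To run it against a real install, read red5/conf/red5-core.xml (or jee-container.xml) and red5/conf/red5.properties into the two arguments of audit(); the placeholder check is the one that catches the “restart Red5 and nothing listens on 8083” case before you look in the logs.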

Enabling all these beans and configs should provide your users with SSL-secured connections, making the web just a little bit safer for us all.

Lastly, read up on my previous RTMPS posts for additional insights and examples.

