Various ramblings-on, mostly about Red5

23 Dec 15 Securing Red5 Server

I created a helpful doc at work recently that covers using SSL with Red5 Pro, which is now public! While the focus is on Red5 Pro (a commercial version of Red5), you can apply the content to your own Red5 server. Go check it out: Red5 Pro with SSL and if you’re interested in HLS and Mobile, download the SDK and go wild!

I’ve been using the new free certificate from Let’s Encrypt and thus far it works great. In this post I’ll expand upon my work with Red5 Pro: we’ll cover setting up RTMPS and WSS (Secure WebSocket) after you’ve gone through the steps in the Red5 Pro documentation for HTTPS. Secure WebSocket is a requirement when using resources served via HTTPS in Chrome. As some of you know, RTMPS has been broken for a while, most likely because of some change in the Flash Player (see Issue 92).

Secure WebSocket

The first step is to decide which port you’ll be using for your wss connections; I suggest using 8083 if you’re using 8081 for regular WebSocket connections. This is only a suggestion, as there is no “standard” or IETF-specified port that must be used at this time. Once you’ve decided on a port, open the jee-container.xml file in your red5/conf directory; scroll to the bottom and you should find the webSocketTransport bean shown below:

    <bean id="webSocketTransport" class="org.red5.net.websocket.WebSocketTransport">
        <property name="addresses">
            <list>
                <value>${ws.host}:${ws.port}</value>
            </list>
        </property>
    </bean>

Add the additional bean definition as shown and a webSocketTransportSecure instance will be created when you restart Red5.

    <bean id="webSocketTransport" class="org.red5.net.websocket.WebSocketTransport">
        <property name="addresses">
            <list>
                <value>${ws.host}:${ws.port}</value>
            </list>
        </property>
    </bean>
    <bean id="webSocketTransportSecure" class="org.red5.net.websocket.WebSocketTransport">
        <property name="secureConfig">
            <bean id="webSocketSecureConfig" class="org.red5.net.websocket.SecureWebSocketConfiguration">
                <property name="keystoreType" value="JKS"/>
                <property name="keystoreFile" value="${rtmps.keystorefile}"/>
                <property name="keystorePassword" value="${rtmps.keystorepass}"/>
                <property name="truststoreFile" value="${rtmps.truststorefile}"/>
                <property name="truststorePassword" value="${rtmps.truststorepass}"/>
            </bean>
        </property>
        <property name="addresses">
            <list>
                <value>${wss.host}:${wss.port}</value>
            </list>
        </property>
    </bean>

Those references to rtmps.keystorefile etc. are not typos; in these docs we’re using the same parameters for HTTPS, RTMPS, and WSS for simplicity. You are not required to do this and may use parameters of your own.

Now we will add the port and host for wss in the red5.properties file; open the file and locate the section below:

# WebSocket
ws.host=0.0.0.0
ws.port=8081

Add the two lines for wss as shown and then save the file:

# WebSocket
ws.host=0.0.0.0
ws.port=8081
wss.host=0.0.0.0
wss.port=8083
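
A quick pre-restart check for the two edits above, as an added example (not part of the original post or of Red5): it lists every `${...}` placeholder in the bean definitions that red5.properties does not define, and any port claimed by two listeners. The embedded XML and properties are constructed copies of the listings in this post; the `rtmps.*` values are placeholders.

```python
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
ADDRESS = re.compile(r"<value>\s*([^<\s:]+):([^<\s:]+)\s*</value>")

# Constructed sample: the two transport beans from this post, abridged to the
# properties that carry placeholders.
JEE_CONTAINER_XML = """
<bean id="webSocketTransport" class="org.red5.net.websocket.WebSocketTransport">
  <property name="addresses"><list><value>${ws.host}:${ws.port}</value></list></property>
</bean>
<bean id="webSocketTransportSecure" class="org.red5.net.websocket.WebSocketTransport">
  <property name="secureConfig">
    <bean id="webSocketSecureConfig" class="org.red5.net.websocket.SecureWebSocketConfiguration">
      <property name="keystoreFile" value="${rtmps.keystorefile}"/>
      <property name="keystorePassword" value="${rtmps.keystorepass}"/>
    </bean>
  </property>
  <property name="addresses"><list><value>${wss.host}:${wss.port}</value></list></property>
</bean>
"""

# Constructed red5.properties contents; the rtmps.* values are placeholders.
PROPS_BEFORE = """
# WebSocket
ws.host=0.0.0.0
ws.port=8081
rtmps.keystorefile=conf/keystore
rtmps.keystorepass=EXAMPLE-ONLY
"""
PROPS_AFTER = PROPS_BEFORE + "wss.host=0.0.0.0\nwss.port=8083\n"


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def unresolved_placeholders(xml_text, props):
    """Placeholder names used in the XML but missing from the properties."""
    return sorted({n for n in PLACEHOLDER.findall(xml_text) if n not in props})


def listener_addresses(xml_text, props):
    """(host, port) of each fully resolved <value>host:port</value> entry."""
    resolved = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), xml_text)
    return [(h, p) for h, p in ADDRESS.findall(resolved) if "${" not in h + p]


def port_clashes(xml_text, props):
    """Ports claimed by two listeners on the same host or on a wildcard host."""
    seen, clashes = {}, set()
    for host, port in listener_addresses(xml_text, props):
        for other in seen.get(port, []):
            if host == other or "0.0.0.0" in (host, other):
                clashes.add(port)
        seen.setdefault(port, []).append(host)
    return sorted(clashes)


if __name__ == "__main__":
    for label, text in (("before", PROPS_BEFORE), ("after", PROPS_AFTER)):
        props = parse_properties(text)
        print(label, "unresolved:", unresolved_placeholders(JEE_CONTAINER_XML, props),
              "clashes:", port_clashes(JEE_CONTAINER_XML, props))
```
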

Secure RTMP

To enable RTMPS, we need to first open the red5-core.xml located in the red5/conf directory. Once you’ve got it in your editor, scroll down to the section shown below:

    <!-- RTMPS -->
    <!-- Notes to self: 
         https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites 
         https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
    -->
    <bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
        <property name="handler" ref="rtmpHandler" />
        <property name="codecFactory" ref="rtmpCodecFactory" />
        <property name="keystorePassword" value="${rtmps.keystorepass}" />
        <property name="keystoreFile" value="${rtmps.keystorefile}" />
        <property name="truststorePassword" value="${rtmps.truststorepass}" />
        <property name="truststoreFile" value="${rtmps.truststorefile}" />
        <property name="useClientMode" value="false" />
        <property name="needClientAuth" value="false" />
        <property name="cipherSuites">
            <array>
                <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</value>
                <value>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</value>
                <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
                <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
                <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
                <value>TLS_RSA_WITH_AES_256_CBC_SHA256</value>
                <value>TLS_RSA_WITH_AES_256_CBC_SHA</value>
                <value>SSL_RSA_WITH_RC4_128_SHA</value>
            </array>
        </property>
        <property name="protocols">
            <array>
                <value>TLSv1</value>
                <value>TLSv1.1</value>
                <value>TLSv1.2</value>
            </array>
        </property>
    </bean>
    
    <bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
        <property name="ioHandler" ref="rtmpsMinaIoHandler" />
        <property name="addresses">
            <list>
                 <value>${rtmps.host}:${rtmps.port}</value>
            </list>
        </property>
        <property name="ioThreads" value="${rtmp.io_threads}" />
        <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
    </bean>

Uncomment the rtmpsMinaIoHandler and rtmpsTransport beans. Any properties that you may want to change are once again located in the red5.properties file, in the section labeled RTMPS. RTMPS will be available on 8443 if you are using the defaults. To use RTMPS in your Flash client, just ensure that you supply the port in the URI like so:

  nc = new NetConnection();
  nc.objectEncoding = ObjectEncoding.AMF3;
  nc.client = this;
  nc.proxyType = "best";
  nc.addEventListener(NetStatusEvent.NET_STATUS, nc.client.onStatus);
  var uri:String = "rtmps://ssl.example.com:8443/live";
  nc.connect(uri, null);

Enabling all these beans / configs should provide your users with SSL secured connections, making the web just a little bit safer for us all.

Lastly, read up on my previous RTMPS posts for additional insights and examples.
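
The cipherSuites and protocols lists in the rtmpsMinaIoHandler bean above include RC4, static-RSA and CBC suites as well as TLS 1.0 and 1.1. The following added example (not part of the original post or of Red5) parses the bean and flags those entries; the flagging rules are this example's own policy, and the embedded XML is a constructed copy of the listing.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the cipherSuites and protocols properties of the
# rtmpsMinaIoHandler bean from this post, wrapped in a root element.
RED5_CORE_XML = """<beans>
<bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
  <property name="cipherSuites"><array>
    <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
    <value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</value>
    <value>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</value>
    <value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</value>
    <value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</value>
    <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
    <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
    <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
    <value>TLS_RSA_WITH_AES_256_CBC_SHA256</value>
    <value>TLS_RSA_WITH_AES_256_CBC_SHA</value>
    <value>SSL_RSA_WITH_RC4_128_SHA</value>
  </array></property>
  <property name="protocols"><array>
    <value>TLSv1</value><value>TLSv1.1</value><value>TLSv1.2</value>
  </array></property>
</bean>
</beans>"""

# Protocol versions formally deprecated by the IETF, with the deprecating RFC.
DEPRECATED_PROTOCOLS = {"SSLv3": "RFC 7568", "TLSv1": "RFC 8996", "TLSv1.1": "RFC 8996"}

def _local(tag):
    """Tag name without its XML namespace, so namespaced Spring files parse too."""
    return tag.rsplit("}", 1)[-1]

def bean_values(xml_text, bean_id, prop_name):
    """<value> entries of one property of one bean, in file order."""
    for bean in ET.fromstring(xml_text).iter():
        if _local(bean.tag) != "bean" or bean.get("id") != bean_id:
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == prop_name:
                return [v.text.strip() for v in prop.iter()
                        if _local(v.tag) == "value" and v.text]
    return []

def suite_issues(name):
    """Reasons to drop a JSSE cipher suite name (this example's policy)."""
    issues = []
    if "_RC4_" in name:
        issues.append("RC4 stream cipher, prohibited in TLS by RFC 7465")
    if name.startswith(("TLS_RSA_", "SSL_RSA_")):
        issues.append("static RSA key exchange, no forward secrecy")
    if "_CBC_" in name:
        issues.append("CBC mode rather than an AEAD mode such as GCM")
    return issues

def protocol_issues(name):
    rfc = DEPRECATED_PROTOCOLS.get(name)
    return [f"deprecated by {rfc}"] if rfc else []

def audit(xml_text, bean_id="rtmpsMinaIoHandler"):
    """Map every configured suite and protocol to its list of findings."""
    suites = bean_values(xml_text, bean_id, "cipherSuites")
    protocols = bean_values(xml_text, bean_id, "protocols")
    return {"suites": {s: suite_issues(s) for s in suites},
            "protocols": {p: protocol_issues(p) for p in protocols}}

def clean_entries(findings):
    """Names with no finding, in configured order."""
    return [name for name, issues in findings.items() if not issues]

if __name__ == "__main__":
    for kind, findings in audit(RED5_CORE_XML).items():
        for name, issues in findings.items():
            print(kind, name, ("FLAG: " + "; ".join(issues)) if issues else "ok")
```

An empty result means the bean is still commented out, since XML comments are skipped by the parser. Clients that only offer the flagged suites or protocol versions will fail to connect once those entries are removed.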


16 Mar 15 Android + Eclipse

The bane of my existence today: after about 5 Eclipse crashes this morning, I’m considering using my Windows 10 laptop for today’s dev work. Here’s what Eclipse Luna is presenting to me on Ubuntu 14.04:


Errors occurred during the build.
Error instantiating builder 'com.android.ide.eclipse.adt.PreCompilerBuilder'.
Plug-in com.android.ide.eclipse.adt was unable to load class com.android.ide.eclipse.adt.internal.build.builders.PreCompilerBuilder.
An error occurred while automatically activating bundle com.android.ide.eclipse.adt (816).
Plug-in com.android.ide.eclipse.adt was unable to load class com.android.ide.eclipse.adt.internal.build.builders.PreCompilerBuilder.
An error occurred while automatically activating bundle com.android.ide.eclipse.adt (816).
Error instantiating builder 'com.android.ide.eclipse.adt.ApkBuilder'.
Plug-in com.android.ide.eclipse.adt was unable to load class com.android.ide.eclipse.adt.internal.build.builders.PostCompilerBuilder.
An error occurred while automatically activating bundle com.android.ide.eclipse.adt (816).
Plug-in com.android.ide.eclipse.adt was unable to load class com.android.ide.eclipse.adt.internal.build.builders.PostCompilerBuilder.
An error occurred while automatically activating bundle com.android.ide.eclipse.adt (816).


15 Mar 15 Protecting your privacy on your devices

I get sick to my stomach every time I read a story about someone getting into trouble at a port of entry or similar location because they don’t want their privacy violated. I think it’s absurd that someone in a position of authority can demand your device unlock sequence and then do who knows what with your information and content. So all things considered, I created an Android application which will accept user-defined unlock sequences to perform various actions. For instance, if you took some pictures that are personal and you don’t want the individual holding your device to access them, you could give them the sequence which deletes all your pictures/videos; et voila! Problem solved. I created two versions of the application (Paid/Free); the free version allows you to set your standard device unlock sequence and also allows the “emergency” SMS feature. This feature would send a message to a user-defined phone number when the device owner is in some sort of emergency situation. I hope people find the app useful and if anyone has any other ideas to improve the app, let me know.

 
Paid Version

Get it on Google Play

Free Version

Get it on Google Play


16 May 12 Ivy and Maven

I’ve added some xml to hopefully support Maven and Ivy projects that use Red5 as a dependency just a little better. The group id is “org.red5” and the artifact id is “red5-server” or “red5-client”. For Ivy, add this pattern to your ivysettings.xml:

<artifact pattern="http://red5.googlecode.com/svn/repository/[organisation]/[artifact]/[revision]/[artifact]-[revision].[ext]" />

For your ivy.xml here are the dependency entries:

<dependency org="org.red5" name="red5-server" rev="1.0-RC2" />
<dependency org="org.red5" name="red5-client" rev="1.0-RC2" />

For Maven use this repository:

<repository>
  <id>Red5</id>
  <url>http://red5.googlecode.com/svn/repository</url>
</repository>

and these dependency entries:

<dependency>
  <groupId>org.red5</groupId>
  <artifactId>red5-server</artifactId>
  <version>1.0-RC2</version>
</dependency>

<dependency>
  <groupId>org.red5</groupId>
  <artifactId>red5-client</artifactId>
  <version>1.0-RC2</version>
</dependency>


17 Jan 12 Android Market

I have created a pro version of my broadcaster app for Android and BlackBerry (PlayBook). The pro version allows for FMS or Red5 authentication as well as selection of all available cameras / microphones. The next two things I’ll be adding are l10n/i18n and h.264; the latter may not be possible in mobile AIR but I’ll give it a go.

Pro: https://market.android.com/details?id=air.org.gregoire.mobile.BroadcasterPro

Free: https://market.android.com/details?id=air.Broadcaster

The free version probably won’t be seeing any updates since I hate working on it in Flash CS5.

Lastly, if there’s enough interest I’ll do a version for iOS.

Update 1/18/12

I got h264 publish working in Android last night! woot! What a pain that was.. I need to verify that all is well with the stream data and my modifications to the application then I’ll put the update in the market.

Update #2 1/18/12

The latest pro build is up on the market 1.0.3, it allows you to stream h.263 or h.264 from your Android device. Enjoy!

 


19 Jul 11 Dynamic streaming with Red5

I will dub this feature beta only because I’m not sure that my handling or signaling is “exactly” right yet. The latest revision is now 4245 and those of you with the skills may use this version to stream like the pros do with FMS and Wowza.. dynamically! Be aware that QoS is not implemented yet so hold your bugs saying it doesn’t work for now. The following transitions are currently supported:

  • NetStreamPlayTransitions.RESET – Clears any previous play calls and plays the specified stream immediately.
  • NetStreamPlayTransitions.APPEND – Adds the stream to a playlist and begins playback with the first stream.
  • NetStreamPlayTransitions.APPEND_AND_WAIT – Builds a playlist without starting to play it from the first stream.
  • NetStreamPlayTransitions.SWITCH – Switches from playing one stream to another stream, typically with streams of the same content.
  • NetStreamPlayTransitions.SWAP – Replaces a content stream with a different content stream and maintains the rest of the playlist.
  • NetStreamPlayTransitions.STOP – Stops playing the streams in a playlist.

With any new feature there will be bugs, so bear with us and we’ll get them fixed up as soon as possible. Post any issues (with test code if you have some) to the issue tracker.

Lastly, without the help of Dan Rossi and Abhinav Kapoor’s post (http://www.adobe.com/devnet/flashmediaserver/articles/dynstream_actionscript.html) this would have been a much longer endeavor. Mucho gracias to Infrared5 for allowing me to work on this and other Red5 features. All the testing so far was accomplished with Flowplayer v3.2.6.

12 Jul 11 Red5 fixes galore

In the last couple of days I’ve fixed several issues in Red5 to get it ready for 1.0. Luckily some of these fixes resulted directly from projects being worked on at Infrared5.

The first issue looked into was with shared object usage with RTMPT. This issue seemed to be caused by the way that we manipulate the classloader hierarchy. A word of warning: working with classloaders can be a very scary task and not one that any novice Java developer should want to take on. Briefly, each Red5 application has its own classloader which is separate from any other Red5 application; this is mainly for sandboxing and is the way in which all JEE application servers operate. The internal instances (if enabled) of RTMPT and RTMPS are started in the Tomcat loader thread after all of the applications have been initialized and thus they cannot access the Red5 applications’ individual classloaders, meaning they can’t share SOs etc. For that reason I never recommend using the internal instances and instead suggest that implementers use the RTMPT servlet within their Red5 application; this is a simple addition to their web.xml. In the end, after working on this bug and an RTMPT binding issue at the same time, I found that the classloader issue was fixed by making sure the internal instances were binding to an IP, instead of allowing Tomcat to handle it as it saw fit. It would appear that Tomcat has some sort of sharing in place that allows web application classloaders to talk with each other. The “fix” has been added to trunk around revision 4241 and will be in the 1.0 release configurations.

The last two things that I resolved today were found by using FMLE 3.2 as a test publisher. I must state that we as a team cannot support FMLE due to its EULA, but it is a very handy and capable application for streaming to your media server if you want something other than Sorenson and NellyMoser.  I didn’t find any specific issues for “onFI” or AAC live streaming on the tracker, but these are the two items I fixed using FMLE. The initial work for AAC was done early-on by Tiago and modified by Vladimir Hmelyoff, so a big thank you to them. Fixing live streaming with h.264 and AAC was as easy as making the ClientBroadcastStream check for audio codec information and setting it if it was absent; I love ez fixes!  To fix “onFI” I had to dig around on Google to find out what this call was, for those who don’t know it is used for active timecoding in a stream. The publisher will send the local system time and date as strings in a mixed-array, keyed as “st” and “sd” respectively. All that needed to be done by Red5 at this time was to handle the callback and pass it on to the subscribers.

One last note about FMLE: when you stream live it will send parameters with your stream name, and we used to simply ignore them. These parameters are now stored on your broadcast stream and may be accessed on the server side by calling getParameters().

Lastly, I don’t know when 1.0 will be available but you may all certainly use the current RC2 version in SVN.

25 Aug 10 Building the latest Xuggler for Windows

I recently had reason to build the latest cutting-edge version of Xuggler for my Windows environment and I want to share the experience. Mind you, I have had to do this a few times before including when the project was still named AAFFMPEG and was “unreleased”. The process has been made a lot simpler due to the hard work of Xuggle and its community (Special thanks to Jonathan Ben). BTW if you want to skip all the steps and get the build I created, you can find it here: xuggle-xuggler.4.0.1049-win32-setup.exe

Get all of the following applications / tools if you don’t already have them; they are all FREE.
Get the 1.6 JDK
– Install it
Get 7zip (due to MinGW file compression)
– Install it
Get the zlib dll
– Copy into Windows\System32 directory
Get the preconfigured MinGW
– Unzip into C:\MinGW
– Add C:\MinGW\bin path to the PATH environmental variable
Get the Msys installer
– Install to C:\msys (not C:\msys\1.0)
– Create a directory under C:\msys named “local”
– Add C:\msys\bin path to the PATH environmental variable
Get Ant
– Unzip into C:\ant
– Create a new environment variable named “ANT_HOME” with a value of C:\ant
– Add C:\ant\bin path to the PATH environmental variable
Get SilkSVN (good command line tool, otherwise I suggest TortoiseSVN)
– Install it
Get NSIS (if you want to build the installer)
– Install it
– Add C:\Program Files\NSIS path to the PATH environmental variable
Get Visual C++ 2010 Express
– Select your language on the form
– Install it (a reboot will usually be required)
Now for the fun! Be aware that this takes awhile to complete, on my system it took 76 minutes.
1. Enter the Visual Studio command environment by selecting the “Visual Studio Command Prompt (2010)” link in the start menu
2. Change directory to C:\MinGW
3. Execute “msys.bat”
4. Check out the project source from subversion
svn co http://xuggle.googlecode.com/svn/trunk/
6. Navigate to the xuggler directory
cd trunk/java/xuggle-xuggler
7. For the heck of it run this first
ant clobber
8. Now build while also running tests and producing installers
ant run-tests dist

Et voila! (if everything works, as it did for me)

If you run into an issue where “libraries can’t be found”, you are probably missing the zlib library. I have posted a defect for this here.


31 Mar 10 Stop complaining about Flash

If people aren’t complaining about Flash and HTML5 they are falling back to NoSQL vs RDBMS. There is a time and a place for everything, just remember that tidbit. So to get on with it, I would like to state that I am mostly a Windows user and I love Windows 7.. It f#@king rocks! I also use Google Chrome as my primary browser on both OSX and Windows. I recently loaded the latest dev build of Chrome that contains a streamlined Flash Player and I can say that it is awesome.
To test, I started up a Red5 instance with some mp4 and vp6 videos to see what the CPU usage would be and here is the result: Red5 = 0% to 7% and Chrome = 3% to 6% (average 3%)
The playback was smooth as silk and the audio was perfect. Next up for comparison, I tried IE and FF:
IE 8 with FP10.1 = 5% to 11% (average 5%)
Firefox 3.6 with FP 10.1 = 14% to 66% (average 40%)


12 Nov 09 Native RTMPS in Red5

Red5 now supports “native” RTMPS in addition to RTMPT over SSL. To use this feature you will need to use the current trunk version until 0.9 RC3 or Final are released. A big shout-out goes to Kevin Green for providing the original patch. Using this communication channel, your data will be secured throughout the process from connection to shutdown using TLS/SSL and should provide the secure features you need until RTMPE is ready.


To use this mode in your NetConnection, you must set the proxy type to best like so:

nc = new NetConnection();
nc.client = this;
nc.proxyType = "best";

For this example I used a free opensource ssl cert provided by godaddy.

Step by step process:

1. Create your key

keytool -keysize 2048 -genkey -alias red5 -keyalg RSA -keystore keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  ssl.red5.org
What is the name of your organizational unit?
  [Unknown]:  Dev
What is the name of your organization?
  [Unknown]:  Red5
What is the name of your City or Locality?
  [Unknown]:  Henderson
What is the name of your State or Province?
  [Unknown]:  Nevada
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=ssl.red5.org, OU=Dev, O=Red5, L=Henderson, ST=Nevada, C=US correct?
  [no]:  yes

Enter key password for <red5>
        (RETURN if same as keystore password):

2. Create a CSR

keytool -certreq -keyalg RSA -alias red5 -file red5.csr -keystore keystore
Enter keystore password:

3. Submit your CSR to your SSL certificate provider. Godaddy process is described below.

4. After you receive your certificate, import the root cert into your keystore file

keytool -import -alias root -keystore keystore -trustcacerts -file valicert_class2_root.crt
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <valicertclass2ca>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore

5. Import the cross certificates

keytool -import -alias cross -keystore keystore -trustcacerts -file gd_cross_intermediate.crt
Enter keystore password:
Certificate was added to keystore

6. Import the intermediate certificates

keytool -import -alias intermed -keystore keystore -trustcacerts -file gd_intermediate.crt
Enter keystore password:
Certificate was added to keystore

7. Import your certificate

keytool -import -alias red5 -keystore keystore -trustcacerts -file ssl.red5.org.crt
Enter keystore password:
Certificate reply was installed in keystore

8. Set up RTMPS in your red5/conf/red5-core.xml. You may notice that some of the rtmp variables are used here; that is only for ease of setup, and you could set them to whatever you prefer.

    <bean id="rtmpsMinaIoHandler"
        class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
        <property name="handler" ref="rtmpHandler" />
        <property name="codecFactory" ref="rtmpCodecFactory" />
        <property name="rtmpConnManager" ref="rtmpMinaConnManager" />
        <property name="keyStorePassword" value="${rtmps.keystorepass}" />
        <property name="keystoreFile" value="conf/keystore" />
    </bean>
    
    <bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
        <property name="ioHandler" ref="rtmpsMinaIoHandler" />
        <property name="connectors">
            <list>
                <bean class="java.net.InetSocketAddress">
                    <constructor-arg index="0" type="java.lang.String" value="${rtmps.host}" />  
                    <constructor-arg index="1" type="int" value="${rtmps.port}" />  
                </bean>
            </list>
        </property>
        <property name="receiveBufferSize" value="${rtmp.receive_buffer_size}" />
        <property name="sendBufferSize" value="${rtmp.send_buffer_size}" />
        <property name="eventThreadsCore" value="${rtmp.event_threads_core}" />
        <property name="eventThreadsMax" value="${rtmp.event_threads_max}" />
        <property name="eventThreadsQueue" value="${rtmp.event_threads_queue}" />
        <property name="eventThreadsKeepalive" value="${rtmp.event_threads_keepalive}" />
        <property name="jmxPollInterval" value="1000" />
        <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
    </bean>

Additional security info can be found here
The testing player source can be found here
