Various ramblings-on, mostly about Red5

12 Nov 09 Native RTMPS in Red5

Red5 now supports “native” RTMPS in addition to RTMPT over SSL. To use this feature you will need to use the current trunk version until 0.9 RC3 or Final are released. A big shout-out goes to Kevin Green for providing the original patch. Using this communication channel, your data will be secured throughout the process from connection to shutdown using TLS/SSL and should provide the secure features you need until RTMPE is ready.


To use this mode in your NetConnection, you must set the proxy type to "best", like so:

nc = new NetConnection();
nc.client = this;
nc.proxyType = "best";

For this example I used a free open source SSL cert provided by GoDaddy.

Step by step process:

1. Create your key

keytool -keysize 2048 -genkey -alias red5 -keyalg RSA -keystore keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  ssl.red5.org
What is the name of your organizational unit?
  [Unknown]:  Dev
What is the name of your organization?
  [Unknown]:  Red5
What is the name of your City or Locality?
  [Unknown]:  Henderson
What is the name of your State or Province?
  [Unknown]:  Nevada
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=ssl.red5.org, OU=Dev, O=Red5, L=Henderson, ST=Nevada, C=US correct?
  [no]:  yes

Enter key password for <red5>
        (RETURN if same as keystore password):

2. Create a CSR

keytool -certreq -keyalg RSA -alias red5 -file red5.csr -keystore keystore
Enter keystore password:

3. Submit your CSR to your SSL certificate provider. The GoDaddy process is described below.

4. After you receive your certificate, import the root cert into your keystore file

keytool -import -alias root -keystore keystore -trustcacerts -file valicert_class2_root.crt
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <valicertclass2ca>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore

5. Import the cross certificates

keytool -import -alias cross -keystore keystore -trustcacerts -file gd_cross_intermediate.crt
Enter keystore password:
Certificate was added to keystore

6. Import the intermediate certificates

keytool -import -alias intermed -keystore keystore -trustcacerts -file gd_intermediate.crt
Enter keystore password:
Certificate was added to keystore

7. Import your certificate

keytool -import -alias red5 -keystore keystore -trustcacerts -file ssl.red5.org.crt
Enter keystore password:
Certificate reply was installed in keystore

8. Set up RTMPS in your red5/conf/red5-core.xml. You may notice that some of the rtmp variables are used here; that is only for ease of setup, and you could set them to whatever you prefer.

    <bean id="rtmpsMinaIoHandler"
        class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
        <property name="handler" ref="rtmpHandler" />
        <property name="codecFactory" ref="rtmpCodecFactory" />
        <property name="rtmpConnManager" ref="rtmpMinaConnManager" />
        <property name="keyStorePassword" value="${rtmps.keystorepass}" />
        <property name="keystoreFile" value="conf/keystore" />
    </bean>
    
    <bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
        <property name="ioHandler" ref="rtmpsMinaIoHandler" />
        <property name="connectors">
            <list>
                <bean class="java.net.InetSocketAddress">
                    <constructor-arg index="0" type="java.lang.String" value="${rtmps.host}" />  
                    <constructor-arg index="1" type="int" value="${rtmps.port}" />  
                </bean>
            </list>
        </property>
        <property name="receiveBufferSize" value="${rtmp.receive_buffer_size}" />
        <property name="sendBufferSize" value="${rtmp.send_buffer_size}" />
        <property name="eventThreadsCore" value="${rtmp.event_threads_core}" />
        <property name="eventThreadsMax" value="${rtmp.event_threads_max}" />
        <property name="eventThreadsQueue" value="${rtmp.event_threads_queue}" />
        <property name="eventThreadsKeepalive" value="${rtmp.event_threads_keepalive}" />
        <property name="jmxPollInterval" value="1000" />
        <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
    </bean>
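
A check worth running once step 7 reports the certificate reply as installed, before Red5 is pointed at the keystore in step 8. This is an added example, not part of the original post or of Red5: the function name `audit_keystore` and both sample listings are constructed here, and it assumes English-locale `keytool -list -v` output from a recent JDK. It fails when the `red5` alias has no private key, an unchained certificate, an RSA key under 2048 bits, or an MD5/SHA-1 signature.

```shell
# Added example: audit `keytool -list -v` text for one alias (not Red5 code).
# Assumes recent-JDK English output; older JDKs omit the key-size line.
audit_keystore() {  # usage: keytool -list -v -keystore keystore | audit_keystore red5
  awk -v want="$1" '
    /^Alias name: / { cur = substr($0, 13); leaf_done = 0 }
    cur != want     { next }                 # ignore every other entry
    /^Alias name: / { found = 1 }
    /^Entry type: / { type = $3 }
    /^Certificate chain length: / { chain = $4 + 0 }
    /^Certificate\[2\]:/ { leaf_done = 1 }   # only the server (leaf) cert is inspected
    !leaf_done && /^Subject Public Key Algorithm: / { bits = $5 + 0 }
    !leaf_done && /^Signature algorithm name: /     { sig = $4 }
    END {
      if (!found) { print "FAIL alias " want " not in keystore"; exit 1 }
      if (type != "PrivateKeyEntry") { print "FAIL " want " has no private key (" type ")"; bad++ }
      if (chain < 2) { print "FAIL chain length " chain + 0 ": CA reply not chained to key"; bad++ }
      if (!bits) { print "WARN key size not reported" } else if (bits < 2048) { print "FAIL RSA key is " bits " bits"; bad++ }
      if (sig ~ /^(MD5|SHA1)with/) { print "FAIL weak signature hash: " sig; bad++ }
      if (!bad) print "OK " want ": chain=" chain " bits=" bits " sig=" sig
      exit (bad > 0)
    }'
}
# Constructed, abridged listing: the state after step 7 (reply chained to the key).
sample_chained() { cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Subject Public Key Algorithm: 1024-bit RSA key
Alias name: red5
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Signature algorithm name: SHA1withRSA
EOF
}
# Constructed listing: a self-signed 512-bit key with no CA reply imported.
sample_selfsigned() { cat <<'EOF'
Alias name: red5
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 512-bit RSA key
EOF
}
sample_chained    | audit_keystore red5
sample_selfsigned | audit_keystore red5 || true
```

A chain length of 1 on the `red5` alias after step 7 usually means the reply was imported under a different alias than the one holding the private key.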

Additional security info can be found here
The testing player source can be found here


28 Sep 08 Tomcat connectors

In Red5, you have pretty much full access to manipulate the embedded Tomcat engine via Spring. With that being said I would like to give details on how to change the http connector between two available options; there are several other options, but I’ll only be covering NIO and BIO. First a quick explanation of these two options:

  • BIO – Blocking Input / Output; this has been around since the beginning of internet time. It uses one thread per socket connection to handle requests.
  • NIO – Non-blocking Input / Output; this has been available in the JDK since 1.4. It uses a single thread to handle many socket connections.

In most cases, you should find NIO to be much faster and able to handle a lot more connections than BIO. The default connector was set to NIO until today, when I switched it to BIO to prevent problems with Unix-based systems (OSX / Linux).

The configuration of Tomcat in Red5 for HTTP, RTMPT, and RTMPS is nearly identical, so you may apply the configuration items below to any of the embedded servers. To configure with a BIO connector, locate the connector section and change the constructor arg value:

<property name="connector">
  <bean class="org.apache.catalina.connector.Connector">
    <constructor-arg type="java.lang.String" value="org.apache.coyote.http11.Http11Protocol" />
    <property name="port"><value>80</value></property>
    <property name="redirectPort"><value>443</value></property>
    <property name="enableLookups"><value>false</value></property>
  </bean>
</property>

To use the NIO connector simply change the constructor arg as shown below:

<property name="connector">
  <bean class="org.apache.catalina.connector.Connector">
    <constructor-arg type="java.lang.String" value="org.apache.coyote.http11.Http11NioProtocol" />
    <property name="port"><value>80</value></property>
    <property name="redirectPort"><value>443</value></property>
    <property name="enableLookups"><value>false</value></property>
  </bean>
</property>


26 May 08 RTMPS in Red5

Red5 now supports RTMPS; many of you will be very happy about this new feature. Previously, users had to use stunnel or some other “hack” to implement this feature that FMS supports. RTMPS was easy to implement after I realized RTMPS is RTMPT over SSL; this is a big revelation, since I started out thinking it was RTMP via SSL/TLS. So without further rambling, here is how to set up RTMPS in Red5 at zero cost. I would rate the procedure below as Intermediate level.

Create a self-signed certificate

There are many articles on the web which describe how to complete this first task, but I will explain how to do this with the tool included with Java. Execute this command from your console:

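# 2048-bit RSA key; 512-bit RSA can be factored and falls below the minimum key size current JDKs accept
keytool -genkey -alias red5 -keyalg RSA -keysize 2048 -validity 3650 \
    -keystore keystore -keypass password -storepass password \
    -dname "CN=localhost,OU=Red5,O=Red5,L=Henderson,ST=NV,C=US"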

You may change a few of these options if you prefer, but I suggest that you only change some of the DName fields: Location (L), State (ST), and Country (C). Otherwise the feature may not work. Also note that if you are going to use RTMPS on the Internet, you will probably want to get a CA signed certificate.

Upon completion of this task you will have a file named “keystore”; keep track of this since you will need it later on.

Get Red5

The RTMPS feature is not released as part of the current stable server (version 0.7.0); it is, however, available via SVN starting with revision 2819. This means you have to get a Subversion client, grab the source, build, and deploy; I will not be covering all these steps in this post. Go to http://osflash.org/red5 for links and information on Red5.

Configuration

Once you have Red5, copy the keystore file you created in step one into your conf directory (overwrite the current keystore file in the directory if prompted). The configuration file containing the parameter for RTMPS is conf/red5-core.xml, and you will need to update the RTMPS section if you changed the keystore password. The other configuration file to make note of is red5.properties; it contains the port assignments for the supported protocols. Make sure that you have your ports configured correctly; Adobe suggests that RTMPS be defaulted to port 443, which is normally reserved for HTTPS. If you change this port to something other than 443, you will need to update your NetConnection URLs with the correct port.

For advanced users, there are a few other options you may specify on your RTMPS connection, such as the supported ciphers. You can find additional information on this here. The connectionProperties section is where you would place these additional key / value pairs.

Engage

Start the server and test your applications. I personally tested with the oflaDemo that comes bundled in Red5. Go to http://localhost:5080/demos/oflaDemo.swf and change the rtmp url to rtmps://localhost/oflaDemo et voila! This of course assumes that you didn't change any ports.

Debugging

To see what is going on with SSL at a really low level you can enable this option in your startup:

 -Djavax.net.debug=ssl

It will cause additional information to be displayed on the console.
