Various ramblings-on, mostly about Red5

23 Dec 15 Securing Red5 Server

I recently created a helpful doc at work that covers using SSL with Red5 Pro, and it is now public! While the focus is on Red5 Pro (a commercial version of Red5), you can apply the content to your own Red5 server. Go check it out: Red5 Pro with SSL. If you’re interested in HLS and mobile, download the SDK and go wild!

I’ve been using the new free certificates from Let’s Encrypt and so far they work great. In this post I’ll expand on my Red5 Pro work: we’ll cover setting up RTMPS and WSS (Secure WebSocket) after you’ve gone through the HTTPS steps in the Red5 Pro documentation. Secure WebSocket is a requirement when using resources served via HTTPS in Chrome. As some of you know, RTMPS has been broken for a while, most likely because of some change in the Flash Player (see Issue 92).

Secure WebSocket

The first step is to decide which port you’ll use for your wss connections; I suggest 8083 if you’re using 8081 for regular WebSocket connections. This is only a suggestion, as there is no “standard” or IETF-specified port that must be used at this time. Once you’ve decided on a port, open the jee-container.xml file in your red5/conf directory, scroll to the bottom, and you should find the webSocketTransport bean shown below:

    <bean id="webSocketTransport" class="org.red5.net.websocket.WebSocketTransport">
        <property name="addresses">
            <list>
                <value>${ws.host}:${ws.port}</value>
            </list>
        </property>
    </bean>

Add the additional bean definition as shown and a webSocketTransportSecure instance will be created when you restart Red5.

    <bean id="webSocketTransport" class="org.red5.net.websocket.WebSocketTransport">
        <property name="addresses">
            <list>
                <value>${ws.host}:${ws.port}</value>
            </list>
        </property>
    </bean>
    <bean id="webSocketTransportSecure" class="org.red5.net.websocket.WebSocketTransport">
        <property name="secureConfig">
            <bean id="webSocketSecureConfig" class="org.red5.net.websocket.SecureWebSocketConfiguration">
                <property name="keystoreType" value="JKS"/>
                <property name="keystoreFile" value="${rtmps.keystorefile}"/>
                <property name="keystorePassword" value="${rtmps.keystorepass}"/>
                <property name="truststoreFile" value="${rtmps.truststorefile}"/>
                <property name="truststorePassword" value="${rtmps.truststorepass}"/>
            </bean>
        </property>
        <property name="addresses">
            <list>
                <value>${wss.host}:${wss.port}</value>
            </list>
        </property>
    </bean>

Those references to rtmps.keystorefile etc. are not typos; in these docs we use the same parameters for HTTPS, RTMPS, and WSS for simplicity. You are not required to do this and may use parameters of your own.

Now we will add the port and host for wss in the red5.properties file; open the file and locate the section below:

# WebSocket
ws.host=0.0.0.0
ws.port=8081

Add the two lines for wss as shown and then save the file:

# WebSocket
ws.host=0.0.0.0
ws.port=8081
wss.host=0.0.0.0
wss.port=8083

Secure RTMP

To enable RTMPS, we need to first open the red5-core.xml located in the red5/conf directory. Once you’ve got it in your editor, scroll down to the section shown below:

    <!-- RTMPS -->
    <!-- Notes to self: 
         https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites 
         https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
    <bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
        <property name="handler" ref="rtmpHandler" />
        <property name="codecFactory" ref="rtmpCodecFactory" />
        <property name="keystorePassword" value="${rtmps.keystorepass}" />
        <property name="keystoreFile" value="${rtmps.keystorefile}" />
        <property name="truststorePassword" value="${rtmps.truststorepass}" />
        <property name="truststoreFile" value="${rtmps.truststorefile}" />
        <property name="useClientMode" value="false" />
        <property name="needClientAuth" value="false" />
        <property name="cipherSuites">
            <array>
                <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</value>
                <value>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</value>
                <value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</value>
                <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
                <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
                <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
                <value>TLS_RSA_WITH_AES_256_CBC_SHA256</value>
                <value>TLS_RSA_WITH_AES_256_CBC_SHA</value>
                <value>SSL_RSA_WITH_RC4_128_SHA</value>
            </array>
        </property>
        <property name="protocols">
            <array>
                <value>TLSv1</value>
                <value>TLSv1.1</value>
                <value>TLSv1.2</value>
            </array>
        </property>
    </bean>
    
    <bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
        <property name="ioHandler" ref="rtmpsMinaIoHandler" />
        <property name="addresses">
            <list>
                 <value>${rtmps.host}:${rtmps.port}</value>
            </list>
        </property>
        <property name="ioThreads" value="${rtmp.io_threads}" />
        <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
    </bean>
    -->

Uncomment the rtmpsMinaIoHandler and rtmpsTransport beans. Any properties you may want to change are once again located in the red5.properties file, in the section labeled RTMPS. RTMPS will be available on port 8443 if you are using the defaults. To use RTMPS in your Flash client, just ensure that you supply the port in the URI, like so:

  nc = new NetConnection();
  nc.objectEncoding = ObjectEncoding.AMF3;
  nc.client = this;
  nc.proxyType = "best";
  nc.addEventListener(NetStatusEvent.NET_STATUS, nc.client.onStatus);
  var uri:String = "rtmps://ssl.example.com:8443/live";
  nc.connect(uri, null);

Enabling all these beans / configs should provide your users with SSL secured connections, making the web just a little bit safer for us all.
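The following is an added example, not Red5 project code: a small Python lint for the settings covered in the WSS and RTMPS sections above. It resolves the ${...} placeholders that red5-core.xml and jee-container.xml take from red5.properties (catching the missing wss.* lines before you add them) and flags legacy protocol versions and cipher suites on the RTMPS/WSS listeners, such as the RC4 suites and TLSv1, that a defender would want to drop from the cipherSuites and protocols arrays. The properties text and bean XML it reads are constructed samples modelled on the snippets in this post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample red5.properties: the wss.* lines are deliberately absent.
PROPERTIES = """# RTMPS
rtmps.port=8443
rtmps.keystorefile=conf/keystore.jks
ws.port=8081
"""
# Constructed sample beans, trimmed from the shapes shown in the post.
BEANS_XML = """<beans>
 <bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
  <property name="keystoreFile" value="${rtmps.keystorefile}"/>
  <property name="cipherSuites"><array>
   <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value><value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
   <value>TLS_RSA_WITH_AES_256_CBC_SHA</value>
  </array></property>
  <property name="protocols"><array><value>TLSv1</value><value>TLSv1.2</value></array></property>
 </bean>
 <bean id="webSocketTransportSecure" class="org.red5.net.websocket.WebSocketTransport">
  <property name="addresses"><list><value>${wss.host}:${wss.port}</value></list></property>
 </bean>
</beans>"""
def load_properties(text):
    """Parse key=value lines, skipping comments, the way red5.properties is laid out."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def undefined_placeholders(xml_text, props):
    """Names the beans reference as ${...} that red5.properties never defines."""
    return sorted({p for p in re.findall(r"\$\{([^}]+)\}", xml_text) if p not in props})

def weak_tls_settings(xml_text):
    """Flag legacy protocol versions and cipher suites on the RTMPS/WSS listeners."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        values = [v.text for v in prop.iter("value")]
        if prop.get("name") == "protocols":
            findings += [f"protocol {v}" for v in values if v in ("SSLv3", "TLSv1", "TLSv1.1")]
        elif prop.get("name") == "cipherSuites":
            for v in values:
                if "RC4" in v or v.startswith("SSL_"):
                    findings.append(f"cipher {v}: RC4 or SSLv3-era suite")
                elif "DHE" not in v:  # neither ECDHE nor DHE key exchange
                    findings.append(f"cipher {v}: no forward secrecy")
    return findings
```

Point load_properties at your real red5.properties and the two functions at the beans you uncommented to check the live configuration.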

Lastly, read up on my previous RTMPS posts for additional insights and examples.


12 Nov 09 Native RTMPS in Red5

Red5 now supports “native” RTMPS in addition to RTMPT over SSL. To use this feature you will need the current trunk version until 0.9 RC3 or Final is released. A big shout-out goes to Kevin Green for providing the original patch. Using this communication channel, your data will be secured throughout the process, from connection to shutdown, using TLS/SSL, and it should provide the security features you need until RTMPE is ready.

Red5NativeRTMPS

To use this mode in your NetConnection, you must set the proxy type to best like so:

nc = new NetConnection();
nc.client = this;
nc.proxyType = "best";

For this example I used a free open-source SSL cert provided by GoDaddy.

Step by step process:

1. Create your key

keytool -keysize 2048 -genkey -alias red5 -keyalg RSA -keystore keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  ssl.red5.org
What is the name of your organizational unit?
  [Unknown]:  Dev
What is the name of your organization?
  [Unknown]:  Red5
What is the name of your City or Locality?
  [Unknown]:  Henderson
What is the name of your State or Province?
  [Unknown]:  Nevada
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=ssl.red5.org, OU=Dev, O=Red5, L=Henderson, ST=Nevada, C=US correct?
  [no]:  yes

Enter key password for <red5>
        (RETURN if same as keystore password):

2. Create a CSR

keytool -certreq -keyalg RSA -alias red5 -file red5.csr -keystore keystore
Enter keystore password:

3. Submit your CSR to your SSL certificate provider. The GoDaddy process is described below.

4. After you receive your certificate, import the root cert into your keystore file

keytool -import -alias root -keystore keystore -trustcacerts -file valicert_class2_root.crt
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <valicertclass2ca>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore

5. Import the cross certificates

keytool -import -alias cross -keystore keystore -trustcacerts -file gd_cross_intermediate.crt
Enter keystore password:
Certificate was added to keystore

6. Import the intermediate certificates

keytool -import -alias intermed -keystore keystore -trustcacerts -file gd_intermediate.crt
Enter keystore password:
Certificate was added to keystore

7. Import your certificate

keytool -import -alias red5 -keystore keystore -trustcacerts -file ssl.red5.org.crt
Enter keystore password:
Certificate reply was installed in keystore

8. Set up RTMPS in your red5/conf/red5-core.xml. You may notice that some of the rtmp variables are used here; that is only for ease of setup, and you could set them to whatever you prefer.

    <bean id="rtmpsMinaIoHandler"
        class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
        <property name="handler" ref="rtmpHandler" />
        <property name="codecFactory" ref="rtmpCodecFactory" />
        <property name="rtmpConnManager" ref="rtmpMinaConnManager" />
        <property name="keyStorePassword" value="${rtmps.keystorepass}" />
        <property name="keystoreFile" value="conf/keystore" />
    </bean>
    
    <bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
        <property name="ioHandler" ref="rtmpsMinaIoHandler" />
        <property name="connectors">
            <list>
                <bean class="java.net.InetSocketAddress">
                    <constructor-arg index="0" type="java.lang.String" value="${rtmps.host}" />  
                    <constructor-arg index="1" type="int" value="${rtmps.port}" />  
                </bean>
            </list>
        </property>
        <property name="receiveBufferSize" value="${rtmp.receive_buffer_size}" />
        <property name="sendBufferSize" value="${rtmp.send_buffer_size}" />
        <property name="eventThreadsCore" value="${rtmp.event_threads_core}" />
        <property name="eventThreadsMax" value="${rtmp.event_threads_max}" />
        <property name="eventThreadsQueue" value="${rtmp.event_threads_queue}" />
        <property name="eventThreadsKeepalive" value="${rtmp.event_threads_keepalive}" />
        <property name="jmxPollInterval" value="1000" />
        <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
    </bean>

Additional security info can be found here
The testing player source can be found here
