RTMPS
What is RTMPS?
RTMPS is RTMP over a TLS/SSL connection. It is a means of using encryption to secure your client / server connection. There are two types of RTMPS available: the first is tunneled (essentially RTMPT via HTTPS) and the second is native, which involves neither RTMPT encoding nor HTTPS transport.
At this point, as far as I can tell, "self-signed" certificates do not work at all. If anyone knows how to make this work with FlashPlayer, you should be added to the hall-of-fame.
(Comment: To use self-signed certificates you have to accept the certificate on the client, inserting it into the Trusted Root Certification Authorities store.)
The first step is to ensure you have all the ciphers and protocols needed to support secure connections. This entails downloading the JCE unlimited jurisdiction policy files for your JDK version.
To install the JCE policy files:
- Unzip the downloaded zip
- Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security (Note: these jars will be already there so you have to overwrite them)
- Restart your application
To modify the SSL features used, configure these parameters in your JAVA_OPTS
-Dsun.security.ssl.allowUnsafeRenegotiation=true -Dsun.security.ssl.allowLegacyHelloMessages=true
Further details may be found here: Transport Layer Security (TLS) Renegotiation Issue
Edit the conf/jee-container.xml file; locate the "Tomcat with SSL enabled" section, which consists of these beans:
<bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">
<property name="webappFolder" value="${red5.root}/webapps" />
<property name="connectors">
<list>
<bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
<property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
<property name="address" value="${http.host}:${http.port}" />
<property name="redirectPort" value="${https.port}" />
</bean>
<bean name="httpsConnector" class="org.red5.server.tomcat.TomcatConnector">
<property name="secure" value="true" />
<property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
<property name="address" value="${http.host}:${https.port}" />
<property name="redirectPort" value="${http.port}" />
<property name="connectionProperties">
<map>
<entry key="port" value="${https.port}" />
<entry key="redirectPort" value="${http.port}" />
<entry key="SSLEnabled" value="true" />
<entry key="sslProtocol" value="TLS" />
<entry key="keystoreFile" value="${rtmps.keystorefile}" />
<entry key="keystorePass" value="${rtmps.keystorepass}" />
<entry key="keystoreType" value="JKS" />
<entry key="truststoreFile" value="${rtmps.truststorefile}" />
<entry key="truststorePass" value="${rtmps.truststorepass}" />
<entry key="clientAuth" value="false" />
<entry key="allowUnsafeLegacyRenegotiation" value="true" />
<entry key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
<entry key="useExecutor" value="true"/>
<entry key="maxThreads" value="${http.max_threads}"/>
<entry key="acceptorThreadCount" value="${http.acceptor_thread_count}"/>
<entry key="processorCache" value="${http.processor_cache}"/>
</map>
</property>
</bean>
</list>
</property>
<property name="baseHost">
<bean class="org.apache.catalina.core.StandardHost">
<property name="name" value="${http.host}" />
</bean>
</property>
</bean>
This content is meant to replace the default section marked as "Tomcat without SSL enabled" which does not offer SSL connection handling.
Uncomment the rtmpsMinaIoHandler and rtmpsTransport beans in conf/red5-core.xml.
Modify the properties to suit your requirements; below you'll find a default set-up.
<bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
<property name="handler" ref="rtmpHandler" />
<property name="codecFactory" ref="rtmpCodecFactory" />
<property name="keystorePassword" value="${rtmps.keystorepass}" />
<property name="keystoreFile" value="${rtmps.keystorefile}" />
<property name="truststorePassword" value="${rtmps.truststorepass}" />
<property name="truststoreFile" value="${rtmps.truststorefile}" />
<property name="useClientMode" value="false" />
<property name="needClientAuth" value="false" />
<property name="wantClientAuth" value="false" />
<property name="cipherSuites">
<array>
<value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
<value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</value>
<value>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</value>
<value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</value>
<value>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</value>
<value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
<value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
<value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
<value>TLS_RSA_WITH_AES_256_CBC_SHA256</value>
<value>TLS_RSA_WITH_AES_256_CBC_SHA</value>
<value>SSL_RSA_WITH_RC4_128_SHA</value>
</array>
</property>
<property name="protocols">
<array>
<value>TLSv1</value>
<value>TLSv1.1</value>
<value>TLSv1.2</value>
<value>SSLv2Hello</value>
<value>SSLv3</value>
</array>
</property>
</bean>
<bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
<property name="ioHandler" ref="rtmpsMinaIoHandler" />
<property name="addresses">
<list>
<value>${rtmps.host}:${rtmps.port}</value>
</list>
</property>
<property name="ioThreads" value="${rtmp.io_threads}" />
<property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
</bean>
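As an added check (example code, not part of the Red5 project), the script below parses the cipherSuites and protocols arrays of the rtmpsMinaIoHandler bean and lists the RC4 suites, static-RSA suites (no forward secrecy) and legacy protocol versions that the default set-up above enables; the XML excerpt is constructed for the example and mirrors that set-up.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of conf/red5-core.xml mirroring the default set-up above.
SAMPLE_XML = """<beans>
<bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
  <property name="cipherSuites">
    <array>
      <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
      <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
      <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
      <value>SSL_RSA_WITH_RC4_128_SHA</value>
    </array>
  </property>
  <property name="protocols">
    <array>
      <value>TLSv1</value>
      <value>TLSv1.2</value>
      <value>SSLv2Hello</value>
      <value>SSLv3</value>
    </array>
  </property>
</bean>
</beans>"""

# Protocol versions the bean may enable that offer no adequate protection today.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def read_array(root, bean_id, prop):
    """Return the <value> strings of a Spring <array> property on a bean."""
    path = f".//bean[@id='{bean_id}']/property[@name='{prop}']/array/value"
    return [v.text.strip() for v in root.findall(path)]


def audit(xml_text, bean_id="rtmpsMinaIoHandler"):
    """List (entry, reason) pairs for every weak cipher suite or protocol."""
    root = ET.fromstring(xml_text)
    findings = []
    for suite in read_array(root, bean_id, "cipherSuites"):
        if "RC4" in suite:
            findings.append((suite, "RC4 stream cipher is broken"))
        elif not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append((suite, "static RSA key exchange, no forward secrecy"))
    for proto in read_array(root, bean_id, "protocols"):
        if proto in LEGACY_PROTOCOLS:
            findings.append((proto, "legacy protocol version"))
    return findings
```

Run `audit(open("conf/red5-core.xml").read())` against a real configuration to get the same report for your own bean.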
On the client side, connect from ActionScript as follows; setting proxyType to "best" lets Flash Player use a native RTMPS connection instead of tunneling, and the URL uses forward slashes:
var nc:NetConnection = new NetConnection();
nc.proxyType = "best";
nc.connect("rtmps://localhost/app");
To debug SSL, add this parameter to your JAVA_OPTS:
-Djavax.net.debug=ssl
For additional debugging information, you may also change the security parameter to "all" in the JAVA_OPTS; be aware that this produces a lot of logging information.
-Djava.security.debug=all