Posted to user@openmeetings.apache.org by Christian Wolf <Ch...@gmx.de> on 2018/07/17 13:31:26 UTC
Problems with certificates with RMTPS
Dear community,
I have a strange behavior with my installation of OM. I want to proxy
the web interface through apache (with SSL). This is working. I can
remotely access OM. All right.
Now I want RTMP to be encrypted as well. Here I created another
certificate from Let's Encrypt (LE) just for the RTMPS purpose. The
common name (CN) is simply the host name, just like e.g. for the https
server.
Then I wanted to adapt the configuration of OM accordingly. This is set
up such that I enabled the corresponding section in <OM>/conf/red5-core.conf,
added flash.secure=true and flash.secure.proxy=best in the global
configuration (web frontend), and added the keys to the keystore exactly as in
https://markmail.org/message/j4gx2q6woidyqj7l#query:+page:1+mid:ik4qdhdychl364bp+state:results
as far as I can tell. I tried the network test of OM and still get a red
cross for the RTMP(S) port when using Firefox.
A sniff with wireshark shows that the client connects to port 8443 as
intended and an SSL session is started. The server sends the
certificates I gave plus the intermediate certificate from LE. It does
not send the root certificate. I do not know if this is right or wrong.
Nevertheless, the client seems to refuse the certificate and shuts down
the SSL connection with the reason "Unknown CA". This happens instantly
after the server has sent its certificate chain.
When looking into this, it looks as if Chrome accepts the
certificate. I know that Chrome does many things "differently", thus it
is possible that everything is a problem of my local configuration
within firefox/OS.
When trying the connection with `openssl s_client ...` I can
successfully connect and verify the certificate chain. Thus in general
it seems to work.
My interpretation is that the (flash) client refuses the LE root
certificate for some reason and terminates the connection due to
security concerns.
Is my interpretation correct? How can I overcome this?
Thank you and cheers
Christian
--
Kind regards
Christian Wolf
RE: Problems with certificates with RMTPS
Posted by "Coscend@OM" <OM...@Coscend.com>.
Dear Christian,
Thank you for your prompt guidance. We will translate it into an equivalent config for our proxy.
Sincerely,
Hemant K. Sabat
www.Coscend.com
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly…
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html
Re: Problems with certificates with RMTPS
Posted by Christian Wolf <ch...@wolf-stuttgart.net>.
Dear Hemant,
this looks good to me, although I did not try it out in an example
environment. At best you keep a network sniffer at hand to see, what
messages are passed between localhost:5080 and your reverse proxy. This
makes your life a hell of a lot easier.
If it does not work out as expected, feel free to ask again. I will try
to help as much as possible.
Cheers
Christian
PS: I do not use the ProxyPreserveHost directive which is Off by default
I think. This could make a small difference.
Re: Problems with certificates with RMTPS
Posted by Christian Wolf <ch...@wolf-stuttgart.net>.
Dear Hemant,
I just found out I needed two more modifications of the HTTP(S)
headers. The added lines are
RequestHeader edit Origin "https://example.com" "http://localhost:5080"
Header edit Content-Security-Policy "ws://localhost:5080" "wss://example.com"
Cheers
Christian
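Hemant asked for something he could carry over to a proxy that is not Apache httpd. The Go program below is an added example (it is not code from this thread and not part of OpenMeetings or red5) that does the same three jobs as the Apache lines Christian posted: forward /openmeetings/ to the backend, rewrite the Referer and Origin request headers so that OM/red5 sees its own host, and rewrite the Content-Security-Policy response header so the browser is allowed to open the WebSocket on the public wss:// origin. The WebSocket upgrade that Apache needs the mod_rewrite ws:// rules for is handled by httputil.ReverseProxy itself (Go 1.12 and later). The public origin https://www.example.com, the backend http://localhost:5080 and the cert.pem/key.pem paths are assumed placeholders.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Assumed deployment values (hypothetical, adapt to your own hosts): the
// origin the browser talks to, and the OpenMeetings/red5 backend, which
// must be reachable only through this proxy.
const (
	publicOrigin  = "https://www.example.com"
	backendOrigin = "http://localhost:5080"
)

// rewriteRequestHeaders does what the two Apache "RequestHeader edit" lines
// do: a Referer or Origin that names the public origin is rewritten to the
// backend origin, because OM/red5 refuses logins whose Referer/Origin does
// not match the host it believes it is serving. Any other value is passed
// through untouched, so the backend still sees (and rejects) foreign origins.
func rewriteRequestHeaders(h http.Header) {
	for _, name := range []string{"Referer", "Origin"} {
		if v := h.Get(name); strings.HasPrefix(v, publicOrigin) {
			h.Set(name, backendOrigin+strings.TrimPrefix(v, publicOrigin))
		}
	}
}

// rewriteResponseHeaders does what the Apache "Header edit
// Content-Security-Policy" line does: the backend lists ws://localhost:5080
// as an allowed WebSocket source; the browser must see the public wss://
// origin instead or it blocks the socket.
func rewriteResponseHeaders(h http.Header) {
	wsBackend := "ws://" + strings.TrimPrefix(backendOrigin, "http://")
	wsPublic := "wss://" + strings.TrimPrefix(publicOrigin, "https://")
	if v := h.Get("Content-Security-Policy"); v != "" {
		h.Set("Content-Security-Policy", strings.ReplaceAll(v, wsBackend, wsPublic))
	}
}

// newProxy wires both rewrites into a single-host reverse proxy.
// httputil.ReverseProxy forwards "Connection: Upgrade" WebSocket handshakes
// itself, which replaces the mod_rewrite ws:// rules in the Apache config.
func newProxy() (*httputil.ReverseProxy, error) {
	target, err := url.Parse(backendOrigin)
	if err != nil {
		return nil, err
	}
	p := httputil.NewSingleHostReverseProxy(target)
	director := p.Director
	p.Director = func(r *http.Request) {
		director(r) // sets scheme, host and path of the outgoing request
		rewriteRequestHeaders(r.Header)
	}
	p.ModifyResponse = func(resp *http.Response) error {
		rewriteResponseHeaders(resp.Header)
		return nil
	}
	return p, nil
}

func main() {
	p, err := newProxy()
	if err != nil {
		log.Fatal(err)
	}
	mux := http.NewServeMux()
	mux.Handle("/openmeetings/", p) // only the OM path is exposed
	// cert.pem and key.pem are placeholders for the proxy's own TLS material.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", mux))
}
```

Two things to keep in mind when porting this. The Referer/Origin check Christian describes is the backend's own protection against requests from other domains, and this proxy rewrites exactly those headers for every request it forwards; so port 5080 must stay reachable only via the proxy (bind it to 127.0.0.1 or firewall it), and the rewrite must stay as narrow as the HasPrefix check above. Second, NewSingleHostReverseProxy leaves the browser's Host header untouched, which matches ProxyPreserveHost On in Hemant's config; Christian relies on Apache's default (Off), which you get here by adding r.Host = target.Host inside the Director.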
RE: Problems with certificates with RMTPS
Posted by "Coscend@OM" <OM...@Coscend.com>.
Hello Christian,
Following your guidance, here is what the config we have for SSL reverse proxy for Apache HTTPD server. Is this correct? If yes, then we will create equivalent of this for the different proxy server we use — we do not use Apache HTTPD. Thank you for your guidance.
<VirtualHost _default_:443 [::]:443>
    #### SSL
    ServerAdmin admin <domain>
    ServerName <www.yourdomain.com>
    SSLEngine on
    SSLCertificateFile /opt/red5403/cert/certserver.crt
    SSLCertificateKeyFile /opt/red5403/cert/certserver.key
    SSLProxyEngine On
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire off
    ##########
    ###### Reverse proxy
    <Location /openmeetings/>
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass http://localhost:5080/openmeetings/
        ProxyPassReverse http://localhost:5080/openmeetings/
        RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"
        RewriteEngine on
        RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
        RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
        RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]
        ErrorLog /var/log/apache2/red5-error_log
        CustomLog /var/log/apache2/red5-access_log common
        # LogLevel info rewrite:trace5
        # Require all denied
    </Location>
    ##########
</VirtualHost>
Sincerely,
Hemant K. Sabat
www.Coscend.com <http://www.coscend.com/>
Re: Problems with certificates with RMTPS
Posted by Christian Wolf <Ch...@gmx.de>.
Dear Hemant,
> Would you be kind enough to share the Apache SSL configuration?
> We are facing issues in connecting through “proxy HTTPS + OM HTTP”. We are
> using a different proxy server, but can learn from your Apache
> configuration to adapt to our proxy.
I use it in a virtual subdirectory of the main server. This is also the
reason for the reverse proxy need.
<Location /openmeetings/>
    ProxyPass http://localhost:5080/openmeetings/
    ProxyPassReverse http://localhost:5080/openmeetings/
    RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"
    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]
    # LogLevel info rewrite:trace5
    # Require all denied
</Location>
> How is your configuration different from this:
> http://mail-archives.apache.org/mod_mbox/openmeetings-user/201805.mbox/%3Ctrinity-46cc4ce2-542c-4f5a-872b-ae86bbb100c4-1526140744656@3c-app-mailcom-bs02%3E ?
The only difference I see is the `RequestHeader` directive from
mod_headers. The problem was that the login was refused as OM/red5
detected some malicious setting due to mismatched domains.
I hope this can help you.
Christian
--
Kind regards
Christian Wolf
Waldwiese 9-11
66123 Saarbrücken
Mobil: 0178 776 79 39
RE: Problems with certificates with RMTPS
Posted by "Coscend@OM" <OM...@Coscend.com>.
Hello Christian,
>> I want to proxy the web interface through apache (with SSL). This is working. I can remotely access OM.
Would you be kind enough to share the Apache SSL configuration? We are facing issues in connecting through “proxy HTTPS + OM HTTP”. We are using a different proxy server, but can learn from your Apache configuration to adapt to our proxy.
How is your configuration different from this: http://mail-archives.apache.org/mod_mbox/openmeetings-user/201805.mbox/%3Ctrinity-46cc4ce2-542c-4f5a-872b-ae86bbb100c4-1526140744656@3c-app-mailcom-bs02%3E?
Thank you.
Sincerely,
Hemant K. Sabat
www.Coscend.com <http://www.coscend.com/>
-----Original Message-----
From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Tuesday, July 17, 2018 9:19 AM
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: Problems with certificates with RMTPS
I'm afraid that in the case of a fully secured proxied configuration you need to use RTMPTS (tunneled secured RTMP); an example of an RTMPT config can be found in the mail archives, for example here:
https://markmail.org/message/l7oltgy74zxo2pjc
--
WBR
Maxim aka solomax
Re: Problems with certificates with RMTPS
Posted by Maxim Solodovnik <so...@gmail.com>.
Win 10
FF/Chrome/Edge -- All green
It might be the issue with TLS 1.2 support ... :(((
Not sure yet how to check/fix it :(((
--
WBR
Maxim aka solomax
Re: Problems with certificates with RMTPS
Posted by Maxim Solodovnik <so...@gmail.com>.
Ubuntu 16.04
All versions are latest with all updates
Chrome -> All green
FF -> Port fail
Chromium -> All green
Opera -> All green
will try to reproduce this configuration on my test server (hopefully
this week) ...
--
WBR
Maxim aka solomax
Re: Problems with certificates with RMTPS
Posted by Christian Wolf <ch...@wolf-stuttgart.net>.
Dear Maxim,
dear openmeetings list,
> That is weird :(
I know it is weird. This is the reason I asked here.
> Maybe you can try to import chain as one file as described here:
>
https://stackoverflow.com/questions/16062072/how-to-add-certificate-chain-to-keystore
In the meantime I tried a few things but none of them worked out
correctly. Nevertheless what I found with my current configuration:
- Firefox@Windows is working
- Chrome@Linux is working
- Firefox@Linux is failing
- Konqueror@Linux is failing due to missing Flash (could be overcome)
I think the problem might be an old flash used in Firefox@Linux. I know
there is pepperflash, but this is something I did not try yet (on the
agenda still).
I just wanted to give you a heads-up update.
Thank you so far
Christian
PS:
Further I wanted to ask some of you who are reading along this post to
go on the site https://www2.wolf-stuttgart.net/openmeetings/ and simply
click the "Network testing" button. The second test is the interesting
one. Please report me shortly with your used Browser/OS. Thanks
Re: Problems with certificates with RMTPS
Posted by Maxim Solodovnik <so...@gmail.com>.
That is weird :(
Maybe you can try to import chain as one file as described here:
https://stackoverflow.com/questions/16062072/how-to-add-certificate-chain-to-keystore
--
WBR
Maxim aka solomax
Re: Problems with certificates with RMTPS
Posted by Christian Wolf <ch...@wolf-stuttgart.net>.
Dear Maxim,
> On my Ubuntu FF uses CAs from /etc/ssl/certs/, Chrome seems to use internal CAs
> Can you check with keytool your keystore contains full chain (including CA)?
>
> Example https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>
> keytool -list -v -keystore keystore.jks
My certificate chain is Root CA -> Intermediate CA from Let's Encrypt ->
RTMPS certificate.
When looking into the keystore, I see only the Intermediate CA -> RTMPS
certificate chain. The root CA is not included. Does it need to be
present as well to make everything work?
I used these commands on the keystore:
# keytool -importkeystore -srckeystore <tmp>/openmeetings.p12 \
    -srcstoretype PKCS12 -destkeystore /opt/openmeetings/conf/keystore.jmx \
    -alias red5
# keytool -import -keystore /opt/openmeetings/conf/keystore.jmx \
    -trustcacerts -file /etc/letsencrypt/live/openmeetings/chain.pem \
    -alias letsencrypt
When trying to add the root CA I got the message stating that that
certificate was already known in the global CA keystore. I force-added
it now to test out the effect.
The result is the same: Firefox cannot connect. I did not redo my
sniffing. I assume it will look similar.
Thank you so far
Christian
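The keystore question in the message above (Root CA -> Intermediate CA -> server certificate, with the root not in the keystore) comes down to how a TLS client builds a path from what the server sends to what the client itself trusts. The Go program below is an added example, not code from this thread and not part of OpenMeetings or red5. It builds a throwaway Root CA -> Intermediate CA -> server certificate chain in memory (the CA names and the host name rtmps.example.test are constructed) and verifies the server certificate the way a client would, under four served-chain / trust-store combinations, using Go's crypto/x509 in place of whatever validator the failing Flash plugin uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	hostname        = "rtmps.example.test" // constructed server name
	caseFullChain   = "leaf+intermediate served, root trusted"
	caseNoInter     = "leaf only served, root trusted"
	caseWithRoot    = "leaf+intermediate+root served, root trusted"
	caseUnknownRoot = "leaf+intermediate served, root not in client store"
)

var serial int64 // constructed serial counter; a real CA uses random serials
func must(err error) {
	if err != nil {
		panic(err) // setup failure in this demo, not a verification result
	}
}

// newCert issues a throwaway certificate for cn, self-signed when parentCert is nil.
func newCert(cn string, isCA bool, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the name the client checks against
	}
	if parentCert == nil { // self-signed root: the template is its own issuer
		parentCert, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// pool builds a CertPool that is non-nil even when empty; a nil Roots pool would
// make Verify fall back to the system trust store and hide the "unknown root" case.
func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyAsClient mimics a TLS client: served is the chain as the server sends it (leaf
// first), trusted is the client's own store. Served certificates after the leaf count
// only as untrusted intermediates, so sending a root never makes that root trusted.
func verifyAsClient(served, trusted []*x509.Certificate) error {
	_, err := served[0].Verify(x509.VerifyOptions{Roots: pool(trusted), Intermediates: pool(served[1:]), DNSName: hostname})
	return err
}

// isUnknownAuthority reports the path-building failure a TLS client surfaces as "unknown CA".
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// runScenarios builds Root CA -> Intermediate CA -> server cert (the chain shape from the
// thread) and verifies the server cert under four served-chain / trust-store combinations.
func runScenarios() map[string]error {
	root, rootKey := newCert("Constructed Root CA", true, nil, nil)
	inter, interKey := newCert("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := newCert(hostname, false, inter, interKey)
	return map[string]error{
		caseFullChain:   verifyAsClient([]*x509.Certificate{leaf, inter}, []*x509.Certificate{root}),
		caseNoInter:     verifyAsClient([]*x509.Certificate{leaf}, []*x509.Certificate{root}),
		caseWithRoot:    verifyAsClient([]*x509.Certificate{leaf, inter, root}, []*x509.Certificate{root}),
		caseUnknownRoot: verifyAsClient([]*x509.Certificate{leaf, inter}, nil),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-52s -> %v\n", name, err) // nil means the client accepts the server
	}
}
```

Running it shows three things that bear on the thread: the intermediate must be in the served chain (the leaf alone fails with an unknown-authority error even though the client trusts the root); appending the root to the served chain neither helps nor hurts a client that already trusts it; and a client whose store lacks the root fails in exactly the same way no matter what the server sends. That last case is the one a successful `openssl s_client -CApath /etc/ssl/certs/` run does not rule out: it proves the chain verifies against that directory of CAs, not against whatever trust store the failing client consults.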
Re: Problems with certificates with RMTPS
Posted by Maxim Solodovnik <so...@gmail.com>.
On my Ubuntu FF uses CAs from /etc/ssl/certs/, Chrome seems to use internal CAs
Can you check with keytool your keystore contains full chain (including CA)?
Example https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
keytool -list -v -keystore keystore.jks
--
WBR
Maxim aka solomax
Re: Problems with certificates with RMTPS
Posted by Christian Wolf <ch...@wolf-stuttgart.net>.
Dear Maxim,
On 18.07.2018 at 12:40, Maxim Solodovnik wrote:
> just re-read your initial email (haven't practiced English for a long
> time, hard to read very long emails :(( )
>
> Have you added full certificates chain to both keystore and truststore of red5?
As far as I can tell, yes, there are chains in keystore. truststore is a
simple copy of keystore at the moment.
I tried to verify with the following command (in one line):
$ openssl s_client -connect www2.wolf-stuttgart.net:8443 -showcerts
-CApath /etc/ssl/certs/ < /dev/null
This says that the certificate could be successfully verified. I thus
assume, this is running all right.
Now I tried 2 browsers, firefox and chrome, to navigate to
https://www2.wolf-stuttgart.net/openmeetings/hash?swf=network.
Firefox
-------
The second port symbol (RTMP connection) is a red cross.
Investigation with a network sniffer led to the problem that the client
refuses/does not find the CA of the cert and closes down the connection.
Chrome
------
The symbol is green as desired.
The handshake of the client/server pair is visible. After that the
connection is encrypted and only binary "random" data is transmitted
that cannot be read (as desired) in a sniff.
Cheers
Christian
Re: Problems with certificates with RMTPS
Posted by Maxim Solodovnik <so...@gmail.com>.
just re-read your initial email (wasn't practice in English for a long
time, hard to read very long emails :(( )
Have you added full certificates chain to both keystore and truststore of red5?
On Wed, Jul 18, 2018 at 5:37 PM Christian Wolf
<ch...@wolf-stuttgart.net> wrote:
>
> Dear Maxim,
>
> > both direct RTMPS and tunneled RTMPTS should work as expected
>
> OK, then I prefer RTMPS.
>
> > what values do you have in Admin->Config for
> > flash.secure
> > flash.secure.proxy
> > http://openmeetings.apache.org/GeneralConfiguration.html
>
> I think you are referring to the configuration within the web
> application, right? There I have
>
> flash.secure = true
> flash.secure.proxy = best
>
> Cheers
> Christian
--
WBR
Maxim aka solomax
Re: Problems with certificates with RMTPS
Posted by Christian Wolf <ch...@wolf-stuttgart.net>.
Dear Maxim,
> both direct RTMPS and tunneled RTMPTS should work as expected
OK, then I prefer RTMPS.
> what values do you have in Admin->Config for
> flash.secure
> flash.secure.proxy
> http://openmeetings.apache.org/GeneralConfiguration.html
I think you are referring to the configuration within the web
application, right? There I have
flash.secure = true
flash.secure.proxy = best
Cheers
Christian
Re: Problems with certificates with RMTPS
Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Christian,
both direct RTMPS and tunneled RTMPTS should work as expected
what values do you have in Admin->Config for
flash.secure
flash.secure.proxy
http://openmeetings.apache.org/GeneralConfiguration.html
?
On Wed, Jul 18, 2018 at 5:25 PM Christian Wolf
<ch...@wolf-stuttgart.net> wrote:
>
> Dear Maxim,
>
> On 17.07.2018 at 16:19, Maxim Solodovnik wrote:
> > I'm afraid in case of full secured proxied configuration you need to
> > use RTMPTS (tunneled secured RTMP)
> > example of RTMPT config can be found in mail archives, for ex here:
> > https://markmail.org/message/l7oltgy74zxo2pjc
>
> I think I might not have been as specific as I should have been. It is
> ok to forward the RTMPS packets directly to the OM host. In fact this is
> already done.
> I read that RTMPT is introducing quite some unneeded latency. Thus I
> wanted to avoid that if possible.
>
> So I see the following options:
>
> 1. Let Flash pack every single RTMP packet into an HTTPS call and
> install a proxy to handle these packages.
>
> 2. Use native RTMP over SSL on a dedicated, publicly available port.
>
> When I tried option 1 I had the problem/impression that it was not
> working at all. I still got connections on either the RTMPS or the RTMP
> port. This could be a configuration issue.
> I would tackle this if option 2 is not possible. Otherwise I would
> prefer the direct approach.
>
> So are with the current version 4.0.4 of OM both options realizable?
>
> Thanks
> Christian
--
WBR
Maxim aka solomax
Re: Problems with certificates with RMTPS
Posted by Christian Wolf <ch...@wolf-stuttgart.net>.
Dear Maxim,
On 17.07.2018 at 16:19, Maxim Solodovnik wrote:
> I'm afraid in case of full secured proxied configuration you need to
> use RTMPTS (tunneled secured RTMP)
> example of RTMPT config can be found in mail archives, for ex here:
> https://markmail.org/message/l7oltgy74zxo2pjc
I think I might not have been as specific as I should have been. It is
ok to forward the RTMPS packets directly to the OM host. In fact this is
already done.
I read that RTMPT is introducing quite some unneeded latency. Thus I
wanted to avoid that if possible.
So I see the following options:
1. Let Flash pack every single RTMP packet into an HTTPS call and
install a proxy to handle these packages.
2. Use native RTMP over SSL on a dedicated, publicly available port.
When I tried option 1 I had the problem/impression that it was not
working at all. I still got connections on either the RTMPS or the RTMP
port. This could be a configuration issue.
I would tackle this if option 2 is not possible. Otherwise I would
prefer the direct approach.
So are with the current version 4.0.4 of OM both options realizable?
Thanks
Christian
Re: Problems with certificates with RMTPS
Posted by Maxim Solodovnik <so...@gmail.com>.
I'm afraid in case of full secured proxied configuration you need to
use RTMPTS (tunneled secured RTMP)
example of RTMPT config can be found in mail archives, for ex here:
https://markmail.org/message/l7oltgy74zxo2pjc
On Tue, Jul 17, 2018 at 8:31 PM Christian Wolf <Ch...@gmx.de> wrote:
>
> Dear community,
>
> I have a strange behavior with my installation of OM. I want to proxy
> the web interface through apache (with SSL). This is working. I can
> remotely access OM. All right.
>
> Now I want RTMP to be encrypted as well. Here I created another
> certificate from Let's Encrypt (LE) just for the RTMPS purpose. The
> common name (CN) is simply the host name just like e.g. for the https
> server.
>
> Then I wanted to adopt the configuration of OM accordingly. This is set
> up that I enabled in <OM>/conf/red5-core.conf the corresponding section,
> added in the global configuration (web frontend) flash.secure=true and
> flash.secure.proxy=best. I added the keys to the keystore exactly as in
> https://markmail.org/message/j4gx2q6woidyqj7l#query:+page:1+mid:ik4qdhdychl364bp+state:results
> as far as I can tell. I tried the network test of OM and get still a red
> cross for the RTMP(S) port when using Firefox.
>
> A sniff with wireshark shows that the client connects to port 8443 as
> intended and an SSL session is started. The server sends the
> certificates I gave plus the intermediate certificate from LE. It does
> not send the root certificate. I do not know if this is right or wrong.
> Nevertheless, the client seems to refuse the certificate and shuts down
> the SSL connection with the reason "Unknown CA". This happens instantly
> after the server sent its certificate chain.
>
> When looking into this it looks as Chrome seemed to accept the
> certificate. I know that Chrome does many things "differently", thus it
> is possible that everything is a problem of my local configuration
> within firefox/OS.
> When trying the connection with `openssl s_client ...` I can
> successfully connect and verify the certificate chain. Thus in general
> it seems to work.
>
> My interpretation is that the (flash) client refuses the LE root
> certificate for some reason and terminates the connection due to
> security concerns.
>
> Is my interpretation correct? How can I overcome this?
>
> Thank you and cheers
> Christian
>
> --
> Kind regards
> Christian Wolf
--
WBR
Maxim aka solomax