Thursday, December 15, 2011

Red5 Media Server and Security


!±8± Red5 Media Server and Security

Here are the steps to configure SSL in existing Red5 application. This article is keeping in the mind you have basic knowledge of Red5 or you are aware of how Red5 applications are built.

Software required on machine where Red5 server is installed:-

1: Open SSL //Open source SSL libraries required for compiling Stunnel

2: Stunnel //Open source SSL wrapper software uses open SSL works both on
Windows and Linux.

3: gcc // The GNU C compiler (although it always bundled with Linux
Machine, but I did not find it. Necessary if you are compiling the
Open SSL and Stunnel from source. Not required if using RPM

Configuration needed on server machine:-

1:- Install the Open SSL (if windows use exe RPM or source for Linux machine can be downloaded from openssl website).

2:- Install Stunnel (if windows, use exe otherwise RPM or compilation from source is preferred, can be downloaded from stunnel website). Make sure that you already have compiled Open SSL in your machine before proceeding with the installation of Stunnel; otherwise it will fail to compile.

Under Linux the standard command to compile Stunnel from source are described below. For any update please always follow the installation instructions given their website.

machine# gzip -dc stunnel-VERSION.tar.gz tar -xvzf -
machine# cd stunnel-VERSION
machine# ./configure
machine# make
machine# make install

There are several configurations that differ based on your computer and environment. That can be read from the website itself.

3:- Running Stunnel (There are several ways/mode you can run the stunnel. Follow the FAQ available in their website to choose the best which matches your requirements).
To run stunnel, you always require a configuration file. The process of making sample configuration file (stunnel.conf) is described below.

The sample configuration file used was like this:

sample.conf

; Sample stunnel configuration file by Sunil Gupta 2007
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment

cert = /etc/stunnel/stunnel.pem
;chroot = /var/run/stunnel/
pid = /stunnel.pid
key = /etc/stunnel/stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
Output = /var/log/stunnel.log
foreground=yes
; Use it for client mode
; client = yes
; Service-level configuration

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20

; vim:ft=dosin

Finish

Note: - When you install Stunnel, you get a default sample file, which is not enough in most of the cases to run the flash application. The additions to configuration file I made are as follows.
Also the line having ; in the start denotes the commented portion in file.

cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem

pem stands for 'privacy enhanced mail' used as a key format. The above two lines tells the location of pem files need to be generated. This will be configured by user. The above is the best location for Stunnel although you can change it to any desired location.

;Some performance tunings

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

The above two lines are for better performance of Stunnel in our case.

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

The above line is a bug in a specific platform, since we are running it in Linux; we commented this line, although it could be needed in some case.

; Some debugging stuff useful for troubleshooting
debug = 7
Output = /var/log/stunnel.log
foreground=yes

The above lines are very important, Because Stunnel by default run in background mode. You will never be able to see if it is running. So better to put it in foreground, so that you can make sure that stunnel is running properly. Also the debug = 7 is very important since by default stunnel does not generate any log. You can direct him to generate log, so that you can debug your application by seeing all those log messages. The above mentioned log directory is default Linux directory where all system logs are generated.

; Use it for client mode
; client = yes

In the sample configuration file, you will always find this option un-commented leading to a different architecture, since we are running Stunnel in server mode not client mode, so we will comment this line.

[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20

And the very last lines are mentioned above. In the sample configuration file, you will never find rtmps and it is not even mentioned anywhere in Stunnel. The default file contains only https, add rtmps like it is added here. Also accept port is 443, which is the default port used for secure communication and it is open like port 80 in all corporate firewalls in general. This port is to accept the connection from flash and to get the encrypted data. The connect port is 80; this is the port where stunnel will forward the decrypted data to red5 server.
The TIMEOUTconnect and TIMEOUTclose can be useful in some cases when the server where the data is being forwarded by Stunnel is delaying the connection. This is to make sure that connection is closed only when server is not responding at all. The value is in seconds (i.e. 20 sec.)

Now in order to run your application under secure connection, you require a certificate to be created on the machine where the Stunnel is installed. The procedure for creating a certificate and the possible directory to put this certificate is described below.

Use of certificate:-

When an SSL client connects to an SSL server, the server presents a certificate, essentially an electronic piece of proof that machine is who it claims to be. This certificate is signed by a 'Certificate Authority' (hereafter a CA) -- usually a trusted third party like Verisign. A client will accept this certificate only if
The certificate presented matches the private key being used by the remote end.
The certificate has been signed correctly by the CA. The client recognizes the CA as trusted.

Every stunnel server has a private key. This is contained in the pem file which stunnel uses to initialize its identity. If we notice above, we have given the reference of this pem file in the start of our configuration file under cert.

This private key is put in /usr/local/ssl/certs/stunnel.pem.

Note:-Under client mode we need not to have certificate in most of the cases, but if we are running it in server mode, we require a certificate. Since we are using server mode, I have generated a self certificate.

To make certificate:-

1: Go to /etc/stunnel directory and
2: Run the following command:-'

openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

This creates a private key and self-signed certificate. More information on the options of this can be read from FAQ section of Stunnel website.

While executing the command, it will ask for some questions like Country, City, Company etc., Give the answer of those and it will generate the key and self certificate.

4:- Put your sample.conf file in /etc/stunnel directory where the .pem file was created earlier.

5:- Start Stunnel by issuing the command -

machine# stunnel stunnel.conf

If you are /etc/stunnel directory otherwise complete path of configuration file-

machine# stunnel /etc/stunnel/stunnel.conf

The above command will start the stunnel and you can verify the log from /var/logs/stunnel.log file.

Red5 server side changes:-

6:- Now stunnel is up and running, we need to change the Red5 configuration to accept the connection from Stunnel.

Go to red5 installation directory and search for conf folder where all red5 configuration files exist.

Open red5.properties file and under rtmps.host_port property put 443. The sample file can be like below.

rtmp.host_port = 0.0.0.0:1935
rtmp.threadcount = 4
debug_proxy.host_port = 0.0.0.0:1936
proxy_forward.host_port = 127.0.0.1:1935
rtmps.host_port = 127.0.0.1:443
http.host=0.0.0.0
http.port=5080
rtmpt.host=0.0.0.0
rtmpt.port=80

Flash client side changes:-

7:-Now we are done with server side, In order to run application under SSL, we need to change the client side protocol from rtmp to rtmps like below. And compile the flash client and run it on browser, a certificate will pop up, accept it and the application will run under SSL.

nc.connect ("rtmps://yourip/applicationname"); //used rtmps in place of rtmp

To get all Red5 media server related stuffs, visit the website below-


Red5 Media Server and Security

Comparison Simplehuman Trash Bags Order Mission Tiffany Table Lamp




No comments:

Post a Comment


Twitter Facebook Flickr RSS



Fran�ais Deutsch Italiano Portugu�s
Espa�ol ??? ??? ?????







Sponsor Links