The steps on the site are for the "real" certificates ...

1) add certificate to trusted certs of Java
means Java needs to know about your certificate
I'm using self-signed CA for testing and I'm adding it to
/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts

Additionally I would recommend to run red5 using red5-debug and modify it
by adding "*-Djavax.net.debug=all*" to see all SSL messages

On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <[email protected]> wrote:

> Hello Maxim,
> Don't worry that my question was missed because we all understand how much work you do.
> Your message made me return to the question of HTTPS for OM.
>
> So...
>
> 1) add certificate to trusted certs of Java
>
> Let's see an output of command keytool:
>
> cd /opt/red5/conf
> keytool -list -keystore keystore
> Enter keystore password:
> xxxxx
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
> root, Aug 16, 2017, trustedCertEntry,
> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>
> Is it OK?
>
> 2) add certificate to trusted certs of browser (icon should be green)
> Done
>
> 3) correctly create red5 keystore/truststore
> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
> truststore is a copy of keystore
> OK?
>
> Maxim, I would like to draw on one detail.
> A simple way to test of a SSL-connection is to use the next command:
> openssl s_client -connect FQDN:port
> For example,
> openssl s_client -connect www.mail.ru:443,
> openssl s_client -connect www.ya.ru:443
> and so on.
> This way does not use browsers and allows to test ssl-connections at a lower level than using browsers.
> This command does not work and hangs for my OM as I wrote before and I think that the question is not in the types of certificates (trusted or selfsigned ones).
> But where is the problem? I don't know yet...
>
> Nik
>
> -----Original Message-----
> From: Maxim Solodovnik [mailto:[email protected]]
> Sent: Wednesday, August 16, 2017 5:51 PM
> To: Openmeetings user-list
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> Hello Nik,
>
> I'm trying to answer all emails, sorry if I missed yours :(
> To make self-signed certificate work with red5 you MUST
> 1) add certificate to trusted certs of Java
> 2) add certificate to trusted certs of browser (icon should be green)
> 3) correctly create red5 keystore/truststore
>
> to provide further help I need your detailed steps
>
> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <[email protected]> wrote:
> > Hi Andreas,
> > OK, your opinion is your opinion and I respect it.
> > We speak about an internal OM service but not about the world one...
> > I understand the trusted certificates are more preferable but in my case unnecessary I think.
> > I'm not sure blacklists are my cases...
> >
> > Nik
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Wednesday, August 16, 2017 4:18 PM
> > To: [email protected]
> > Subject: Re: [ANNOUNCE] HTTPS is now required
> >
> > Hi Nik,
> >
> > sorry - I cannot agree to your "I cannot agree". Most email client programs do check certificates and deny connections if certificate is not trusted. May be 5% will work - but 95% will not (and tomorrow percentage is higher than today). I can not recommend to use any self-signed certificate (except for internal tasks). Additionally maybe you are added to blacklists if you are "on the air" using a self-signed certificate.
> >
> > Best regards
> > Andreas
> >
> > On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
> >> I don't agree.
> >> I use selfsigned certificates on other corporate services successfully (mail, cloud and so on).
> >> Yes, browsers ask questions but this is no problem. In this case such certificates must be added as trusted ones.
> >>
> >> Nik
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]]
> >> Sent: Wednesday, August 16, 2017 3:44 PM
> >> To: [email protected]
> >> Subject: Re: [ANNOUNCE] HTTPS is now required
> >>
> >> Self-signed will not be accepted by most browsers and will not work. The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
> >>
> >> Try certificates from Let's Encrypt - they are free ;)
> >>
> >> Best regards
> >> Andreas
> >>
> >> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
> >> > Hi, Maxim!
> >> > I have some problems with SSL and no ideas to solve them.
> >> > Five months ago I asked community how to install SSL on OM but nobody answered.
> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT )
> >> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me.
> >> > No any errors in logs, browser hangs and shows an empty page.
> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the left bottom side.
> >> > The "openssl s_client -connect vkc.krvostok.ru:5443" command hangs also and outputs only one line: CONNECTED(00000003).
> >> > Firewall is off, tcp-5443 port is listening on the OM host.
> >> >
> >> > Is there any roadmap of using selfsigned certificates for OM?
> >> >
> >> > Best regards
> >> > Nik
> >> >
> >> > -----Original Message-----
> >> > From: Maxim Solodovnik [mailto:[email protected]]
> >> > Sent: Wednesday, August 16, 2017 7:23 AM
> >> > To: Openmeetings user-list
> >> > Subject: [ANNOUNCE] HTTPS is now required
> >> >
> >> > Hello All,
> >> >
> >> > Google developers are trying to move WWW to HTTPS.
> >> > To force this transition they restrict features available to HTTP sites in Chrome/Chromium.
> >> > Latest restriction is: Camera and microphone will not be available to JS/Flash code for HTTP sites: proof:
> >> >
> >> > "Microphone and Camera access no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
> >> >
> >> > So please set up HTTPS for your OM site to prevent camera/microphone issues.
> >> >
> >> > --
> >> > WBR
> >> > Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
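
The `openssl s_client` symptom reported in this thread (a single `CONNECTED(00000003)` line, then a hang) can be told apart mechanically from a certificate-trust failure, because s_client prints `CONNECTED` once TCP is up and a `Verify return code` only after the handshake. The shell code below is an added example, not part of the original messages: the state names, the `probe` helper and the `ca.pem` file name are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output so a stalled handshake
# is told apart from a trust failure.

# classify_sclient: reads captured s_client output on stdin, prints one state.
classify_sclient() {
  out=$(cat)
  case "$out" in
    *"CONNECTED("*) ;;                     # TCP connect succeeded
    *) echo tcp-failed; return 0 ;;        # refused, filtered, wrong port
  esac
  case "$out" in                           # handshake ended without a server cert
    *"no peer certificate available"*) echo tls-failed; return 0 ;;
  esac
  code=$(printf '%s\n' "$out" |
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    "") echo tls-stalled ;;                # only CONNECTED: no handshake result
    0)  echo ok ;;                         # chain verified against the CA given
    *)  echo "untrusted:$code" ;;          # e.g. 18 or 19: self-signed, CA unknown
  esac
}

# probe HOST:PORT [CAFILE]: time-limited, so a stalled handshake cannot hang
# the shell. CAFILE is the PEM file of the self-signed CA (assumed name ca.pem).
probe() {
  target=$1; cafile=${2:-}
  if [ -n "$cafile" ]; then
    timeout 10 openssl s_client -connect "$target" -CAfile "$cafile" </dev/null 2>&1
  else
    timeout 10 openssl s_client -connect "$target" </dev/null 2>&1
  fi | classify_sclient
}

# Constructed sample outputs, not captured from any real server.
SAMPLE_STALLED='CONNECTED(00000003)'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
SAMPLE_UNTRUSTED='CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
    Verify return code: 19 (self signed certificate in certificate chain)'
SAMPLE_OK='CONNECTED(00000003)
verify return:1
    Verify return code: 0 (ok)'
```

Run as `probe vkc.krvostok.ru:5443 ca.pem`: a `tls-stalled` result means the keystore and truststore contents have not yet been exercised, while `untrusted:19` means the handshake completed and only the CA is missing on the client side.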
