Here is a useful link. I'm using these scripts (with some modifications). Chrome shows a green icon :)
https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288

On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <[email protected]> wrote:

> The steps on the site are for the "real" certificates ...
> 1) add certificate to trusted certs of Java
>
> means Java needs to know about your certificate. I'm using a self-signed CA
> for testing and I'm adding it to
> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>
> Additionally I would recommend running red5 using red5-debug and modifying it
> by adding "*-Djavax.net.debug=all*" to see all SSL messages
>
> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <[email protected]> wrote:
>
>> Hello Maxim,
>> Don't worry that my question was missed because we all understand how
>> much work you do.
>> Your message made me return to the question of HTTPS for OM.
>>
>> So...
>>
>> 1) add certificate to trusted certs of Java
>>
>> Let's see the output of the keytool command:
>>
>> cd /opt/red5/conf
>> keytool -list -keystore keystore
>> Enter keystore password:
>> xxxxx
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 2 entries
>>
>> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
>> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
>> root, Aug 16, 2017, trustedCertEntry,
>> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>>
>> Is it OK?
>>
>> 2) add certificate to trusted certs of browser (icon should be green)
>> Done
>>
>> 3) correctly create red5 keystore/truststore
>> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
>> truststore is a copy of keystore
>> OK?
>>
>> Maxim, I would like to draw attention to one detail.
>> A simple way to test an SSL connection is to use the following command:
>> openssl s_client -connect FQDN:port
>> For example,
>> openssl s_client -connect www.mail.ru:443,
>> openssl s_client -connect www.ya.ru:443
>> and so on.
>> This way does not use browsers and allows testing SSL connections at a
>> lower level than using browsers.
>> This command does not work and hangs for my OM as I wrote before and I
>> think that the question is not in the types of certificates (trusted or
>> self-signed ones).
>> But where is the problem? I don't know yet...
>>
>> Nik
>>
>> -----Original Message-----
>> From: Maxim Solodovnik [mailto:[email protected]]
>> Sent: Wednesday, August 16, 2017 5:51 PM
>> To: Openmeetings user-list
>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>
>> Hello Nik,
>>
>> I'm trying to answer all emails, sorry if I missed yours :( To make a
>> self-signed certificate work with red5 you MUST
>> 1) add certificate to trusted certs of Java
>> 2) add certificate to trusted certs of browser (icon should be green)
>> 3) correctly create red5 keystore/truststore
>>
>> To provide further help I need your detailed steps
>>
>> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <[email protected]> wrote:
>> > Hi Andreas,
>> > OK, your opinion is your opinion and I respect it.
>> > We speak about an internal OM service but not about the world one...
>> > I understand the trusted certificates are more preferable but in my case unnecessary I think.
>> > I'm not sure blacklists are my cases...
>> >
>> > Nik
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]]
>> > Sent: Wednesday, August 16, 2017 4:18 PM
>> > To: [email protected]
>> > Subject: Re: [ANNOUNCE] HTTPS is now required
>> >
>> > Hi Nik,
>> >
>> > sorry - I cannot agree to your "I cannot agree". Most email client programs do check certificates and deny connections if the certificate is not trusted. Maybe 5% will work - but 95% will not (and tomorrow the percentage is higher than today). I cannot recommend using any self-signed certificate (except for internal tasks). Additionally maybe you are added to blacklists if you are "on the air" using a self-signed certificate.
>> >
>> > Best regards
>> > Andreas
>> >
>> > On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
>> >> I don't agree.
>> >> I use self-signed certificates on other corporate services successfully (mail, cloud and so on).
>> >> Yes, browsers ask questions but this is no problem. In this case such certificates must be added as trusted ones.
>> >>
>> >> Nik
>> >>
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:[email protected]]
>> >> Sent: Wednesday, August 16, 2017 3:44 PM
>> >> To: [email protected]
>> >> Subject: Re: [ANNOUNCE] HTTPS is now required
>> >>
>> >> Self-signed will not be accepted by most browsers and will not work. The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
>> >>
>> >> Try certificates from Let's Encrypt - they are free ;)
>> >>
>> >> Best regards
>> >> Andreas
>> >>
>> >> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
>> >> > Hi, Maxim!
>> >> > I have some problems with SSL and no ideas how to solve them.
>> >> > Five months ago I asked the community how to install SSL on OM but nobody answered.
>> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT )
>> >> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me.
>> >> > No errors in logs, browser hangs and shows an empty page.
>> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the left bottom side.
>> >> > The "openssl s_client -connect vkc.krvostok.ru:5443" command hangs also and outputs only one line: CONNECTED(00000003).
>> >> > Firewall is off, tcp-5443 port is listening on the OM host.
>> >> >
>> >> > Is there any roadmap of using self-signed certificates for OM?
>> >> >
>> >> > Best regards
>> >> > Nik
>> >> >
>> >> > -----Original Message-----
>> >> > From: Maxim Solodovnik [mailto:[email protected]]
>> >> > Sent: Wednesday, August 16, 2017 7:23 AM
>> >> > To: Openmeetings user-list
>> >> > Subject: [ANNOUNCE] HTTPS is now required
>> >> >
>> >> > Hello All,
>> >> >
>> >> > Google developers are trying to move WWW to HTTPS. To force this transition they restrict features available to HTTP sites in Chrome/Chromium. Latest restriction is: Camera and microphone will not be available to JS/Flash code for HTTP sites: proof:
>> >> >
>> >> > "Microphone and Camera access no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
>> >> >
>> >> > So please set up HTTPS for your OM site to prevent camera/microphone issues.
>> >> >
>> >> > --
>> >> > WBR
>> >> > Maxim aka solomax
>>
>> --
>> WBR
>> Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
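
The `openssl s_client` check discussed in the thread, as an added example that is not part of any message above: it separates "TCP connects but the TLS handshake never completes" from "the certificate is not trusted" and bounds both stages with a timeout. The function name `probe_tls`, its status strings and the loopback listener in `demo()` are hypothetical and constructed for illustration.

```python
import socket
import ssl


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Return (status, detail) saying at which stage a TLS connection fails."""
    # Stage 1: plain TCP. Failure here means a firewall or no listener.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))

    # Trust only `cafile` (for example a self-signed test CA in PEM form);
    # with cafile=None the system default trust store is used.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        # Stage 2: TLS handshake, bounded by the same timeout so a silent
        # server cannot hang the probe the way an interactive client hangs.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("cert_untrusted", exc.verify_message)
    except socket.timeout:
        return ("handshake_timeout", "TCP accepted, no TLS reply")
    except (ssl.SSLError, OSError) as exc:
        return ("tls_error", str(exc))
    finally:
        raw.close()


def demo():
    # Constructed stand-in for the hanging server: a loopback listener that
    # completes the TCP handshake but never answers the ClientHello.
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    port = silent.getsockname()[1]
    hung = probe_tls("127.0.0.1", port, timeout=1.0)
    silent.close()
    closed = probe_tls("127.0.0.1", port, timeout=1.0)  # now refused
    return hung, closed


if __name__ == "__main__":
    print(demo())
```

A `handshake_timeout` result corresponds to `CONNECTED(00000003)` followed by silence: the client has not yet received a server certificate, so its own trust store has not been consulted at that point.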
