You can fix it by adding the self-signed CA to java/cacerts on the "client" machine (the machine on which the screen-sharing web app is started).
On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <[email protected]> wrote:
> Tunneling RTMPS
>
> From: Maxim Solodovnik [mailto:[email protected]]
> Sent: Monday, August 21, 2017 5:56 AM
> To: Openmeetings user-list
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> What type of SSL are you checking? "native" or "tunneled"?
>
> On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. <[email protected]> wrote:
>
> Hi Maxim,
>
> Screen sharing with SSL does not work.
>
> Java outputs the following errors:
>
> ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {}
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> Where should the keystore for screen sharing be placed, and what is its file name?
> /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen?
> Where should the password for this keystore be set?
>
> The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.properties
> files contain the following parameters:
>
> key="keystoreFile" value=......
> key="keystorePass" value=......
> key="truststoreFile" value=......
> key="truststorePass" value=......
>
> rtmps.keystorepass=xxxxx
> rtmps.keystorefile=conf/keystore.jks
> rtmps.truststorepass=xxxxx
> rtmps.truststorefile=conf/truststore.jks
>
> But for screen sharing I could not find any relevant information.
>
> Best regards,
> Nik
>
> From: Yakovlev N. [mailto:[email protected]]
> Sent: Saturday, August 19, 2017 8:23 AM
> To: [email protected]
> Subject: RE: [ANNOUNCE] HTTPS is now required
>
> Hi Maxim,
>
> SSL is working fine.
>
> I found a mistake in the http://openmeetings.apache.org/RTMPSAndHTTPS.html manual:
> all keytool commands must use the file name keystore.jks, not keystore without an extension.
> This also applies to the file name truststore: it should be truststore.jks.
>
> Otherwise the names of the keystore and truststore should be changed in
> /opt/red5/conf/red5.properties.
>
> Nik
>
> From: Maxim Solodovnik [mailto:[email protected]]
> Sent: Saturday, August 19, 2017 7:23 AM
> To: Openmeetings user-list
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> I'll try to check the steps with a self-signed cert and will report back.
>
> On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. <[email protected]> wrote:
>
> Hello Ramon,
>
> All our hope is in Maxim... :)
>
> Nik
>
> From: Ramón Zárate Moedano [mailto:[email protected]]
> Sent: Saturday, August 19, 2017 2:22 AM
> To: [email protected]
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> Hello everyone ...
>
> I just cannot install SSL (from Namecheap) ... this is beyond my skills.
>
> Is there someone who can help me with the installation in exchange for some money?
>
> Thanks in advance.
>
> 2017-08-18 1:23 GMT-05:00 Yakovlev N. <[email protected]>:
>
> Hi Maxim,
>
> Thanks for the reply.
>
> I've reinstalled the certificates twice, but SSL does not work.
>
> 1. Both certificates, the root CA and the client one, were added into
> /etc/pki/ca-trust/extracted/java/cacerts (this is the location on CentOS) with the commands:
>
> keytool -import -keystore cacerts -file red5.crt -alias red5
> keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root
>
> 2. As you recommended, OM was started with red5-debug plus the option "-Djavax.net.debug=all".
>
> The logs contain nothing while an SSL session is being established.
>
> To exclude the influence of browsers, I tried to start a session using telnet.
>
> Sessions to port 5080 (non-SSL) were recorded in the logs, but sessions to 5443 were not.
>
> In this case the netstat command shows ESTABLISHED status for port 5443.
>
> Firewall is off.
>
> According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two config
> files have to be changed:
>
> 1. Edit the red5/conf/jee-container.xml file:
>    comment out the "Tomcat without SSL enabled" section
>    uncomment the "Tomcat with SSL enabled" section
>
> 2. Edit red5/webapps/openmeetings/public/config.xml and set
>    <protocol>https</protocol>
>    <red5httpport>5443</red5httpport>
>
> Are these changes enough, or is more needed?
>
> Best regards,
> Nik
>
> From: Maxim Solodovnik [mailto:[email protected]]
> Sent: Thursday, August 17, 2017 10:28 AM
> To: Openmeetings user-list
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> Here is a useful link.
>
> I'm using these scripts (with some modifications); Chrome shows the green icon :)
>
> https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
>
> On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <[email protected]> wrote:
>
> The steps on the site are for "real" certificates ...
>
> 1) add certificate to trusted certs of Java
>
> means Java needs to know about your certificate. I'm using a self-signed CA
> for testing and I'm adding it to
> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>
> Additionally I would recommend running red5 using red5-debug and modifying it
> by adding "-Djavax.net.debug=all" to see all SSL messages.
>
> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <[email protected]> wrote:
>
> Hello Maxim,
> Don't worry that my question was missed; we all understand how much work you do.
> Your message made me return to the question of HTTPS for OM.
>
> So...
>
> 1) add certificate to trusted certs of Java
>
> Let's see the output of the keytool command:
>
> cd /opt/red5/conf
> keytool -list -keystore keystore
> Enter keystore password:
> xxxxx
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
> root, Aug 16, 2017, trustedCertEntry,
> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>
> Is it OK?
>
> 2) add certificate to trusted certs of browser (icon should be green)
> Done
>
> 3) correctly create red5 keystore/truststore
> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
> truststore is a copy of keystore
> OK?
>
> Maxim, I would like to draw attention to one detail.
> A simple way to test an SSL connection is to use the following command:
> openssl s_client -connect FQDN:port
> For example,
> openssl s_client -connect www.mail.ru:443,
> openssl s_client -connect www.ya.ru:443
> and so on.
> This way does not use browsers and allows testing SSL connections at a lower
> level than browsers do.
> This command does not work and hangs for my OM, as I wrote before, and I
> think that the question is not in the types of certificates (trusted or
> self-signed ones).
> But where is the problem? I don't know yet...
>
> Nik
>
> -----Original Message-----
> From: Maxim Solodovnik [mailto:[email protected]]
> Sent: Wednesday, August 16, 2017 5:51 PM
> To: Openmeetings user-list
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> Hello Nik,
>
> I'm trying to answer all emails, sorry if I missed yours :(
> To make a self-signed certificate work with red5 you MUST
> 1) add certificate to trusted certs of Java
> 2) add certificate to trusted certs of browser (icon should be green)
> 3) correctly create red5 keystore/truststore
>
> To provide further help I need your detailed steps.
>
> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <[email protected]> wrote:
>> Hi Andreas,
>> OK, your opinion is your opinion and I respect it.
>> We are speaking about an internal OM service, not about a world-facing one...
>> I understand that trusted certificates are preferable, but in my case they
>> are unnecessary, I think.
>> I'm not sure blacklists apply to my case...
>>
>> Nik
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: Wednesday, August 16, 2017 4:18 PM
>> To: [email protected]
>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>
>> Hi Nik,
>>
>> sorry - I cannot agree to your "I cannot agree". Most email client programs
>> do check certificates and deny connections if the certificate is not trusted.
>> Maybe 5% will work - but 95% will not (and tomorrow the percentage will be
>> higher than today). I cannot recommend using any self-signed certificate
>> (except for internal tasks). Additionally you may be added to blacklists if
>> you are "on the air" using a self-signed certificate.
>>
>> Best regards
>> Andreas
>>
>> On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
>>> I don't agree.
>>> I use self-signed certificates on other corporate services successfully
>>> (mail, cloud and so on).
>>> Yes, browsers ask questions, but this is no problem. In this case such
>>> certificates must be added as trusted ones.
>>>
>>> Nik
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]]
>>> Sent: Wednesday, August 16, 2017 3:44 PM
>>> To: [email protected]
>>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>>
>>> Self-signed will not be accepted by most browsers and will not work.
>>> The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
>>>
>>> Try certificates from Let's Encrypt - they are free ;)
>>>
>>> Best regards
>>> Andreas
>>>
>>> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
>>>> Hi, Maxim!
>>>> I have some problems with SSL and no ideas how to solve them.
>>>> Five months ago I asked the community how to install SSL on OM, but
>>>> nobody answered.
>>>> (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser
>>>> Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT)
>>>> The manual listed on the page http://openmeetings.apache.org/RTMPSAndHTTPS.html
>>>> did not help me.
>>>> No errors in the logs; the browser hangs and shows an empty page.
>>>> Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" at the
>>>> bottom left.
>>>> The "openssl s_client -connect vkc.krvostok.ru:5443" command also hangs
>>>> and outputs only one line: CONNECTED(00000003).
>>>> Firewall is off, TCP port 5443 is listening on the OM host.
>>>>
>>>> Is there any roadmap for using self-signed certificates with OM?
>>>>
>>>> Best regards
>>>> Nik
>>>>
>>>> -----Original Message-----
>>>> From: Maxim Solodovnik [mailto:[email protected]]
>>>> Sent: Wednesday, August 16, 2017 7:23 AM
>>>> To: Openmeetings user-list
>>>> Subject: [ANNOUNCE] HTTPS is now required
>>>>
>>>> Hello All,
>>>>
>>>> Google developers are trying to move the WWW to HTTPS. To force this
>>>> transition they restrict features available to HTTP sites in
>>>> Chrome/Chromium. The latest restriction is: camera and microphone will
>>>> not be available to JS/Flash code for HTTP sites; proof:
>>>>
>>>> "Microphone and Camera access no longer works on insecure origins. To
>>>> use this feature, you should consider switching your application to a
>>>> secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
>>>>
>>>> So please set up HTTPS for your OM site to prevent camera/microphone
>>>> issues.
>>>>
>>>> --
>>>> WBR
>>>> Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
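The three steps Maxim lists for a self-signed setup (trust the CA in Java, trust it in the browser, build red5's keystore/truststore), the .jks file-name point Nik raised, and the offline checks that separate a broken chain from a port that merely accepts TCP, as one added example. This is not code from the thread, from OpenMeetings or from red5. It assumes a hypothetical host name om.example.internal, the password changeit, an output directory ./om-ssl and the alias om-root-ca; openssl and a JDK keytool must be on PATH. It only ever modifies a copy of the JVM's cacerts, so nothing on the system changes until you install that copy yourself, and the same cacerts step is what the screen-sharing client machine needs.

```shell
#!/bin/sh
# Added example, not from the OpenMeetings/red5 projects or the thread authors.
# Performs the steps Maxim lists for a self-signed setup: (1) make Java trust
# the CA (on a COPY of cacerts) and (3) build conf/keystore.jks and
# conf/truststore.jks with the .jks names red5.properties expects. Step (2),
# browser trust, is a GUI import of ca.crt and is not scripted.
# Hypothetical values: WORK, HOST, PASS, alias om-root-ca. Needs openssl + keytool.

WORK=${WORK:-./om-ssl}              # output directory (hypothetical)
HOST=${HOST:-om.example.internal}   # FQDN users type into the browser (hypothetical)
PASS=${PASS:-changeit}              # keystore/truststore password (hypothetical)

# Private CA: one self-signed root, valid 10 years.
make_ca() {
  mkdir -p "$WORK" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=OM internal CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Server certificate for HOST, signed by the CA. Browsers match the
# subjectAltName, not the CN, so the SAN must carry the FQDN.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" >"$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/san.ext" \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# keystore.jks: server key + chain as a PrivateKeyEntry under alias HOST.
# truststore.jks: the CA only, as a trustedCertEntry under alias root.
# Both carry the .jks extension, the point Nik raised about the manual.
make_keystores() {
  # 3DES/SHA-1 PKCS#12 encoding so a JDK 8 keytool can read a bundle
  # written by OpenSSL 3 (whose default PBES2/AES it does not understand).
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -name "$HOST" -passout "pass:$PASS" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$WORK/server.p12" >/dev/null 2>&1 || return 1
  rm -f "$WORK/keystore.jks" "$WORK/truststore.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore "$WORK/keystore.jks" -deststoretype JKS -deststorepass "$PASS" \
    >/dev/null 2>&1 || return 1
  keytool -importcert -noprompt -alias root -file "$WORK/ca.crt" -storetype JKS \
    -keystore "$WORK/truststore.jks" -storepass "$PASS" >/dev/null 2>&1
}

# Default Java truststore next to the keytool on PATH
# (JDK 9+: lib/security/cacerts, JDK 8: jre/lib/security/cacerts).
find_cacerts() {
  kt_path=$(command -v keytool) || return 1
  kt_path=$(readlink -f "$kt_path" 2>/dev/null || echo "$kt_path")
  java_home=$(dirname "$(dirname "$kt_path")")
  for c in "$java_home/lib/security/cacerts" "$java_home/jre/lib/security/cacerts"; do
    if [ -f "$c" ]; then echo "$c"; return 0; fi
  done
  return 1
}

# Step 1: make Java trust the CA. Works on a copy; the real cacerts stays
# untouched until you install the copy yourself or start the JVM with
# -Djavax.net.ssl.trustStore=<copy>. Default cacerts password: changeit.
# Run this same step on the machine that starts the screen-sharing app.
import_ca_into_cacerts() {
  cp "$1" "$WORK/cacerts" && chmod u+w "$WORK/cacerts" || return 1
  keytool -importcert -noprompt -trustcacerts -alias om-root-ca \
    -file "$WORK/ca.crt" -keystore "$WORK/cacerts" -storepass changeit >/dev/null 2>&1
}

# Offline checks: chain validity, entry types, CA present in the cacerts copy.
# Java's "PKIX path building failed" is what the last check would catch.
check_setup() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 || return 1
  keytool -list -keystore "$WORK/keystore.jks" -storepass "$PASS" -alias "$HOST" 2>/dev/null \
    | grep -q PrivateKeyEntry || return 1
  keytool -list -keystore "$WORK/truststore.jks" -storepass "$PASS" -alias root 2>/dev/null \
    | grep -q trustedCertEntry || return 1
  keytool -list -keystore "$WORK/cacerts" -storepass changeit -alias om-root-ca 2>/dev/null \
    | grep -q trustedCertEntry
}

# Live handshake probe against red5 (not part of the offline checks). Only a
# completed handshake prints a verify line; CONNECTED(00000003) followed by
# silence means the TCP port is open but nothing on it speaks TLS.
probe_tls() {
  printf 'Q\n' | openssl s_client -connect "$HOST:${1:-5443}" -servername "$HOST" \
    -CAfile "$WORK/ca.crt" 2>/dev/null | grep 'Verify return code'
}

# Everything in order. Optional argument: path to the JVM's cacerts.
setup_all() {
  cacerts_src=${1:-$(find_cacerts)} || return 1
  make_ca && make_server_cert && make_keystores \
    && import_ca_into_cacerts "$cacerts_src" && check_setup
}

case "${1:-}" in run) setup_all "${2:-}" ;; esac
```

Run it as `sh om-ssl.sh run`, then copy keystore.jks and truststore.jks into /opt/red5/conf so that the rtmps.keystorefile=conf/keystore.jks and rtmps.truststorefile=conf/truststore.jks entries quoted above match real files. probe_tls is the s_client check from the thread with -servername and -CAfile added: the verify line only appears when a handshake completes, which distinguishes "port open" (the lone CONNECTED(00000003) line Nik saw) from "TLS answered and the chain verified against our CA"; on Linux prefix it with `timeout 10` if the port hangs.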
