Hi Maxim, This is the first eddition of "self-signed" section.
Using self-signed certificates. Prerequicites: - CA's root certificate: ca.crt - self-signed server certificate: red5.crt (distinguished Name while creating certificate should be assign to FQDN of your site, for example - vkc.company.com) Preparing of OM server. 1. Rename the existing keystore file red5/conf/keystore.jks to red5/conf/keystore.jks.bak Rename the existing truststore file red5/conf/truststore.jks to red5/conf/truststore.jks.bak 2. Export existing keys into PKCS12 format: enter to folder the ca.crt and red5.crt placed openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt 3. Import resulting red5.p12 into keystore: keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5 This command creates the keystore.jks with password changeit (may be any password) 4. Import your CA's root certificate into the keystore: keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt (need to enter password to keystore.jks - changeit) 5. copy keystore to truststore cd /opt/red5/conf cp keystore.jks truststore.jks 6. Change passwords in /opt/red5/conf/red5.properties: rtmps.keystorepass=changeit rtmps.truststorepass=changeit jmx.keystorepass=changeit 7. Set up SSL according "SSL for the web interface" section. 8. Set up RTMPS according "Tunneling RTMPS" or "Native RTMPS" sections. 9. Restart OM service or whole OM server. Now OM server is ready to accept SSL-connections. Preparing of clients. 1. Add the ca.crt certificate as trusted into the CA's list on all windows PC at the system level (certmgr.msc applet). 2. Add the ca.crt certificate as trusted into Firefox if it used (Firefox uses own store of certificates). 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes screensharing. For example, Java Version 8 Update 144 has been installed on Windows machine by default location path. Copy ca.crt to a folder : c:\ca.crt Start command line interface as administrator: runas /user:AdminAccount cmd.exe Enter admin password Enter to bin directory of java: cd "c:\Program Files\Java\jre1.8.0_144\bin" Import ca.crt into keystore: keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt Enter the password to keystore: changeit Now the clients are ready to connect to OM via SSL https:// vkc.company.com:5443. Nik From: Maxim Solodovnik [mailto:[email protected]] Sent: Wednesday, August 23, 2017 8:58 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required I believe this is correct. will try to add "Self-signed" section to site On Wed, Aug 23, 2017 at 12:54 PM, Yakovlev N. <[email protected]> wrote: OK. I would like to sum up all the work with the SSL and I think one will be interesting for our community. 1. The self-signed certificates can be used but using of them requires some manual operations: 1.1. The certificates (root CA and server) must be installed into /opt/red5/conf/keystore.jks and /opt/red5/conf/truststore.jks on OM server as described at http://openmeetings.apache.org/RTMPSAndHTTPS.html page. 1.2. It's not necessary to add the root certificate into java/cacerts on OM server because all works OK with java/cacerts installed by default. 1.3. The root certificate must be added as trusted into the CA list on all windows PC at the system level (certmgr.msc applet). 1.4. The root certificate must be added as trusted into Firefox if it is used (FF has own store for the certificates). 1.5. The root certificate must be added into %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes screensharing. 2. The use of real certificates is more preferable since it does not require as much work as described above. There are only two places where the certificates have to be installed: see 1.1 and 1.5 above. 3. The http://openmeetings.apache.org/RTMPSAndHTTPS.html page should be changed and supplemented. It will allow to exсlude a lot of questions for OM users. Those questions that I had to meet. Is all correct? Nik From: Maxim Solodovnik [mailto:[email protected]] Sent: Wednesday, August 23, 2017 7:41 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required I believe this is standard behavior for Windows systems On Tue, Aug 22, 2017 at 6:37 PM, Yakovlev N. <[email protected]> wrote: After adding CA into windows system store entering into rooms works good. Does FF use not only own ca-store but ca-store in system?! Or it’s not FF? From: Maxim Solodovnik [mailto:[email protected]] Sent: Tuesday, August 22, 2017 2:05 PM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required ERR_UNKNOWN_ISSUER most probably caused by the fact 1) server cert was added to trusted 2) CA was not added in case of Windows it worth to add CA at system level AND to the browser (CA tab with permission to verify sites code etc. I would check all checkboxes) On Tue, Aug 22, 2017 at 4:41 PM, Yakovlev N. <[email protected]> wrote: Yes, the ca certificate was added as trusted. I found one difference in behavior of FF when it connected to https-sites with the self-signed certificates. Typically, the first connection prompts you to add the site to an exception but OM server does not give us this option. See pls two screenshots. This occurs before the СA is added to the Trusted CAs lists. If first an root certificate is added to the CAs list then we can access to an OM cabinet with green lock icon but will have the errors in the rooms as I wrote before. There is something in OM webserver….. Nik From: Maxim Solodovnik [mailto:[email protected]] Sent: Tuesday, August 22, 2017 11:54 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required I guess CA was added to trusted CA's of FF? On Tue, Aug 22, 2017 at 3:40 PM, Maxim Solodovnik <[email protected]> wrote: This is the issue of "self-signed" certificate. "Real" certificate provides the way to ensure it wasn't revoked. I would recommend to set up one of the free real certificates to prod system On Tue, Aug 22, 2017 at 2:45 PM, Yakovlev N. <[email protected]> wrote: Hi Maxim, you was right when suggested to add a ca certificate into client machine with screensharing. I added the root certificate not correctly via "java control panel->security->manage certificates". It's wrong and not neсessary. The certificate must be inserted into java/keystore with keytool utility. Now screen sharing works as expected. But... I tried to connect from another machines to the machine with screensharing and all worked fine with remote desktop if IE used but not Firefox. The error screenshots are attached and the errors take place when entering into any rooms. Do you know how to resolve it? And why only FF ? The latest version of FF and Adobe Flash Player for FF is used. Nik From: Maxim Solodovnik [mailto:[email protected]] Sent: Monday, August 21, 2017 11:46 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required I guess first thing to do is to ensure jre is used by javaws and jre containing cacert is the same jre can be checked using by inspecting PATH and checking which binaries are actually started using system task manager On Mon, Aug 21, 2017 at 3:00 PM, Yakovlev N. <[email protected]> wrote: First i tried to add only one CA certificate to java on a client machine. Than the site certificate was added for additional checking. Both cases are unsuccessful. What I should make the next? From: Maxim Solodovnik [mailto:[email protected]] Sent: Monday, August 21, 2017 9:51 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required Works for me What were your steps? BTW no need to add site certificate to trusted certs in case you are having Root CA. Verified Root CA will successfully validate site cert On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. <[email protected]> wrote: No, It did not help. The client machine is Windows, the CA root certificate (crt) and the client self-signed certificate (p12) have been added into java via java control panel->security->manage certificates. The full error log is : ERROR 08-21 09:39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {} sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at org.red5.client.net.rtmps.RTMPTSClientConnector.openConnection(RTMPTSClientConnector.java:139) at org.red5.client.net.rtmps.RTMPTSClientConnector.run(RTMPTSClientConnector.java:64) Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 27 common frames omitted sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target No context named default was found!! From: Maxim Solodovnik [mailto:[email protected]] Sent: Monday, August 21, 2017 8:45 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required You can fix it by adding self-signed CA to the java/cacerts at the "client" machine (The machine Screen-sharing web-app is started) On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <[email protected]> wrote: Tunneling RTMPS From: Maxim Solodovnik [mailto:[email protected]] Sent: Monday, August 21, 2017 5:56 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required What type of SSL are you checking? "native" of "tunneled" ? On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. <[email protected]> wrote: Hi Maxim, Screensharing with SSL does not work. Java outputs the next errors: ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {} sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Where can be place the datastore for screensharing and what its file name? /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen ? Where should be assigned the password for this keystore? The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.properties files contain the following parameters: key="keystoreFile" value=...... key="keystorePass" value=...... key="truststoreFile" value=...... key="truststorePass" value=...... rtmps.keystorepass=xxxxx rtmps.keystorefile=conf/keystore.jks rtmps.truststorepass=xxxxx rtmps.truststorefile=conf/truststore.jks But for screensharing I could not find relevant information. Best regards, Nik From: Yakovlev N. [mailto:[email protected]] Sent: Saturday, August 19, 2017 8:23 AM To: [email protected] Subject: RE: [ANNOUNCE] HTTPS is now required Hi Maxim, SSL is working fine. I found a mistake in http://openmeetings.apache.org/RTMPSAndHTTPS.html manual: All keytool commands must have the filename keystore.jks but none keystore without extension. J This also applies to the filename truststore: it should be truststore.jks. Otherwise the names of kestore and truststore should be changed in /opt/red5/conf/red5.properties. Nik From: Maxim Solodovnik [ <mailto:[email protected]> mailto:[email protected]] Sent: Saturday, August 19, 2017 7:23 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required I'll try to check steps with self-signed cert and will report back On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. <[email protected]> wrote: Hello Ramon, All the hope of Maxim….:) Nik From: Ramón Zárate Moedano [mailto:[email protected]] Sent: Saturday, August 19, 2017 2:22 AM To: [email protected] Subject: Re: [ANNOUNCE] HTTPS is now required Hello everyone ... i just cannot install SSL (from namecheap) ... this is beyond my skills. Is there someone who can help me with the installation in exchange for some money???? Thanks in advance. 2017-08-18 1:23 GMT-05:00 Yakovlev N. <[email protected]>: Hi Maxim, Thanks for reply. I've reinstalled two times certificates but ssl does not work. 1. Both certificates root-CA and client one were added into /etc/pki/ca-trust/extracted/java/cacerts (this place is for Centos) with commands: keytool -import -keystore cacerts -file red5.crt -alias red5 keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root 2. As you recommend OM was started with red5-debug + option "-Djavax.net.debug=all" Logs have nothing while a ssl session was established. To exclude the impact of browsers, I tried to start up a session using telnet. Session to port 5080 (none ssl) were fixed in loggs but sessions to 5443 did not. In this case, the netstat command shows ESTABLISHED status to port 5443. Firewall is off. According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two config files have to be changed: 1. Edit red5/conf/jee-container.xml file: Comment Tomcat without SSL enabled section UNComment Tomcat with SSL enabled section 2. Edit red5/webapps/openmeetings/public/config.xml and set <protocol>https</protocol> <red5httpport>5443</red5httpport> Are these changes enough or need more? Best regards, Nik From: Maxim Solodovnik [mailto:[email protected]] Sent: Thursday, August 17, 2017 10:28 AM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required Here is useful link I'm using these scripts (with some modifications) Chrome shows green icon :) https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288 On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <[email protected]> wrote: The steps on the site are for the "real" certificates ... 1) add certificate to trusted certs of Java means Java need to know about your certificate I'm using self-signed CA for testing and I'm adding it to /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts Additionally I would recommend to run red5 using red5-debug and modify it by adding "-Djavax.net.debug=all" to see all SSL messages On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <[email protected]> wrote: Hello Maxim, Don't worry that my question was missed because we all understand how much work you do. Your message made me return to the question of HTTPS for OM. So... 1) add certificate to trusted certs of Java Lets see an output of command keytool: cd /opt/red5/conf keytool -list -keystore keystore Enter keystore password: xxxxx Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry, Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F root, Aug 16, 2017, trustedCertEntry, Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45 Is it OK? 2) add certificate to trusted certs of browser (icon should be green) Done 3) correctly create red5 keystore/truststore Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html truststore is a copy of keystore OK? Maxim, I would like to draw on one detail. A simple way to test of a SSL-connection is to use the next command: openssl s_client -connect FQDN:port For example, openssl s_client -connect www.mail.ru:443, openssl s_client -connect www.ya.ru:443 and so on. This way does not use browsers and allows to test ssl-connections at a lower level than using browsers. This command does not work and hangs for my OM as I wrote before and I think that the question is not in the types of certificates (trusted or selfsigned ones). But where is the problem? I don't now yet... Nik -----Original Message----- From: Maxim Solodovnik [mailto:[email protected]] Sent: Wednesday, August 16, 2017 5:51 PM To: Openmeetings user-list Subject: Re: [ANNOUNCE] HTTPS is now required Hello Nik, I'm trying to answer all emails, sorry if I missed yours :( To make self-signed certificate work with red5 you MUST 1) add certificate to trusted certs of Java 2) add certificate to trusted certs of browser (icon should be green) 3) correctly create red5 keystore/truststore to provide thurther help I need you detailed steps On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <[email protected]> wrote: > Hi Andreas, > OK, your opinion is your opinion and I respect it. > We speak about an internal OM service but not about the world one... > I understand the trusted certificates are more preferable but in my case > unnecessary I think. > I'm not sure blacklists are my cases... > > Nik > > -----Original Message----- > From: [email protected] [mailto:[email protected]] > Sent: Wednesday, August 16, 2017 4:18 PM > To: [email protected] > Subject: Re: [ANNOUNCE] HTTPS is now required > > Hi Nik, > > sorry - I cannot agree to your "I cannot agree". Most email client programs > do check certificates and deny connections if certificate is not trusted. May > be 5% will work - but 95% will not (and tomorrow percentage is higher than > today). I can not recommend to use any self-signed certificate (except for > internal tasks). Additionally maybe you are added to blacklists if you are > "on the air" using a self-signed certificate. > > Best regards > Andreas > > Am Mittwoch, 16. August 2017, 16:01:52 CEST schrieb Yakovlev N.: >> I don't agree. >> I use selfsigned certiticates on other corporate services successfully >> (mail, cloud and so on). >> Yes, browsers ask questions but this is no problem. In this case such >> certificates must be added as trusted ones. >> >> Nik >> >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] >> Sent: Wednesday, August 16, 2017 3:44 PM >> To: [email protected] >> Subject: Re: [ANNOUNCE] HTTPS is now required >> >> Self-signed will not be accepted by most browsers and will not work. The >> goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*... >> >> Try certificates from lets encrypt - they are free ;) >> >> Best regards >> Andreas >> >> Am Mittwoch, 16. August 2017, 15:25:17 CEST schrieb Yakovlev N.: >> > Hi, Maxim! >> > I have some problems with SSL and no ideas to solve them. >> > Five months ago I asked community how to install SSL on OM but nobody >> > answered. >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser >> > Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT ) >> > The manual listed on page >> > http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me. >> > No any errors in logs, browser hangs and shows an empty page. >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the >> > left bottom side. >> > The "openssl s_client -connect vkc.krvostok.ru:5443" command hangs >> > also and outputs only one line: CONNECTED(00000003). >> > Firewall is off, tcp-5443 port is listening on the OM host. >> > >> > Is there any roadmap of using selfsigned serfificates for OM? >> > >> > Best regards >> > Nik >> > >> > -----Original Message----- >> > From: Maxim Solodovnik [mailto:[email protected]] >> > Sent: Wednesday, August 16, 2017 7:23 AM >> > To: Openmeetings user-list >> > Subject: [ANNOUNCE] HTTPS is now required >> > >> > Hello All, >> > >> > Google developers are trying to move WWW to HTTPS To force this transition >> > they restrict features available to HTTP sites in Chrome/Chromium Latest >> > restriction is: Camera and microphone will not be available to JS/Flash >> > code for HTTP sites: proof: >> > >> > "Microphone and Camera access no longer works on insecure origins. To use >> > this feature, you should consider switching your application to a secure >> > origin, such as HTTPS. See https://goo.gl/rStTGz for more details." >> > >> > So please set up HTTPS for your OM site to prevent camera/microphone >> > issues. >> > >> > -- >> > WBR >> > Maxim aka solomax >> > >> > >> >> >> > > -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax -- WBR Maxim aka solomax
