Why do you need additional server? Are you going to set up proxy?

On Thu, Aug 24, 2017 at 12:19 AM, Ramón Zárate Moedano <[email protected]> wrote:

> Hello everyone.
>
> i am issuing a SSL certificate with namecheap. To use a "real one".
>
> What kind of the server type do i have to choose?
> 1 .- Apache / cpanel
> 2.- Microsoft IIS / Tomcat
>
> Thanks.
>
> 2017-08-23 11:41 GMT-05:00 Maxim Solodovnik <[email protected]>:
>
>> Hello Nick,
>>
>> please check this: https://builds.apache.org/view/M-R/view/OpenMeetings/job/Openmeetings%203.3.x/site/openmeetings-server/RTMPSAndHTTPS.html
>> I'm not sure what is the difference between v1 and v2, too much text :(
>>
>> Thanks a lot for the contribution!
>>
>> On Wed, Aug 23, 2017 at 3:30 PM, Yakovlev N. <[email protected]> wrote:
>>
>>> Maxim,
>>>
>>> red5.key missed
>>>
>>> The second edition. :)
>>>
>>> Using self-signed certificates.
>>>
>>> Prerequisites:
>>>
>>> - CA's root certificate: ca.crt
>>>
>>> - server key: red5.key (distinguished Name while creating key should be assigned to FQDN of your site, for example - vkc.company.com)
>>>
>>> - self-signed server certificate: red5.crt
>>>
>>> Preparing of OM server.
>>>
>>> 1. Rename the existing keystore file red5/conf/keystore.jks to red5/conf/keystore.jks.bak
>>>
>>> Rename the existing truststore file red5/conf/truststore.jks to red5/conf/truststore.jks.bak
>>>
>>> 2. Export existing keys into PKCS12 format:
>>>
>>> enter the folder where ca.crt and red5.crt are placed
>>>
>>> openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
>>>
>>> 3. Import resulting red5.p12 into keystore:
>>>
>>> keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
>>>
>>> This command creates the keystore.jks with password changeit (may be any password)
>>>
>>> 4. Import your CA's root certificate into the keystore:
>>>
>>> keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt
>>>
>>> (need to enter password to keystore.jks - changeit)
>>>
>>> 5. copy keystore to truststore
>>>
>>> cd /opt/red5/conf
>>>
>>> cp keystore.jks truststore.jks
>>>
>>> 6. Change /opt/red5/conf/red5.properties
>>>
>>> rtmps.keystorepass=changeit
>>>
>>> rtmps.truststorepass=changeit
>>>
>>> jmx.keystorepass=changeit
>>>
>>> 7. Set up SSL according to the "SSL for the web interface" section.
>>>
>>> 8. Set up RTMPS according to the "Tunneling RTMPS" or "Native RTMPS" sections.
>>>
>>> 9. Restart OM service or whole OM server. Now OM server is ready to accept SSL-connections.
>>>
>>> Preparing of clients.
>>>
>>> 1. Add the ca.crt certificate as trusted into the CA's list on all windows PC at the system level (certmgr.msc applet).
>>>
>>> 2. Add the ca.crt certificate as trusted into Firefox if it is used (Firefox uses its own store of certificates).
>>>
>>> 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes screensharing.
>>>
>>> For example, Java Version 8 Update 144 has been installed on Windows machine by default location path.
>>>
>>> Copy ca.crt to a folder : c:\ca.crt
>>>
>>> Start command line interface as administrator:
>>>
>>> runas /user:AdminAccount cmd.exe
>>>
>>> Enter admin password
>>>
>>> Enter the bin directory of java:
>>>
>>> cd "c:\Program Files\Java\jre1.8.0_144\bin"
>>>
>>> Import ca.crt into keystore:
>>>
>>> keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
>>>
>>> Enter the password to keystore: changeit
>>>
>>> Now the clients are ready to connect to OM via SSL.
>>>
>>> *From:* Yakovlev N. [mailto:[email protected]]
>>> *Sent:* Wednesday, August 23, 2017 11:04 AM
>>> *To:* [email protected]
>>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>>
>>> Hi Maxim,
>>>
>>> This is the first edition of "self-signed" section.
>>>
>>> Using self-signed certificates.
>>>
>>> Prerequisites:
>>>
>>> - CA's root certificate: ca.crt
>>>
>>> - self-signed server certificate: red5.crt (distinguished Name while creating certificate should be assigned to FQDN of your site, for example - vkc.company.com)
>>>
>>> Preparing of OM server.
>>>
>>> 1. Rename the existing keystore file red5/conf/keystore.jks to red5/conf/keystore.jks.bak
>>>
>>> Rename the existing truststore file red5/conf/truststore.jks to red5/conf/truststore.jks.bak
>>>
>>> 2. Export existing keys into PKCS12 format:
>>>
>>> enter the folder where ca.crt and red5.crt are placed
>>>
>>> openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
>>>
>>> 3. Import resulting red5.p12 into keystore:
>>>
>>> keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
>>>
>>> This command creates the keystore.jks with password changeit (may be any password)
>>>
>>> 4. Import your CA's root certificate into the keystore:
>>>
>>> keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt
>>>
>>> (need to enter password to keystore.jks - changeit)
>>>
>>> 5. copy keystore to truststore
>>>
>>> cd /opt/red5/conf
>>>
>>> cp keystore.jks truststore.jks
>>>
>>> 6. Change passwords in /opt/red5/conf/red5.properties:
>>>
>>> rtmps.keystorepass=changeit
>>>
>>> rtmps.truststorepass=changeit
>>>
>>> jmx.keystorepass=changeit
>>>
>>> 7. Set up SSL according to the "SSL for the web interface" section.
>>>
>>> 8. Set up RTMPS according to the "Tunneling RTMPS" or "Native RTMPS" sections.
>>>
>>> 9. Restart OM service or whole OM server. Now OM server is ready to accept SSL-connections.
>>>
>>> Preparing of clients.
>>>
>>> 1. Add the ca.crt certificate as trusted into the CA's list on all windows PC at the system level (certmgr.msc applet).
>>>
>>> 2. Add the ca.crt certificate as trusted into Firefox if it is used (Firefox uses its own store of certificates).
>>>
>>> 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes screensharing.
>>>
>>> For example, Java Version 8 Update 144 has been installed on Windows machine by default location path.
>>>
>>> Copy ca.crt to a folder : c:\ca.crt
>>>
>>> Start command line interface as administrator:
>>>
>>> runas /user:AdminAccount cmd.exe
>>>
>>> Enter admin password
>>>
>>> Enter the bin directory of java:
>>>
>>> cd "c:\Program Files\Java\jre1.8.0_144\bin"
>>>
>>> Import ca.crt into keystore:
>>>
>>> keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
>>>
>>> Enter the password to keystore: changeit
>>>
>>> Now the clients are ready to connect to OM via SSL https://vkc.company.com:5443.
>>>
>>> Nik
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected] <[email protected]>]
>>> *Sent:* Wednesday, August 23, 2017 8:58 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> I believe this is correct.
>>>
>>> will try to add "Self-signed" section to site
>>>
>>> On Wed, Aug 23, 2017 at 12:54 PM, Yakovlev N. <[email protected]> wrote:
>>>
>>> OK.
>>>
>>> I would like to sum up all the work with the SSL and I think one will be interesting for our community.
>>>
>>> 1. The self-signed certificates can be used but using of them requires some manual operations:
>>>
>>> 1.1. The certificates (root CA and server) must be installed into /opt/red5/conf/keystore.jks and /opt/red5/conf/truststore.jks on OM server as described at http://openmeetings.apache.org/RTMPSAndHTTPS.html page.
>>>
>>> 1.2. It's not necessary to add the root certificate into java/cacerts on OM server because all works OK with java/cacerts installed by default.
>>>
>>> 1.3. The root certificate must be added as trusted into the CA list on all windows PC at the system level (certmgr.msc applet).
>>>
>>> 1.4. The root certificate must be added as trusted into Firefox if it is used (FF has its own store for the certificates).
>>>
>>> 1.5. The root certificate must be added into %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes screensharing.
>>>
>>> 2. The use of real certificates is more preferable since it does not require as much work as described above.
>>>
>>> There are only two places where the certificates have to be installed: see 1.1 and 1.5 above.
>>>
>>> 3. The http://openmeetings.apache.org/RTMPSAndHTTPS.html page should be changed and supplemented.
>>>
>>> It will allow to exclude a lot of questions for OM users. Those questions that I had to meet.
>>>
>>> Is all correct?
>>>
>>> Nik
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>> *Sent:* Wednesday, August 23, 2017 7:41 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> I believe this is standard behavior for Windows systems
>>>
>>> On Tue, Aug 22, 2017 at 6:37 PM, Yakovlev N. <[email protected]> wrote:
>>>
>>> After adding CA into windows system store entering into rooms works good.
>>>
>>> Does FF use not only its own ca-store but the ca-store in system?! Or it's not FF?
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>> *Sent:* Tuesday, August 22, 2017 2:05 PM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> ERR_UNKNOWN_ISSUER most probably caused by the fact
>>>
>>> 1) server cert was added to trusted
>>>
>>> 2) CA was not added
>>>
>>> in case of Windows it worth to add CA at system level AND to the browser (CA tab with permission to verify sites code etc. I would check all checkboxes)
>>>
>>> On Tue, Aug 22, 2017 at 4:41 PM, Yakovlev N. <[email protected]> wrote:
>>>
>>> Yes, the ca certificate was added as trusted.
>>>
>>> I found one difference in behavior of FF when it connected to https-sites with the self-signed certificates.
>>>
>>> Typically, the first connection prompts you to add the site to an exception but OM server does not give us this option.
>>>
>>> See pls two screenshots.
>>>
>>> This occurs before the CA is added to the Trusted CAs lists. If first a root certificate is added to the CAs list then we can access an OM cabinet with green lock icon but will have the errors in the rooms as I wrote before.
>>>
>>> There is something in OM webserver…..
>>>
>>> Nik
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>> *Sent:* Tuesday, August 22, 2017 11:54 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> I guess CA was added to trusted CA's of FF?
>>>
>>> On Tue, Aug 22, 2017 at 3:40 PM, Maxim Solodovnik <[email protected]> wrote:
>>>
>>> This is the issue of "self-signed" certificate.
>>>
>>> "Real" certificate provides the way to ensure it wasn't revoked.
>>>
>>> I would recommend to set up one of the free real certificates to prod system
>>>
>>> On Tue, Aug 22, 2017 at 2:45 PM, Yakovlev N. <[email protected]> wrote:
>>>
>>> Hi Maxim,
>>>
>>> you were right when suggested to add a ca certificate into client machine with screensharing. I added the root certificate not correctly via "java control panel->security->manage certificates". It's wrong and not necessary.
>>> The certificate must be inserted into java/keystore with keytool utility.
>>>
>>> Now screen sharing works as expected.
>>>
>>> But...
>>>
>>> I tried to connect from another machines to the machine with screensharing and all worked fine with remote desktop if IE used but not Firefox.
>>>
>>> The error screenshots are attached and the errors take place when entering into any rooms.
>>>
>>> Do you know how to resolve it? And why only FF ?
>>>
>>> The latest version of FF and Adobe Flash Player for FF is used.
>>>
>>> Nik
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>> *Sent:* Monday, August 21, 2017 11:46 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> I guess first thing to do is to ensure
>>>
>>> jre is used by javaws
>>>
>>> and
>>>
>>> jre containing cacert
>>>
>>> is the same jre
>>>
>>> can be checked by inspecting PATH
>>>
>>> and checking which binaries are actually started using system task manager
>>>
>>> On Mon, Aug 21, 2017 at 3:00 PM, Yakovlev N. <[email protected]> wrote:
>>>
>>> First i tried to add only one CA certificate to java on a client machine.
>>>
>>> Then the site certificate was added for additional checking.
>>>
>>> Both cases are unsuccessful.
>>>
>>> What should I make next?
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>> *Sent:* Monday, August 21, 2017 9:51 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> Works for me
>>>
>>> What were your steps?
>>>
>>> BTW no need to add site certificate to trusted certs in case you are having Root CA. Verified Root CA will successfully validate site cert
>>>
>>> On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. <[email protected]> wrote:
>>>
>>> No,
>>>
>>> It did not help.
>>>
>>> The client machine is Windows, the CA root certificate (crt) and the client self-signed certificate (p12) have been added into java via java control panel->security->manage certificates.
>>>
>>> The full error log is :
>>>
>>> ERROR 08-21 09:39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {}
>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>>>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>>>     at sun.security.validator.Validator.validate(Unknown Source)
>>>     at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>>>     at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>>>     at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>>>     at sun.security.ssl.Handshaker.process_record(Unknown Source)
>>>     at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>>>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>>>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>>>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>>>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>>>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>>>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>>     at org.red5.client.net.rtmps.RTMPTSClientConnector.openConnection(RTMPTSClientConnector.java:139)
>>>     at org.red5.client.net.rtmps.RTMPTSClientConnector.run(RTMPTSClientConnector.java:64)
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>>>     at java.security.cert.CertPathBuilder.build(Unknown Source)
>>>     ... 27 common frames omitted
>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>
>>> No context named default was found!!
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>> *Sent:* Monday, August 21, 2017 8:45 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> You can fix it by adding self-signed CA to the java/cacerts at the "client" machine (The machine Screen-sharing web-app is started)
>>>
>>> On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <[email protected]> wrote:
>>>
>>> Tunneling RTMPS
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>> *Sent:* Monday, August 21, 2017 5:56 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> What type of SSL are you checking? "native" or "tunneled" ?
>>>
>>> On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. <[email protected]> wrote:
>>>
>>> Hi Maxim,
>>>
>>> Screensharing with SSL does not work.
>>>
>>> Java outputs the next errors:
>>>
>>> ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {}
>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>
>>> Where can the datastore for screensharing be placed and what is its file name?
>>>
>>> /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen ?
>>>
>>> Where should the password for this keystore be assigned?
>>>
>>> The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.properties files contain the following parameters:
>>>
>>> key="keystoreFile" value=......
>>>
>>> key="keystorePass" value=......
>>>
>>> key="truststoreFile" value=......
>>>
>>> key="truststorePass" value=......
>>>
>>> rtmps.keystorepass=xxxxx
>>>
>>> rtmps.keystorefile=conf/keystore.jks
>>>
>>> rtmps.truststorepass=xxxxx
>>>
>>> rtmps.truststorefile=conf/truststore.jks
>>>
>>> But for screensharing I could not find relevant information.
>>>
>>> Best regards,
>>>
>>> Nik
>>>
>>> *From:* Yakovlev N. [mailto:[email protected]]
>>> *Sent:* Saturday, August 19, 2017 8:23 AM
>>> *To:* [email protected]
>>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>>
>>> Hi Maxim,
>>>
>>> SSL is working fine.
>>>
>>> I found a mistake in http://openmeetings.apache.org/RTMPSAndHTTPS.html manual:
>>>
>>> All keytool commands must have the filename keystore.jks but not keystore without extension. :)
>>>
>>> This also applies to the filename truststore: it should be truststore.jks.
>>>
>>> Otherwise the names of keystore and truststore should be changed in /opt/red5/conf/red5.properties.
>>>
>>> Nik
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected] <[email protected]>]
>>> *Sent:* Saturday, August 19, 2017 7:23 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> I'll try to check steps with self-signed cert and will report back
>>>
>>> On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. <[email protected]> wrote:
>>>
>>> Hello Ramon,
>>>
>>> All the hope of Maxim….:)
>>>
>>> Nik
>>>
>>> *From:* Ramón Zárate Moedano [mailto:[email protected]]
>>> *Sent:* Saturday, August 19, 2017 2:22 AM
>>> *To:* [email protected]
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> Hello everyone ...
>>>
>>> i just cannot install SSL (from namecheap) ... this is beyond my skills.
>>>
>>> Is there someone who can help me with the installation in exchange for some money????
>>>
>>> Thanks in advance.
>>>
>>> 2017-08-18 1:23 GMT-05:00 Yakovlev N. <[email protected]>:
>>>
>>> Hi Maxim,
>>>
>>> Thanks for reply.
>>>
>>> I've reinstalled two times certificates but ssl does not work.
>>>
>>> 1. Both certificates root-CA and client one were added into /etc/pki/ca-trust/extracted/java/cacerts (this place is for Centos) with commands:
>>>
>>> keytool -import -keystore cacerts -file red5.crt -alias red5
>>>
>>> keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root
>>>
>>> 2. As you recommend OM was started with red5-debug + option "-Djavax.net.debug=all"
>>>
>>> Logs have nothing while a ssl session was established.
>>>
>>> To exclude the impact of browsers, I tried to start up a session using telnet.
>>>
>>> Sessions to port 5080 (none ssl) were fixed in logs but sessions to 5443 did not.
>>>
>>> In this case, the netstat command shows ESTABLISHED status to port 5443.
>>>
>>> Firewall is off.
>>>
>>> According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two config files have to be changed:
>>>
>>> 1. Edit red5/conf/jee-container.xml file:
>>>
>>> Comment Tomcat without SSL enabled section
>>>
>>> UNComment Tomcat with SSL enabled section
>>>
>>> 2. Edit red5/webapps/openmeetings/public/config.xml and set
>>>
>>> <protocol>https</protocol>
>>>
>>> <red5httpport>5443</red5httpport>
>>>
>>> Are these changes enough or need more?
>>>
>>> Best regards,
>>>
>>> Nik
>>>
>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>> *Sent:* Thursday, August 17, 2017 10:28 AM
>>> *To:* Openmeetings user-list
>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>
>>> Here is useful link
>>>
>>> I'm using these scripts (with some modifications) Chrome shows green icon :)
>>>
>>> https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
>>>
>>> On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <[email protected]> wrote:
>>>
>>> The steps on the site are for the "real" certificates ...
>>>
>>> 1) add certificate to trusted certs of Java
>>>
>>> means Java need to know about your certificate I'm using self-signed CA for testing and I'm adding it to
>>>
>>> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>>>
>>> Additionally I would recommend to run red5 using red5-debug and modify it by adding "*-Djavax.net.debug=all*" to see all SSL messages
>>>
>>> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <[email protected]> wrote:
>>>
>>> Hello Maxim,
>>> Don't worry that my question was missed because we all understand how much work you do.
>>> Your message made me return to the question of HTTPS for OM.
>>>
>>> So...
>>>
>>> 1) add certificate to trusted certs of Java
>>>
>>> Lets see an output of command keytool:
>>>
>>> cd /opt/red5/conf
>>> keytool -list -keystore keystore
>>> Enter keystore password:
>>> xxxxx
>>> Keystore type: JKS
>>> Keystore provider: SUN
>>>
>>> Your keystore contains 2 entries
>>>
>>> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
>>> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
>>> root, Aug 16, 2017, trustedCertEntry,
>>> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>>>
>>> Is it OK?
>>>
>>> 2) add certificate to trusted certs of browser (icon should be green)
>>> Done
>>>
>>> 3) correctly create red5 keystore/truststore
>>> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
>>> truststore is a copy of keystore
>>> OK?
>>>
>>> Maxim, I would like to draw on one detail.
>>> A simple way to test a SSL-connection is to use the next command:
>>> openssl s_client -connect FQDN:port
>>> For example,
>>> openssl s_client -connect www.mail.ru:443,
>>> openssl s_client -connect www.ya.ru:443
>>> and so on.
>>> This way does not use browsers and allows to test ssl-connections at a lower level than using browsers.
>>> This command does not work and hangs for my OM as I wrote before and I think that the question is not in the types of certificates (trusted or selfsigned ones).
>>> But where is the problem? I don't know yet...
>>>
>>> Nik
>>>
>>> -----Original Message-----
>>> From: Maxim Solodovnik [mailto:[email protected]]
>>> Sent: Wednesday, August 16, 2017 5:51 PM
>>> To: Openmeetings user-list
>>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>>
>>> Hello Nik,
>>>
>>> I'm trying to answer all emails, sorry if I missed yours :( To make self-signed certificate work with red5 you MUST
>>> 1) add certificate to trusted certs of Java
>>> 2) add certificate to trusted certs of browser (icon should be green)
>>> 3) correctly create red5 keystore/truststore
>>>
>>> to provide further help I need your detailed steps
>>>
>>> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <[email protected]> wrote:
>>> > Hi Andreas,
>>> > OK, your opinion is your opinion and I respect it.
>>> > We speak about an internal OM service but not about the world one...
>>> > I understand the trusted certificates are more preferable but in my case unnecessary I think.
>>> > I'm not sure blacklists are my cases...
>>> >
>>> > Nik
>>> >
>>> > -----Original Message-----
>>> > From: [email protected] [mailto:[email protected]]
>>> > Sent: Wednesday, August 16, 2017 4:18 PM
>>> > To: [email protected]
>>> > Subject: Re: [ANNOUNCE] HTTPS is now required
>>> >
>>> > Hi Nik,
>>> >
>>> > sorry - I cannot agree to your "I cannot agree". Most email client programs do check certificates and deny connections if certificate is not trusted. May be 5% will work - but 95% will not (and tomorrow percentage is higher than today). I can not recommend to use any self-signed certificate (except for internal tasks). Additionally maybe you are added to blacklists if you are "on the air" using a self-signed certificate.
>>> >
>>> > Best regards
>>> > Andreas
>>> >
>>> > Am Mittwoch, 16. August 2017, 16:01:52 CEST schrieb Yakovlev N.:
>>> >> I don't agree.
>>> >> I use selfsigned certificates on other corporate services successfully (mail, cloud and so on).
>>> >> Yes, browsers ask questions but this is no problem. In this case such certificates must be added as trusted ones.
>>> >>
>>> >> Nik
>>> >>
>>> >> -----Original Message-----
>>> >> From: [email protected] [mailto:[email protected]]
>>> >> Sent: Wednesday, August 16, 2017 3:44 PM
>>> >> To: [email protected]
>>> >> Subject: Re: [ANNOUNCE] HTTPS is now required
>>> >>
>>> >> Self-signed will not be accepted by most browsers and will not work. The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
>>> >>
>>> >> Try certificates from lets encrypt - they are free ;)
>>> >>
>>> >> Best regards
>>> >> Andreas
>>> >>
>>> >> Am Mittwoch, 16. August 2017, 15:25:17 CEST schrieb Yakovlev N.:
>>> >> > Hi, Maxim!
>>> >> > I have some problems with SSL and no ideas to solve them.
>>> >> > Five months ago I asked community how to install SSL on OM but nobody answered.
>>> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT )
>>> >> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me.
>>> >> > No any errors in logs, browser hangs and shows an empty page.
>>> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the left bottom side.
>>> >> > The "openssl s_client -connect vkc.krvostok.ru:5443" command hangs also and outputs only one line: CONNECTED(00000003).
>>> >> > Firewall is off, tcp-5443 port is listening on the OM host.
>>> >> >
>>> >> > Is there any roadmap of using selfsigned certificates for OM?
>>> >> >
>>> >> > Best regards
>>> >> > Nik
>>> >> >
>>> >> > -----Original Message-----
>>> >> > From: Maxim Solodovnik [mailto:[email protected]]
>>> >> > Sent: Wednesday, August 16, 2017 7:23 AM
>>> >> > To: Openmeetings user-list
>>> >> > Subject: [ANNOUNCE] HTTPS is now required
>>> >> >
>>> >> > Hello All,
>>> >> >
>>> >> > Google developers are trying to move WWW to HTTPS. To force this transition they restrict features available to HTTP sites in Chrome/Chromium. Latest restriction is: Camera and microphone will not be available to JS/Flash code for HTTP sites: proof:
>>> >> >
>>> >> > "Microphone and Camera access no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
>>> >> >
>>> >> > So please set up HTTPS for your OM site to prevent camera/microphone issues.
>>> >> >
>>> >> > --
>>> >> > WBR
>>> >> > Maxim aka solomax

--
WBR
Maxim aka solomax
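As an added example (not code from the OpenMeetings project or from anyone in this thread), here is a shell script that runs the server-side keystore steps from Nik's write-up with the checks a defender would want: the inputs are verified before any store is built, red5.properties is checked for the keystore.jks naming pitfall and for passwords that do not match the one given to keytool, and the handshake is tested with openssl s_client against ca.crt. It assumes openssl and keytool on PATH, ca.crt, red5.crt and red5.key in the working directory, and the hypothetical variables RED5_CONF and STOREPASS.

```shell
#!/bin/sh
# Added example, not code from the OpenMeetings project or the list thread.
# Builds the red5 keystore/truststore from ca.crt, red5.crt and red5.key as
# the thread describes, checking the inputs first and the result afterwards.
# Assumes openssl and keytool on PATH and the three PEM files in the current
# directory. RED5_CONF and STOREPASS are hypothetical variable names.
set -eu

RED5_CONF="${RED5_CONF:-/opt/red5/conf}"
STOREPASS="${STOREPASS:-changeit}"   # must equal the *pass keys in red5.properties

# Read one key=value from a Java properties file (last definition wins).
prop() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# red5.properties check: the pitfall reported in the thread is a store named
# "keystore" (no .jks) that red5 never loads, plus store passwords that differ
# from what keytool was given. Returns 0 if sane, 1 otherwise. Pure shell.
check_red5_properties() {
    props="$1"
    rc=0
    for key in rtmps.keystorefile rtmps.truststorefile; do
        case "$(prop "$key" "$props")" in
            *.jks) ;;
            *) echo "WARN: $key must point to a .jks file" >&2; rc=1 ;;
        esac
    done
    for key in rtmps.keystorepass rtmps.truststorepass jmx.keystorepass; do
        [ "$(prop "$key" "$props")" = "$STOREPASS" ] \
            || { echo "WARN: $key does not match STOREPASS" >&2; rc=1; }
    done
    return $rc
}

# Refuse to build stores from mismatched inputs: red5.crt must chain to ca.crt
# and red5.key must be the key of red5.crt. A chain that fails here is what the
# screensharing client later reports as "unable to find valid certification path".
verify_inputs() {
    openssl verify -CAfile ca.crt red5.crt
    [ "$(openssl x509 -in red5.crt -noout -pubkey)" = "$(openssl pkey -in red5.key -pubout)" ] \
        || { echo "red5.key does not belong to red5.crt" >&2; return 1; }
}

build_stores() {
    for f in keystore.jks truststore.jks; do
        if [ -f "$RED5_CONF/$f" ]; then mv "$RED5_CONF/$f" "$RED5_CONF/$f.bak"; fi
    done
    openssl pkcs12 -export -in red5.crt -inkey red5.key -certfile ca.crt \
        -name red5 -out red5.p12 -passout "pass:$STOREPASS"
    keytool -importkeystore -noprompt -srckeystore red5.p12 -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -srcalias red5 \
        -destkeystore "$RED5_CONF/keystore.jks" -deststorepass "$STOREPASS" -destalias red5
    keytool -import -noprompt -trustcacerts -alias root -file ca.crt \
        -keystore "$RED5_CONF/keystore.jks" -storepass "$STOREPASS"
    cp "$RED5_CONF/keystore.jks" "$RED5_CONF/truststore.jks"
    rm -f red5.p12                                   # contains the private key
    chmod 600 "$RED5_CONF/keystore.jks" "$RED5_CONF/truststore.jks"
    # Expected: two entries, "red5, ..., PrivateKeyEntry" and "root, ..., trustedCertEntry".
    keytool -list -keystore "$RED5_CONF/keystore.jks" -storepass "$STOREPASS"
}

# After the OM restart: does the handshake complete and does the chain validate
# against ca.crt? Pass condition is "Verify return code: 0 (ok)". Printing only
# CONNECTED(...) and then hanging, as in the thread, means the SSL connector in
# jee-container.xml is not active on that port. Uses coreutils timeout so a hang
# is reported as a failure instead of blocking.
check_handshake() {
    fqdn="$1"; port="${2:-5443}"
    out=$(printf 'Q\n' | timeout 15 openssl s_client -connect "$fqdn:$port" \
          -servername "$fqdn" -CAfile ca.crt 2>&1) || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

main() {
    [ "$#" -ge 1 ] || { echo "usage: $0 FQDN [port]" >&2; return 2; }
    check_red5_properties "$RED5_CONF/red5.properties" \
        || echo "fix red5.properties before restarting OM" >&2
    verify_inputs
    build_stores
    echo "Stores built. Restart OM, then run: check_handshake $1 ${2:-5443}"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```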
