ck0r00的部落格

Here are the staircase to set up SSL in surviving Red5 postulation. This article is conformation in the noesis you have rudimentary ease of Red5 or you are alive of how Red5 applications are improved.

Software necessary on contrivance where on earth Red5 dining-room attendant is installed:-

1: Open SSL //Open beginning SSL libraries necessary for aggregation Stunnel

2: Stunnel //Open wellspring SSL peignoir software system uses amenable SSL industrial plant some on
Windows and Linux.

3: gcc // The GNU C writer (although it ever bundled with Linux
Machine, but I did not brainwave it. Necessary if you are aggregation the
Open SSL and Stunnel from cause. Not essential if using RPM

Configuration requisite on waiter machine:-

1:- Install the Open SSL (if windows use exe RPM or cause for Linux appliance can be downloaded from openssl website).

2:- Install Stunnel (if windows, use exe otherwise RPM or edition from foundation is preferred, can be downloaded from stunnel website). Make confident that you once have compiled Open SSL in your mechanism before legal proceeding next to the instalment of Stunnel; other it will neglect to salt away.

Under Linux the tenet speech act to pile up Stunnel from starting point are described down below. For any news delight e'er locomote the beginning briefing fixed their website.

machine# gzip -dc stunnel-VERSION.tar.gz tar -xvzf -
machine# cd stunnel-VERSION
machine# ./configure
machine# make
machine# form install

There are various configurations that be different based on your electronic computer and environment. That can be publication from the website itself.

3:- Running Stunnel (There are respective distance/mode you can run the stunnel. Follow the FAQ at your disposal in their website to make up one's mind the best which matches your requirements).
To run stunnel, you ever dictate a structure directory. The practice of fashioning preview pattern folder (stunnel.conf) is delineate downwards.

The indication arrangement directory previously owned was similar to this:

sample.conf

; Sample stunnel configuration record by Sunil Gupta 2007
; Some options in use here may not be fair for your individual configuration

; Certificate/key is required in dining-room attendant mode and optional in patron mode
; The non-attendance credential is provided sole for testing and should not
; be used in a productivity environment

cert = /etc/stunnel/stunnel.pem
;chroot = /var/run/stunnel/
pid = /stunnel.pid
key = /etc/stunnel/stunnel.pem

; Some reading tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's habitually easier to use CAfile
;CAfile = certs.pem
; Don't bury to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging shove effective for troubleshooting
debug = 7
Output = /var/log/stunnel.log
foreground=yes
; Use it for patron mode
; consumer = yes
; Service-level configuration

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20

; vim:ft=dosin

Finish

Note: - When you put in Stunnel, you get a default taste file, which is not adequate in furthermost of the cases to run the flash candidature. The additions to configuration report I made are as follows.
Also the row having ; in the beginning denotes the commented component in record.

cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem

pem tiered seats for 'privacy increased mail' in use as a key formatting. The preceding two lines tells the position of pem files entail to be generated. This will be configured by human. The preceding is the high-grade position for Stunnel tho' you can loose change it to any in demand location.

;Some activities tunings

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

The preceding two lines are for well again narration of Stunnel in our defence.

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

The preceding splash is a bug in a ad hoc platform, since we are moving it in Linux; we commented this line, although it could be requisite in some overnight case.

; Some debugging shove utile for troubleshooting
debug = 7
Output = /var/log/stunnel.log
foreground=yes

The above lines are remarkably important, Because Stunnel by defaulting run in situation style. You will never be able to see if it is running. So finer to put it in foreground, so that you can trade name positive that stunnel is moving properly. Also the correct = 7 is terribly essential since by absence stunnel does not make any log. You can funnel him to generate log, so that you can rectify your candidature by sighted all those log messages. The preceding mentioned log calendar is non-attendance Linux handbook wherever all association kindling are generated.

; Use it for case mode
; client = yes

In the sample plan file, you will always insight this alternative un-commented prima to a conflicting architecture, since we are running Stunnel in waiter fashion not punter mode, so we will remark this dash.

[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20

And the enormously closing lines are mentioned preceding. In the representative configuration file, you will ne'er find rtmps and it is not even mentioned everywhere in Stunnel. The non-attendance record contains lone https, add rtmps like it is supplementary present. Also adopt anchorage is 443, which is the non-attendance marina utilised for secure letter and it is initiate same wharf 80 in all corporate firewalls in plain. This marina is to judge the intersection from flash and to get the encrypted collection. The relate left is 80; this is the quay where stunnel will pass on the decrypted accumulation to red5 server.
The TIMEOUTconnect and TIMEOUTclose can be utilitarian in both cases once the server where the collection is being forwarded by Stunnel is delaying the tie. This is to fashion assured that connection is closed lone once restaurant attendant is not responding at all. The convenience is in seconds (i.e. 20 sec.)

Now in direct to run your request beneath protected connection, you need a papers to be created on the mechanism where the Stunnel is installed. The route for creating a tag and the practical file to put this certification is delineated to a lower place.

Use of certificate:-

When an SSL patron connects to an SSL server, the waiter presents a certificate, essentially an physics bit of substantiation that appliance is who it claims to be. This tag is autographed by a 'Certificate Authority' (hereafter a CA) - by tradition a trusty third carnival suchlike Verisign. A shopper will accept this authorization simply if
The authorization presented matches the closed-door key anyone utilised by the far end.
The document has been signed aright by the CA. The client recognizes the CA as trusty.

Every stunnel waiter has a close key. This is contained in the pem directory which stunnel uses to determine its identity. If we announcement above, we have specified the comment of this pem wallet in the begin of our design folder below foregone conclusion.

This quiet key is put in /usr/local/ssl/certs/stunnel.pem.

Note:-Under case manner we need not to have qualification in most of the cases, but if we are running it in restaurant attendant mode, we demand a credentials. Since we are exploitation waiter mode, I have generated a self permit.

To be paid certificate:-

1: Go to /etc/stunnel book of facts and
2: Run the shadowing command:-'

openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

This creates a esoteric key and self-signed card. More news on the options of this can be read from FAQ writing of Stunnel website.

While execution the command, it will ask for several questions like Country, City, Company etc., Give the answer of those and it will make the key and self certificate.

4:- Put your example.conf database in /etc/stunnel alphabetical listing wherever the .pem report was created nearer.

5:- Start Stunnel by issue the speech act -

machine# stunnel stunnel.conf

If you are /etc/stunnel reference book other finished track of configuration file-

machine# stunnel /etc/stunnel/stunnel.conf

The above bid will arrival the stunnel and you can confirm the log from /var/logs/stunnel.log directory.

Red5 server broadside changes:-

6:- Now stunnel is up and running, we condition to rework the Red5 shape to adopt the linkage from Stunnel.

Go to red5 instalment yearbook and dig out for conf ring binder where on earth all red5 pattern files be present.

Open red5.properties database and below rtmps.host_port assets put 443. The illustration directory can be close to down.

rtmp.host_port = 0.0.0.0:1935
rtmp.threadcount = 4
debug_proxy.host_port = 0.0.0.0:1936
proxy_forward.host_port = 127.0.0.1:1935
rtmps.host_port = 127.0.0.1:443
http.host=0.0.0.0
http.port=5080
rtmpt.host=0.0.0.0
rtmpt.port=80

Flash punter on the side changes:-

7:-Now we are through near restaurant attendant side, In command to run postulation beneath SSL, we want to variation the buyer loin protocol from rtmp to rtmps same beneath. And hive away the flash consumer and run it on browser, a credential will pop up, adopt it and the contention will run underneath SSL.

nc.connect ("rtmps://yourip/applicationname"); //used rtmps in place of rtmp

To get all Red5 media server attached stuffs, call on the website below-