Is the red5 video plugin secure?

I have http_bind ssl working on port 8443 and my sparkweb client is working on the same port. When I use the text chat feature and a packet sniffer I can see the packets are encrypted. Is it the same with the audio/video?

It seems that audio/video connects to the red5 server on port 1935 which I think is unsecure. If that is the case, is it possible to edit the client files so that it uses port 1936 and then enable that port on the red5 server? I have looked through the client (flex) source code and couldn’t find where the port it uses is set.

Thanks for any pointers or assistance you may be able to provide in getting this going.

I think I may have found my answer. In the SparkWeb.mxml there is a function called activate() which contains:

nc.connect(red5url);

red5url can be defined from the index.html page (I think) but in order to make it secure the red5 server would need to be enabled for rtmpts. The red5 server version 7 (the current latest stable) does not support that but the latest version in svn does. It looks like I would need to figure out how to use the latest version of red5 (from svn) and convert that into the plugin to get the functionality I am after.

If anyone can confirm this, I would find that useful.

I figured out that to make it secure you can use rtmps as the protocol string in the movie which will then connect to port 443 of your server. On port 443 you can run apache and set up a virtual host containing this:

#############################################
# START: Red5 integration
#############################################
# ProxyPass (reverse proxying) does not need forward proxying, so keep
# ProxyRequests Off; "On" with "Allow from all" makes the server an open proxy.
ProxyRequests Off
ProxyPreserveHost On
ProxyVia full

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /send http://localhost:8000/send
ProxyPassReverse /send http://localhost:8000/send

ProxyPass /idle http://localhost:8000/idle
ProxyPassReverse /idle http://localhost:8000/idle

ProxyPass /close http://localhost:8000/close
ProxyPassReverse /close http://localhost:8000/close

ProxyPass /open http://localhost:8000/open
ProxyPassReverse /open http://localhost:8000/open

ProxyPass /oflademo http://localhost:8443/oflademo
ProxyPassReverse /oflademo http://localhost:8443/oflademo

ProxyPass /red5/viewer http://localhost:8080/red5/viewer
ProxyPassReverse /red5/viewer http://localhost:8080/red5/viewer

# START: Screen sharing with red5
ProxyPass /red5/screen/screenviewer.jar http://YOUR_DOMAIN_NAME:8443/red5/screen/screenviewer.jar
ProxyPass /red5/screen/commons-collections-3.1.jar http://YOUR_DOMAIN_NAME:8443/red5/screen/commons-collections-3.1.jar
ProxyPass /red5/screen/commons-logging-api.jar http://YOUR_DOMAIN_NAME:8443/red5/screen/commons-logging-api.jar
ProxyPass /red5/screen/commons-logging.jar http://YOUR_DOMAIN_NAME:8443/red5/screen/commons-logging.jar
ProxyPass /red5/screen/quartz-all-1.6.0.jar http://YOUR_DOMAIN_NAME:8443/red5/screen/quartz-all-1.6.0.jar
ProxyPass /red5/screen/kunststoff.jar http://YOUR_DOMAIN_NAME:8443/red5/screen/kunststoff.jar
ProxyPass /red5/screen/jta.jar http://YOUR_DOMAIN_NAME:8443/red5/screen/jta.jar
# END: Screen sharing with red5
#############################################
# END: Red5 integration
#############################################

The above assumes that you have the http bind ssl port set at 8443 within the openfire admin interface. The above means the request from the flash will be sent to apache, which will act as a proxy server for red5 (which is the one running on port 8000). The 4 URLs /open, /close, /idle and /send are the ones used during an rtmp(t)/(s) connection.

That is quite correct. I generally do not update the red5 plugin with red5 SVN versions (red5phone was the exception). If you do get the SVN version working with RTMPTS, then I will be quite happy to update the red5 plugin with it. I suspect that you could get it to work with the plugin right now if you modify red5-rtmpt.xml.

<!-- see: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL -->
<!--
<bean id="sslConnector"
    class="org.mortbay.jetty.security.SslSocketConnector">
    <property name="host" value="127.0.0.1" />
    <property name="port" value="1936" />
    <property name="maxIdleTime" value="30000" />
    <property name="keystore" value="${red5.config_root}/keystore.jmx" />
    <property name="password" value="password" />
    <property name="keyPassword" value="password" />
    <property name="truststore" value="${red5.config_root}/truststore.jmx" />
    <property name="trustPassword" value="trustword" />
</bean>
-->

But you may have to deal with certificates before it all works.

Thanks for replying.

I currently have the sparkplug red5 plugin (for use with the spark client not sparkweb) working with rtmps using apache as the proxy server. I am using apache because Red5 did not support rtmps until a very recent version (revision 2819 onwards in Red5 SVN version 7 - see http://gregoire.org/2008/05/26/rtmps-in-red5/). I have made an assumption that the build of Red5 in the red5-plugin is not the most recent one from Red5’s svn repo (I tried to integrate the latest Red5’s svn version with the openfire red5-plugin but couldn’t get it working).

I would be interested in getting SparkWeb running with rtmps (tunnelled) as well but I haven’t really managed to figure out how to do it. For some reason looking at SparkWeb confuses me. The URL used to connect to Red5 is:

rtmps:/sip

This is clearly something to do with the sip side of things and I don’t have Asterisk set up and lack the time to learn. In the sparkplug the URL I use is:

rtmps:/oflaDemo

When I use rtmps for video I am using /oflaDemo. I think this is maybe something completely different from /sip, is that the case?

In reality, I have things set up pretty much as I need them for now. I am happy to help people who want to get it running as I have (I have had to modify a few classes to get it working, and a few more to get it working on Linux) but if I have a steep learning curve to learn the /sip part it is probably more of a stretch than I can manage right now.

Finally, yes, I am having trouble with certificates. My self signed simply do not do the job, especially as I have converted the red5 sparkplug browser opening code to run with mozswing and xulrunner for Linux compatibility. I am currently waiting for a real SSL certificate to see if it will fix this problem. I would offer the new browser opening code back to openfire but it is large, 19 Meg due to xulrunner. I may chat with Isaac who seems to be managing the red5 spark plugin if I get it working when my ssl certificate arrives.

Red5 is a great plugin by the way, there is no way I could have gotten any form of secure video/audio working without it. Thanks for your work on it.

I will put rtmpts with red5 on my todo list

Red5 SparkWeb uses the same method as Spark red5 plugin to get the red5 url for red5 audio/video calls. It is stored as a global parameter in Openfire and configured from the plugin config web page in Openfire web console. By default it is rtmp:/oflaDemo. The red5 properties file is to enable it to be changed on the client (Red5 SparkWeb does not use red5.properties).

Red5phone (embedded in SparkWeb) uses the rtmp:/sip application. Because there is also a standalone version which does not use Openfire, this parameter was not stored in Openfire, but as part of SparkWeb web page parameters. If you do not need to call SIP hard phones or analog telephones over the PSTN, then you do not need it and red5 calls should just do fine. You however do not need Asterisk to use it as most voice ISPs have their own proxy servers. I use it with www.voiptalk.org in the UK.

The browser opening code will be most useful, especially for Mac users. The Spark web browser does not work with flash on Macs and I am currently sourcing a solution, so anything posted on it will be very, very useful.

Thanks for the kind words. One last thing you can do to make it all worthwhile is to post a short document in the documents section about how to set up secure audio/video with openfire and red5.

I would find getting rtmps support into Red5 very useful so would love it if you built in support.

I have sent you an email about how I made the code changes to get browser support in Linux from the red sparkplug. It works with rtmpt but I am waiting on a non-self signed certificate to see if it works with rtmps. As I say, it doesn’t work with a self signed certificate. That would be something else to consider before using the code I sent!

I am happy to provide a document detailing how I got the red5 sparkplug to work over rtmps. Can you provide a link to the documents section? I couldn’t find it.

One other thing, I found changing the http bind port for ssl difficult to do in Openfire 3.0.6a. It always seemed to set the value to 0 (but it did update the value in the database) after I tried to change it. I have had to modify openfire.jar to make it work (I have just hard coded in a value of 8443). Is there a place I can file a bug report on this?

Red5 Plugin Documents

http://www.igniterealtime.org/community/community/plugins/red5?view=documents

Openfire Support Discussion

http://www.igniterealtime.org/community/community/support/openfire_(formerly_wildfire)_support

They both lead to 404’s for me. I did find this page:

http://www.igniterealtime.org/projects/openfire/plugins-beta.jsp

and this one:

http://www.igniterealtime.org/projects/openfire/documentation.jsp

but no way to add a document.

I have also now tested with a non-self signed SSL certificate and the browser opening code I am using works fine with it.

Clearspace is playing up. Just paste the link into a browser

http://www.igniterealtime.org/community/community/plugins/red5?view=documents

http://www.igniterealtime.org/community/community/support/openfire_(formerly_wildfire)_support

I have dropped a document describing how to get Spark with Red 5 working for rtmps here:

http://www.igniterealtime.org/community/docs/DOC-1633

I have also attached the files that I had to modify so no additional compilation should be necessary.

Did you get the email I sent you? It went to the address that appears when I hover my mouse over your name.

Thanks for doing the document. You are a good person.

I have tested your document and it's all working. I checked the audio/video ports through wireshark and it shows the rtmp protocol while attempting a red5 call, but I need the rtmps or tls protocols. Please tell me what the further ssl settings are. I also modified red5-rtmpt.xml for ssl but I failed to do that.

Where can we provide a valid SSL certificate? I provided it in /etc/openfire/security/ after creating my own ssl certificates.

http://docs.codehaus.org/display/JETTY/How+to+configure+SSL?

Mudassir

I don’t have a lot to go on from what you are saying. In wireshark which port number do you see? It should be either 80 (non-ssl) or 443 (SSL). RTMPS is simply RTMP over HTTPS. So if you are seeing port 443 being used then I think you will be OK.

I never did manage to get my own SSL certificate into Openfire but the one I use for Apache seemed to be enough to get the job done.

I also didn’t have to edit the red5-rtmpt.xml file you mentioned.

Thanks @klogger

I installed openfire 3.6a with the latest spark 2.5.8 beta on my Ubuntu box with apache settings in httpd.conf as you mention in your document. All is working (audio/video conference, red5 call, desktop sharing, chat…). On wireshark I saw jabber on chat and rtmp on audio/video meetings. In this scenario I installed everything according to your document and did not modify anything else.

I need secure (encrypted) chatting and conferencing??

Would secure (encrypted) chat be possible???

I successfully tested your spark client (with multiple features), sparkweb, red5 calls and desktop sharing on both linux and windows platforms.

I hope you would understand my scenarios.

Thanks in advance

Mudassir

Secure audio and video is possible as I have it set up and working here. It is a little difficult to say why it isn’t working for you as I can’t see your wireshark, configuration files, log files etc. When I have wireshark running I can see a whole lot of TLSV1 and SSL packets. When I click on one of them I can see it is running over port 443, which is the apache secure proxy port.

I assume that you have apache and openfire running on the same box?

When you say you have video chat working, you are using Spark with the Red5 plugin?

What port numbers are shown in wireshark for your rtmp packets?

My guess is that your spark client is connecting directly to openfire. In your home directory there should be a file:

/home/$YOUR_USER_DIRECTORY/.Spark/plugins/red5-plugin/red5.properties

It should look something like this:

server=example.com

https.port=443

http.connection.protocol=https

red5.protocol=rtmps

As you say you are seeing rtmp then I assume that your installation of Spark and the red5 plugin is not quite working correctly.

Another thing to look out for is the Spark connection flowing through your Apache log files. Have a look in there and see if you can see anything like this:

192.168.0.1 - - [14/Sep/2008:23:22:16 +0100] "GET /red5/video/video320x240.lzx.swf HTTP/1.1" 200 74817 "https://red5.example.co.uk/red5/video/video320x240.html?me=gavin&you=fred&bw=200000&pq=0&fps=30&msr=44&url=rtmps://red5.example.co.uk/oflaDemo&date=Sun%20Sep%2014%2023:22:02%20BST%202008" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
192.168.0.1 - - [14/Sep/2008:23:22:17 +0100] "GET /red5/video/myVideo3.swf HTTP/1.1" 200 66 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"

If you have that then your Spark client is requesting the Flash movie (that enables audio/video conferencing) and telling the movie to connect using rtmps.
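The two checks described in this reply, as an added example that is not part of the original post: it audits a red5.properties file for the protocol settings shown above and scans Apache combined-format access-log lines for player loads whose url= parameter is not an encrypted scheme. The function names are hypothetical, and the sample properties and log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Settings from the red5.properties sample in the post that select the encrypted path.
REQUIRED = {"http.connection.protocol": "https", "red5.protocol": "rtmps"}
# rtmps and rtmpts run over TLS; rtmp and rtmpt do not.
ENCRYPTED_SCHEMES = {"rtmps", "rtmpts"}
# Apache "combined" format: ip ... "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<req>[^"]*)" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')


def audit_properties(text):
    """Return {key: (found, required)} for each setting that is missing or wrong."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return {k: (props.get(k), v) for k, v in REQUIRED.items() if props.get(k) != v}


def cleartext_sessions(log_text):
    """Return (client_ip, media_url) for player loads told to use an unencrypted scheme."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue
        # The video page receives the Red5 URL in its url= query parameter, which
        # Apache records in the Referer field when the page fetches the .swf movie.
        for url in parse_qs(urlsplit(m["ref"]).query).get("url", []):
            if urlsplit(url).scheme.lower() not in ENCRYPTED_SCHEMES:
                hits.append((m["ip"], url))
    return hits


# Constructed sample: a properties file that still selects plain rtmp.
SAMPLE_PROPS = """server=example.com
https.port=443
http.connection.protocol=https
red5.protocol=rtmp
"""

# Constructed sample log: one rtmps load, one rtmp load, one request with no referer.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [14/Sep/2008:23:22:16 +0100] "GET /red5/video/video320x240.lzx.swf HTTP/1.1" '
    '200 74817 "https://red5.example.com/red5/video/video320x240.html?me=a&you=b'
    '&url=rtmps://red5.example.com/oflaDemo" "Mozilla/5.0"',
    '192.0.2.20 - - [14/Sep/2008:23:25:01 +0100] "GET /red5/video/video320x240.lzx.swf HTTP/1.1" '
    '200 74817 "http://red5.example.com/red5/video/video320x240.html?me=c&you=d'
    '&url=rtmp://red5.example.com/oflaDemo" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Sep/2008:23:22:17 +0100] "GET /red5/video/myVideo3.swf HTTP/1.1" '
    '200 66 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    print("properties problems:", audit_properties(SAMPLE_PROPS))
    print("cleartext sessions:", cleartext_sessions(SAMPLE_LOG))
```

A clean result only shows what the client was told to use; the port seen in wireshark remains the confirmation that the media actually travels over 443.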

Thank you for your guidelines

  1. I installed apache2 and openfire3.6a on the same box

  2. I tried to download the red5 plugin for openfire from http://www.igniterealtime.org/projects/openfire/plugins-beta.jsp, but website access was disabled, so I copied red5.war, which was attached in openfire-red5-spark-rtmps-required-files.zip with your document, and copied it according to your instructions. It created the red5 folder and everything was nice and fine except rtmps.

  3. Spark with red5 plugin

  4. I set Red5.properties for every user in /home//.Spark/plugins/red5-plugin/Red5.properties; I set the same as in windows (Document & Settings/user/Spark/plugin/red5/…)

server=linux147

https.port=443

http.connection.protocol=https

red5.protocol=rtmps

I installed a fresh openfire with no extra settings.

I attached screen shots as well as the apache log with this email.

Mudassir
SEMS_Openfire.tar.gz (2509872 Bytes)

Spark log

Oct 30, 2008 9:18:49 AM org.jivesoftware.spark.util.log.Log error

SEVERE: Red5-Error: Properties-file does not exist=

/home/mudassir/Spark/red5.properties

Oct 30, 2008 9:18:49 AM org.jivesoftware.spark.util.log.Log warning

WARNING: Bandwidth = 25600

Oct 30, 2008 9:18:49 AM org.jivesoftware.spark.util.log.Log warning

WARNING: Pic Quality = 0

SEVERE: Message recieved/sent <phone-event
type="org.jivesoftware.phone.

client.PhoneEvent$EventStatus@266230"
callID=“md9Ys-40”

ring|mudassir@linux147/spark|25600|0|15|8|rtmp:/oflaDemo|7070|red5</ callerID>mudassir
JavaSound Capture Supported = false

openfire error.log

at org.red5.server.war.WarLoaderServlet.contextInitialized(WarLoaderServlet.java:114)
at org.mortbay.jetty.handler.ContextHandler.startContext(ContextHandler.java:540)
at org.mortbay.jetty.servlet.Context.startContext(Context.java:135)
at org.mortbay.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1220)
at org.mortbay.jetty.handler.ContextHandler.doStart(ContextHandler.java:510)
at org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:448)
at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:39)
at org.mortbay.jetty.handler.HandlerCollection.doStart(HandlerCollection.java:152)
at org.mortbay.jetty.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:156)
at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:39)
at org.mortbay.jetty.handler.HandlerCollection.doStart(HandlerCollection.java:152)
at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:39)
at org.mortbay.jetty.handler.HandlerWrapper.doStart(HandlerWrapper.java:130)
at org.mortbay.jetty.Server.doStart(Server.java:222)
at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:39)
at org.jivesoftware.openfire.http.HttpBindManager.changeHttpBindPorts(HttpBindManager.java:274)
at org.jivesoftware.openfire.http.HttpBindManager.setHttpBindPorts(HttpBindManager.java:238)
at org.jivesoftware.openfire.admin.http_002dbind_jsp.handleUpdate(http_002dbind_jsp.java:28)
at org.jivesoftware.openfire.admin.http_002dbind_jsp._jspService(http_002dbind_jsp.java:104)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:66)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:42)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:70)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:99)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:843)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)

openfire info.log

2008.10.30 09:12:54 Openfire 3.6.0 [Oct 30, 2008 9:12:54 AM]
2008.10.30 09:13:14 Server halted
2008.10.30 09:14:03 Openfire 3.6.0 [Oct 30, 2008 9:14:03 AM]
2008.10.30 09:14:09 Admin console listening at http://127.0.0.1:9090
2008.10.30 09:14:09 Server halted
2008.10.30 09:16:39 Openfire 3.6.0 [Oct 30, 2008 9:16:39 AM]
2008.10.30 09:17:07 Admin console listening at http://127.0.0.1:9090
2008.10.30 09:19:23 Missing database schema for openfire. Attempting to install…
2008.10.30 09:19:24 Database update successful.
2008.10.30 09:20:59 Publish-Subscribe domain: pubsub.linux147
2008.10.30 09:20:59 Multi User Chat domain: conference.linux147
2008.10.30 09:21:07 Initializing red5 Plugin
2008.10.30 09:21:07 Registering red5 as a component
2008.10.30 09:21:07 Starting PacketHandler
2008.10.30 09:21:07 Creating web service red5
2008.10.30 09:21:07 Started server (unencrypted) socket on port: 5269
2008.10.30 09:21:07 Started plain (unencrypted) socket on port: 5222
2008.10.30 09:21:07 Started SSL (encrypted) socket on port: 5223
2008.10.30 12:59:51 Openfire stopped
2008.10.30 12:59:51 Server halted
2008.10.30 12:59:59 Publish-Subscribe domain: pubsub.linux147
2008.10.30 12:59:59 Multi User Chat domain: conference.linux147
2008.10.30 13:00:01 Openfire 3.6.0 [Oct 30, 2008 1:00:01 PM]
2008.10.30 13:00:04 Admin console listening at:
http://linux147:9090
https://linux147:9091
2008.10.30 13:00:04 Initializing red5 Plugin
2008.10.30 13:00:04 Registering red5 as a component
2008.10.30 13:00:04 Starting PacketHandler
2008.10.30 13:00:04 Creating web service red5
2008.10.30 13:00:04 Started server (unencrypted) socket on port: 5269
2008.10.30 13:00:05 Started plain (unencrypted) socket on port: 5222
2008.10.30 13:00:05 Started SSL (encrypted) socket on port: 5223