Is the red5 video plugin secure?

The most obvious looking problem is that Spark is not finding your red5.properties file. For some reason it is looking in:

/home/mudassir/Spark/red5.properties

when it should be looking in:

/home/mudassir/.Spark/plugins/red5-plugin/red5.properties

Notice the ‘.’ before ‘Spark’ in my folder path as well, which is missing on yours. I am using Debian, which should be the same as Ubuntu; but there is a chance I am wrong.

I guess the easiest solution for now is to simply move the properties file to where Spark is looking for it. It was a little while ago that I was getting this to work and I can’t remember exactly how Spark looks for the properties file. I do know that I had to modify the Red5 plugin source code to make it look in the correct place. If I remember correctly (and I am not sure that I do) yours is still looking in the old location for some reason.

I can see from your screengrabs that you are connecting to port 1935, which is the default insecure port on Red5. If you look in dd7.png, in the second window down and the 4th line from the top of that window it says:

Src Port: macromedia-fcs (1935)

I am assuming that because Spark didn’t find the properties file, it is now reverting back to its default values and so not opening a secure connection to Apache (which then forwards the request on to Red5 at localhost).

Something else I notice is that in your screengrab ‘Screenshot.png’ of the Openfire admin console, your HTTP Binding port is set at 7443. Mine is set at 8443 and if you used the replacement openfire.jar (?? not 100% sure of the name) file I included with the document then I think I hard coded that to use port 8443. I did that because in my installation of Openfire I could not set the Secure HTTP_BIND port at all; I am unsure why. I would suggest changing your setting to 8443 if possible. I can’t remember if that will make a difference off the top of my head.

Your VirtualHost setting looks fine to me.

Your Apache log file doesn’t show any connections coming through Apache, I am hoping that if you move the red5.properties file then you may start to see something there.

I don’t see any problems in your openfire_info.log - good.

Could I also check that you have moved the necessary folder (sorry, I forget which one off the top of my head! - the document should say) from the Openfire Red5 plugin folder to the location that your VirtualHost is looking for it? Your VirtualHost is looking in /var/www/red5. I think there were also a couple of modified files (which should be attached to the document) that needed to be copied into the /var/www/red5 folder.

Something else I notice from your screengrabs (dd8.png) is that you are using Firefox 3 on KDE. If you are running on Linux then the code I am using uses XULRunner to open the video chat window. As you are using Firefox, XULRunner is not handling the window opening. This would suggest that you are not using the correct version of the red5-plugin.jar. Your

/home/gavin/.Spark/plugins/red5-plugin/lib

should contain a jar file called:

red5-plugin-modified.jar

However, if you are using the wrong version of red5-plugin.jar then I am not sure how you could have gotten the additional properties in your red5.properties files that I added in order to enable support for rtmps. Just double check that the version of red5-plugin.jar that you are using is the one attached to the document.

You are right, I am using the old Red5 plugin for Spark. Now I have reinstalled my Spark following your document’s instructions with the attached Red5 plugin (size 1.9MB)

WARNING: Red5-Info: Properties-file does exist= /home/mudassir/.Spark/plugins/red5-plugin/Red5.properties
Oct 31, 2008 4:15:04 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Red-Info: Red5-servername from properties-file is=
Oct 31, 2008 4:15:04 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Red5-Info: Red5-port from properties-file is= 443
Oct 31, 2008 4:15:04 PM org.jivesoftware.spark.util.log.Log warning
WARNING: red5URL [rtmps:///oflaDemo

but when i open roster it says

Unable to resolve XULRunner home location

WARNING: xulrunnerLocaltion [/home/mudassir/.Spark/plugins/red5-plugin/xulrunner/linux]
Oct 31, 2008 4:15:16 PM org.mozilla.browser.common.XULRunnerFinder checkXULRunner
WARNING: Invalid mozswing xulrunner java property: mozswing.xulrunner.home=/home/mudassir/.Spark/plugins/red5-plugin/xulrunner/linux
Oct 31, 2008 4:15:16 PM org.mozilla.browser.MozillaInitialization initialize
SEVERE: failed to initialize mozilla
java.io.IOException: Unable to resolve XULRunner home location
at org.mozilla.browser.MozillaInitialization.initialize(MozillaInitialization.java:98)
at org.mozilla.browser.MozillaPanel.<init>(MozillaPanel.java:147)
at org.mozilla.browser.MozillaPanel.<init>(MozillaPanel.java:129)
at org.jivesoftware.spark.plugin.red5.SparkBrowser.<init>(SparkBrowser.java:63)
at org.jivesoftware.spark.plugin.red5.Red5Plugin.displayConfBrowser(Red5Plugin.java

I also copied xulrunner to /home/mudassir/.Spark/plugins/red5-plugin/xulrunner/linux but it fails!!!

I also found red5-plugin-modified.jar in the above Red5 plugin,

but when I take the Red5 plugin from

http://demo.free-solutions.ch/clearspace/docs/DOC-1066 (size 70.3 KB), everything works fine except encryption; also there is no red5-plugin-modified.jar in this!

Mudassir
spark—logs.tar.gz (850557 Bytes)
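A small checker for the Spark log format posted above, written here as an added example (it is not the plugin’s code and not from anyone in this thread): it pulls the Red5 server, port and URL out of the WARNING lines and flags the conditions the earlier reply warned about (an empty server name because the properties file was not read, a plain rtmp URL, and Red5’s default 1935 port instead of the Apache SSL port). The three log samples inside the script are constructed in the same format, with a made-up user and host; the check names and messages are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the Spark Red5-plugin log posted in this
# thread (timestamp line, then a "key= value" WARNING line); not a captured file.
BAD_LOG = """\
Oct 31, 2008 4:15:04 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Red5-Info: Properties-file does exist= /home/user/.Spark/plugins/red5-plugin/Red5.properties
Oct 31, 2008 4:15:04 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Red-Info: Red5-servername from properties-file is=
Oct 31, 2008 4:15:04 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Red5-Info: Red5-port from properties-file is= 443
Oct 31, 2008 4:15:04 PM org.jivesoftware.spark.util.log.Log warning
WARNING: red5URL [rtmps:///oflaDemo
"""

# Constructed: properties file found, but left at plain-RTMP values (timestamp lines omitted).
DEFAULT_LOG = """\
WARNING: Red5-Info: Properties-file does exist= /home/user/.Spark/plugins/red5-plugin/Red5.properties
WARNING: Red-Info: Red5-servername from properties-file is= 10.1.1.147
WARNING: Red5-Info: Red5-port from properties-file is= 1935
WARNING: red5URL [rtmp://10.1.1.147/oflaDemo
"""

# Constructed: the later log variant from this thread, with a server name and rtmps.
GOOD_LOG = """\
WARNING: Red5-Info: Properties-file does exist= /home/user/.Spark/plugins/red5-plugin/Red5.properties
WARNING: Red-Info: Red5-servername from properties-file is= chat.example.com
WARNING: Red5 URL = rtmps://chat.example.com/oflaDemo
WARNING: Web Port = 443
"""

# [ \t]* rather than \s* so an empty value does not swallow the next log line.
PATTERNS = {
    "properties_file": re.compile(r"Properties-file does exist=[ \t]*(\S+)"),
    "server": re.compile(r"Red5-servername from properties-file is=[ \t]*(\S*)"),
    "port": re.compile(r"(?:Red5-port from properties-file is=|Web Port =)[ \t]*(\d+)"),
    "url": re.compile(r"(?:red5URL \[|Red5 URL = )(\S+)"),
}

DEFAULT_RTMP_PORT = 1935  # Red5's default, unencrypted RTMP port


def parse_red5_log(text):
    """Return the plugin's effective settings found in a Spark log as a dict."""
    info = {}
    for key, pattern in PATTERNS.items():
        match = pattern.search(text)
        if match:
            info[key] = match.group(1)
    return info


def audit(info):
    """Return (code, message) findings for settings that cannot give a secure session."""
    findings = []
    if "properties_file" not in info:
        findings.append(("NO_PROPERTIES", "no Red5.properties found; plugin is on built-in defaults"))
    if not info.get("server"):
        findings.append(("NO_SERVER", "'server' property is empty; the rtmps URL will have no host"))
    url = info.get("url")
    if url is None:
        findings.append(("NO_URL", "no Red5 URL logged"))
    else:
        parts = urlsplit(url)
        if parts.scheme != "rtmps":
            findings.append(("PLAIN_RTMP", f"{url}: scheme {parts.scheme!r} is not rtmps; media is unencrypted"))
        elif not parts.netloc:
            findings.append(("NO_HOST_IN_URL", f"{url}: rtmps URL has no host"))
        elif info.get("server") and parts.hostname != info["server"].lower():
            findings.append(("HOST_MISMATCH", f"URL host {parts.hostname!r} differs from server {info['server']!r}"))
    if info.get("port") == str(DEFAULT_RTMP_PORT):
        findings.append(("DEFAULT_RTMP_PORT", "port 1935 is Red5's plain RTMP port, not the Apache SSL port"))
    return findings


def audit_log(text):
    """Convenience wrapper: parse then audit."""
    return audit(parse_red5_log(text))


if __name__ == "__main__":
    for name, log in (("BAD_LOG", BAD_LOG), ("DEFAULT_LOG", DEFAULT_LOG), ("GOOD_LOG", GOOD_LOG)):
        findings = audit_log(log)
        print(name, "->", "OK" if not findings else "")
        for code, message in findings:
            print("   ", code, "-", message)
```

Run it against a real Spark log with `audit_log(open(path).read())`; an empty findings list means the plugin read its properties file, built an rtmps URL with a host, and is not on the plain 1935 port.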

On my installation, in the /home/USER_NAME/.Spark/plugins/red5-plugin I have a folder called ‘xulrunner’. Inside of that I have a folder called ‘linux’ which then contains the ‘chrome’ , ‘components’ etc. folders of XULRunner.

As for the:

http://demo.free-solutions.ch/clearspace/docs/DOC-1066

not containing the red5-plugin-modified.jar and not supporting encryption, then that is correct. I made modifications to the version dated 8th September that would allow it to support encryption. Encryption is not currently supported in the red5-plugin but I believe it is on the todo list. I am not affiliated with Openfire or Red5 and have just hacked their code in order to make it support encryption as it was something I needed. That is why you MUST use the versions of files that are attached to the document as they have all had modifications that enable the support of encryption. Of course if you want to update your version of the Red5 plugin within Openfire (to a newer release) then things may start failing as my modifications have not been incorporated into SVN. I believe that is something Dele (one of the developers) has on his todo list though.

I followed your advice in both the Linux and Windows setups with your recommended Red5 plugin but I still fail; I was also not able to share my desktop in both the Windows and Linux Spark clients.

What about this?? (Spark log in Linux)

org.mozilla.browser.MozillaException: java.lang.UnsatisfiedLinkError: Unable to load library ‘gtk-x11-2.0’: libgtk-x11-2.0.so: cannot open shared object file: No such file or directory

Please suggest what I can do for secure audio/video and secure chat??

Mudassir
logs.tar.gz (2167189 Bytes)

I am not sure that I have the secure desktop sharing working either but as I don’t actually need it then I never really looked into that.

For your UnsatisfiedLinkError I would suggest hunting through Google. I think it means that you are either missing the library gtk-x11-2.0 or missing a symlink to it. I don’t think this is related specifically to Spark/Red5 but rather your Linux installation.

Your Spark log looks to me as if it can’t find your Openfire installation. I am not sure why that is but I would suggest fixing the above library error first. If that doesn’t make the error vanish then check that you have access to Openfire from your client machine. Again, this is not something specific to the code I have altered and if you are having problems with it then maybe searching/asking in another forum thread may solve that specific error. Maybe a firewall issue? Are you using IP Tables? If so you will need ports:

iptables -A THRU -i $interface -p tcp -m tcp --dport 3478 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 3479 -j ACCEPT

in openfire. Only the ‘old ssl’ port seems to be encrypted.

iptables -A THRU -i $interface -p tcp -m tcp --dport 5222 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 5223 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 5229 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 5269 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 7070 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 7777 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 8080 -j ACCEPT

9090 is default non-ssl. Use 9091 for default ssl instead.

iptables -A THRU -i $interface -p tcp -m tcp --dport 9090 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 9091 -j ACCEPT

Red5 streaming flash server

iptables -A THRU -i $interface -p tcp -m tcp --dport 1935 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 1936 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 5080 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 7443 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 8443 -j ACCEPT

1935 and 39036 are needed for web cam access. If there are more than two people then you may need to open up more ports!

iptables -A THRU -i $interface -p tcp -m tcp --dport 19150 -j ACCEPT
iptables -A THRU -i $interface -p tcp -m tcp --dport 39036 -j ACCEPT

  • I made a softlink libgtk-x11-2.0.so.0 to libgtk-x11-2.0.so; after running Spark it took the paths correctly:

WARNING: Red5-Info: Properties-file does exist= /home/sanaullah/.Spark/plugins/red5-plugin/Red5.properties

WARNING: Red-Info: Red5-servername from properties-file is= 10.1.1.147

Nov 3, 2008 10:22:02 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Red5 URL = rtmps://10.1.1.147/oflaDemo

WARNING: Red5 Web Root = red5

WARNING: Web Port = 443
Nov 3, 2008 10:22:44 AM org.mozilla.browser.MozillaInitialization initialize
INFO: Using xul runner dir: /home/sanaullah/.Spark/plugins/red5-plugin/xulrunner/linux

When I open the audio/video roster, the browser opens and says

Failed to Connect

The connection was refused when attempting to contact 10.1.1.147

Try again

There is no firewall issue, I am on a LAN; same scenario when Openfire and Spark are on the same box.

Also, when I set port==8443 in Red5.properties, it says

Secure Connection Fail

10.1.1.147:8443 uses an invalid security certificate.

The certificate is not trusted because it is self signed.
The certificate is not valid for any server names.

(Error code: sec_error_ca_cert_invalid)

Mudassir
Spark–openfire.tar.gz (272125 Bytes)

Good, it looks like you have red5-plugin.jar almost configured correctly as it is now finding the Red5.properties file.

In your red5.properties I would try changing the ‘server’ property to use either a fully qualified domain name (e.g. example.com) or the server’s name on the network (e.g. myopenfireserver, mylinuxserversname or whatever your Linux server is called) rather than just an IP address. I was expecting it to work with an IP address but when I use one here it also fails, so use a FQDN or a server name (server name works OK but you will get the SSL error with it - see below). If you use a server name you may need to put an entry into your /etc/hosts file.

The problem with the security certificate is something unique to Firefox 3. When XULRunner opens a browser window it does actually use Mozilla Firefox as the browser engine. There is a lot of debate on the web about how Firefox 3 handles SSL certificates; hopefully it will change in the future as the security warning is a little too vigorous in my opinion. If you are using Firefox 3 then the only option is to use a valid SSL security certificate in your Apache 2 installation. A self-signed certificate is not good enough as Firefox rejects it and XULRunner does not yet support adding a certificate exception to allow you to use a self-signed certificate. I bought a valid SSL certificate for £15 from godaddy.com and it works fine but check:

https://www.cacert.org/

for a free SSL certificate (I couldn’t get it to work but you may be able to). If you do get a valid SSL certificate then it will most likely be attached to a domain name such as ‘example.com’. As that is the case then you may as well also switch the ‘server’ property in the ‘Red5.properties’ file to the same ‘example.com’. You could also use Firefox 2 which I think will work OK. I think there is a way to tell XULRunner to use a different version of Firefox (you change a symlink somewhere) but I really can’t remember how to do it.

I made certs named serverxx.pem and serverx.key from https://www.cacert.org/; where can I import them, into the client browser or the server??

What further settings are required in the Openfire server?

I also made SSL certificates from my EJBCA server in xx.p12 and other formats; I imported these into my browsers, but still have the same errors as before!!!

I also set up Spark with the Red5 plugin on Windows; it accepted self-signed certificates as I added exceptions in my browser for ‘https://linux147:8443’ (encryption->view_certificate->server->add exception). I called another online user in the same kind of Windows setup; both users could only view themselves on screen but not each other. How to fix it???

Mudassir
openfire_logs (9997 Bytes)
pictures.tar.gz (308056 Bytes)

You will need to set up the SSL certificate in your Apache web server as we are using Apache to do the proxy-pass through. This is very simple and there are loads of tutorials on the web on how to do this if the following doesn’t work:

  1. In your /etc/apache2/sites-available/default you may see a <VirtualHost *:443>. In here you will need to add:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl-keys/YOUR_DOMAIN.COM/YOUR_CRT.crt
SSLCertificateKeyFile /etc/apache2/ssl-keys/YOUR_DOMAIN.COM/YOUR_KEY.key

You are using a .pem as a certificate. As far as I know that just means the .crt and the .key are in the same file. I think for that you would just use your_certificate.pem for both the SSLCertificateFile and the SSLCertificateKeyFile but I am not very good with SSL certificates so you may need to look into that yourself.

If the above doesn’t work (remember to reboot Apache) you may also need to add the root certificate for the certificate provider. That can be done by:

SSLCertificateChainFile /etc/apache2/ssl-keys/YOUR_DOMAIN.COM/godaddy-root-cert.crt

and you should be able to get your root-cert from your SSL certificate provider. This is not always necessary and depends upon whether or not the web browser supports your certificate provider by default. If not you need to add the certificate chain.

You do not need to add the certificate into Openfire or anywhere else. We are using Apache to handle the SSL for us and not Openfire. There is a bit in the document on this under ‘The request/response cycle’.

After you have done the above then check your Apache logs and you should see something in there relating to Openfire.

If the above doesn’t work then check google for how to set it up for your distribution.

Hi

I set up Openfire with a perfect SSL setup, but I still get an error when I open the Red5 roster

Secure Connection Failed

linux147.ibnkhaldun.com.pk:8443 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)

I made my certs from https://www.cacert.org; I also imported my ‘cacecacert-root.crt’ into my client browser and made it trusted, but it still fails.

I think XULRunner didn’t read from the Firefox browser!

Why do I see this sign: "Self-signed certificates should be signed by a Certificate Authority to be trusted and accepted by clients and other servers." in Openfire Server Certificates (DSA and RSA)? I also made these certs trusted but it still fails.

I mention my every step in the attached files; please suggest my mistake.

Thanks

Mudassir


openfire_files.tar.gz (99049 Bytes)

THE OBVIOUS

============

I can see that you have told apache about your SSL certificates, that part looks OK to me.

In one of the PDF’s you have attached you say you have an issue with:

[Sat Nov 08 15:42:33 2008] [warn] NameVirtualHost *:443 has no VirtualHosts
[Sat Nov 08 15:42:33 2008] [warn] NameVirtualHost *:80 has no VirtualHosts

I would fix those in case that was causing the problem. You should check Google on how to do it as I can’t really help you with that one. I am not really a server administrator but a java programmer who has to fuddle through setting up servers.

ADDITIONAL THINGS IF THE ABOVE FAILS

=================================

Also check your Apache SSL log files for your VirtualHost to see if there are any requests in there for the Red5 plugin page (video_320x240.html I think is the name of the page but I haven’t checked that).

I believe XULRunner actually uses the Gecko engine from Firefox and you should see that the SSL error page you are seeing is the same as the one from Firefox:

Looking through the attached PDFs it seems that you understand that it is Spark (XULRunner) that is making the SSL connection to Apache and that Apache then forwards the request to Openfire. Could you just confirm that is your understanding, to make sure we are talking about the same components in the setup?

You mention that you imported the certificates into Firefox. I don’t think that will help as XULRunner is running a separate instance of the Gecko engine (as far as I understand). Once you get the SSL certificate installed correctly into Apache then XULRunner will just accept them; you will not need to import anything into either XULRunner, Firefox or Openfire.

Can you show me your Apache SSL log file after attempting a request from Spark? You should see an attempt to connect that fails due to the SSL error. I would expect that you do have that as you are getting an invalid certificate error but it may be useful to see it.

The image (SSL_Certificates.png) you attached about the SSL certificates is not needed. The certificates in Openfire are not used in the setup I have and they will not be used in your setup either. The SSL link is between Spark (XULRunner) and Apache, and Openfire is NOT involved in the audio-video SSL encryption at all. In fact (at the time of writing the document), neither Openfire nor Red5 can handle RTMPS at the moment, which is the reason for having to use Apache. Remember that RTMPS is just RTMP over SSL; nothing more.

Thanks for your guidelines.

I already fixed all errors and warnings related to Apache ("NameVirtualHost *:443 has no VirtualHosts" and "*:80"); sorry for the previous lines in the document. Now my Apache starts without any errors.

apache error.log

I assume you still have the problem with Spark saying that your SSL certificate is invalid?

I also notice that your SSL certificate file is called:

ibnkhaldun.com.pk.key.pem

but the VirtualHost is called ‘linux147.ibnkhaldun.com.pk’ with an alias of ‘linux147’. As I say, I am not great at server admin work but does that not mean your VirtualHost is running on a subdomain? I think your VirtualHost ServerName should be ‘ibnkhaldun.com.pk’ as that is where your SSL certificate is for. I don’t think SSL certificates work on subdomains in Apache2 (unless you use a mod). I know that putting the proxy-pass through on your main VHost is not ideal but it will work as long as the website on your main VHost does not use any of the paths that RTMP uses, which are /send, /idle, /close, /open and maybe /oflademo and /red5 (but I don’t think the last two are required).

If changing the VHost does not work, I am not sure your Apache log uploaded correctly in your last post, could you try and upload again and also attach your access log for that VHost and your Spark log?
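The three certificate errors quoted in this thread (self-signed, issuer not trusted, not valid for any server names) and the subdomain point in the reply above come down to two checks the client makes: is the certificate’s issuer in its trust store, and does a name on the certificate cover the host the client connected to. The following is an added example, not code from the thread, its participants, Firefox or XULRunner: a simplified Python model of those two checks with constructed certificates (signature verification is deliberately left out; the certificate dicts, CA names and hostnames are made up). It shows that adding an issuer to the trust store removes the issuer error but not a name mismatch, so a certificate for example.com does not cover a vhost on chat.example.com unless it carries that name or a *.example.com wildcard, and that a wildcard never covers a bare IP address such as the 10.1.1.147 used earlier in the thread.

```python
import ipaddress

# Error labels: the two Firefox codes quoted in this thread, plus a plain label
# for the "not valid for any server names" case.
SELF_SIGNED_ERR = "sec_error_ca_cert_invalid"
UNTRUSTED_ISSUER_ERR = "sec_error_untrusted_issuer"
NAME_MISMATCH = "name_mismatch"


def host_matches(pattern, hostname):
    """RFC 6125 style match of one certificate DNS name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # A wildcard never covers an IP address literal.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole left-most label, with at least two labels to its
    # right (so '*.com' is rejected), and it covers exactly one label.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def diagnose(cert, hostname, trusted_issuers):
    """Return the problems a client would report for cert presented by hostname.

    cert is a dict with 'subject', 'issuer' and 'names' (the DNS names it covers);
    trusted_issuers is the client's trust store as a set of issuer names.
    """
    problems = []
    if cert["issuer"] not in trusted_issuers:
        if cert["issuer"] == cert["subject"]:
            problems.append(SELF_SIGNED_ERR)       # self-signed and not trusted
        else:
            problems.append(UNTRUSTED_ISSUER_ERR)  # issued by a CA the client lacks
    if not any(host_matches(name, hostname) for name in cert["names"]):
        problems.append(NAME_MISMATCH)             # no name covers the host used
    return problems


# Constructed certificates; none of these are real certificates from the thread.
SELF_SIGNED = {"subject": "CN=linux147", "issuer": "CN=linux147", "names": ["linux147"]}
BARE_DOMAIN = {"subject": "CN=example.com", "issuer": "CN=Example CA", "names": ["example.com"]}
WILDCARD = {"subject": "CN=*.example.com", "issuer": "CN=Example CA",
            "names": ["*.example.com", "example.com"]}
EMPTY_STORE = set()
STORE_WITH_CA = {"CN=Example CA"}


def walk_through():
    """The sequence of fixes from the thread, as (case, problems) pairs."""
    return [
        ("self-signed, reached by IP", diagnose(SELF_SIGNED, "10.1.1.147", EMPTY_STORE)),
        ("CA cert, CA not imported", diagnose(BARE_DOMAIN, "chat.example.com", EMPTY_STORE)),
        ("CA imported, cert on bare domain", diagnose(BARE_DOMAIN, "chat.example.com", STORE_WITH_CA)),
        ("CA imported, wildcard cert", diagnose(WILDCARD, "chat.example.com", STORE_WITH_CA)),
    ]


if __name__ == "__main__":
    for case, problems in walk_through():
        print(f"{case}: {problems or 'OK'}")
```

The second and third cases are the ones worth remembering from this thread: importing the CA root into the client (here, adding it to the trust store) clears sec_error_untrusted_issuer, but the certificate still has to name the exact host the client connects to, whether that is the vhost’s subdomain or an IP address.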