Macromedia Flash Server - rtmps with self-signed cert fails,







Alexander Farber

2006-08-05, 7:11 am

Hello everyone,

first of all: I have set up a simple test case for my problem
here, with all my settings and the problem described:

http://pref.dyndns.org:8080/live/live.html

And now to the problem itself: I'm running FMS 2.0.2 r51 on
Debian Linux 3.1r2 and have problems with the rtmps, while
rtmp and rtmpt work just fine. When I run the flash movie,
a window pops up "The Certificate Issuer for this site is
untrusted or unknown. Do you wish to proceed? Yes - No"

I click "Yes", but then get "NetConnection.Connect.Failed".

The netstat command only shows the server listening
at the port 443 (https), but no additional connections to
that port seem to be happening, so I am guessing that
the flash movie doesn't like the certificate and that is why it
doesn't even try to connect:

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
.......
tcp 0 0 *:https *:* LISTEN

And here is how I've generated the certificate:

openssl req -x509 -days 365 -newkey rsa:1024 \
-out self-signed-certificate.pem -keyout pub-sec-key.pem

I've also tried to generate it another way, but with same result:

openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key \
-out server.crt

Can anybody please share his/her experiences here?
I don't want to buy a certificate from Verisign or Thawte yet
(and I think it shouldn't be necessary with a correct self-signed cert).

Thank you
Alex

PS: My flash movie simply publishes a stream and then plays it back.

PPS: My /var/log/messages shows successful listening at port 443:
Service[2666]: Server starting...
Server[2666]: No primary license key found. Switching to Developer Edition.
Service[2666]: Server started (/usr/local/fms/conf/Server.xml).
Server[2678]: No primary license key found. Switching to Developer Edition.
Server[2675]: No primary license key found. Switching to Developer Edition.
Adaptor[2675]: Listener started ( _defaultRoot__edge1 ) : 19350
Adaptor[2675]: Listener started ( _defaultRoot__edge1 ) : 443 (secure)
Adaptor[2675]: Listener started ( _defaultRoot__edge1 ) : 80
Adaptor[2675]: Listener started ( _defaultRoot__edge1 ) : 1935
Service[2824]: Server starting...
Server[2824]: No primary license key found. Switching to Developer Edition.
Adaptor[2824]: Listener started ( FCSAdminIpcProtocol ) : 11110
Adaptor[2824]: Listener started ( FCSAdminAdaptor ) : 1111
Service[2824]: Server started (./conf/Server.xml).

--
http://preferans.de
________________________________________
_______
FlashComm-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcomm

Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com

Stefan Richter

2006-08-07, 7:11 am

Brilliant, I'll have to try that



> -----Original Message-----
> From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org
> [mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org] On Behalf Of
> Dario De Agostini
> Sent: 07 August 2006 08:43
> To: FlashComm Mailing List
> Subject: Re: [FlashComm] rtmps with self-signed cert fails,
> while rtmp andrtmpt work ok
>
> Stefan Richter wrote:
> on 24/01/2006 i wrote:
> Well... documentation is quite good this time :-) I've
> followed steps written there and had only minor problems.
>
> Anyway you just need to:
> 1) create a self signed certificate
> 2) edit fms.ini specifying that server has to listen to port
> -443 (port 443, with ssl handshaking)
> 3) edit conf/adaptor.xml adding path to the cert file, key
> file and passphrase if needed
> 4) open the CA certificate file on your client, install the
> certificate.
> 5) connect to fms with protocol rtmps
>
>
> edit:
> it's REALLY easy to do.
> Problems arise if you want to use a certificate from a CA
> which is not on your browser's CA list ... but there is a
> tricky solution for that problem too.
>
> i use SSL for videostreaming for some of our customers...
> works like a charm.
> Overhead is less than rtmpt (smaller delay over
> communication... but this is strange to me... i would guess
> the opposite)
>
>
> Dario De Agostini




Alexander Farber

2006-08-07, 1:11 pm

Hello Dario,

On 8/7/06, Dario De Agostini <dario-GCN6p6BpY0//wltNWqQaag@public.gmane.org> wrote:
> Alexander Farber wrote:
> if the client pops up this request you won't connect.
> It's a "bug"... flash player won't connect even if you answer
> yes to the request.


that's right! I have asked the same question (how to use
a self-signed certificate with rtmps) in quite a few places
and only you have given me the correct answer, thank you.

When a dialog window pops up for any reason (unknown CA,
not matching hostname, whatever...) then you have lost.

I have now generated a self-signed certificate this way:

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -CA ca.crt \
-CAkey ca.key -set_serial 01 -out server.crt

and imported the ca.crt on my PC (both in Windows
and also in Mozilla Firefox) and after that the
http://pref.dyndns.org:8080/live/live.html works.

However the real reason I was trying to setup rtmps,
was that I wanted to make the https-tunneling work.
And this unfortunately still fails: even though I'm able
to tunnel PuTTY through https in the firewall here,
I'm unable to access rtmps://pref.dyndns.org/live -
I just get the same "NetConnection.Connect.Failed".
(without firewall everything does work fine now).

I wonder if you or someone else has experience with
the http(s)-tunneling? How did you debug this?

If SSH over https works, why would rtmps fail over the
same corp. firewall? FMS can't be that bad (or is it? ;-)

Regards
Alex

--
http://preferans.de
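The private-CA recipe from the message above, scripted and checked offline, as an added example that is not code from the thread or from FMS (the hostname fms.example.org and the temp-directory layout are assumptions; it also adds the CA basicConstraints and a subjectAltName that the thread's commands omit, and leaves the keys unencrypted so it runs unattended):

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA, have it sign the FMS
# server cert, and verify chain + hostname with openssl before editing Adaptor.xml.
# FMS_HOST is an assumed placeholder; set it to the host in your rtmps:// URL.
set -eu
FMS_HOST="${FMS_HOST:-fms.example.org}"
WORK="${WORK:-$(mktemp -d)}"

# The thread's first attempt: a lone self-signed server cert (kept for comparison).
make_self_signed() {
    openssl req -x509 -days 365 -newkey rsa:2048 -nodes -subj "/CN=$FMS_HOST" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# The fix: a private CA (its ca.crt is what gets imported on the client) signs the
# server cert. Keys are unencrypted here so nothing prompts; with -des3 the key
# passphrase goes into Adaptor.xml as described in the thread.
make_ca_signed() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -out "$WORK/ca.csr" -subj "/CN=Example Private CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    # CN and SAN must equal the rtmps:// hostname: a mismatch raises the same
    # "do you wish to proceed" dialog, after which the player refuses to connect.
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=$FMS_HOST" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FMS_HOST" > "$WORK/server.ext"
    openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 01 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# chain_ok <ca.crt> <cert>: exit 0 when <cert> verifies against that CA.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# host_ok <hostname> <cert>: exit 0 when the cert is valid for that hostname.
host_ok() { openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'; }

make_self_signed
make_ca_signed
if chain_ok "$WORK/ca.crt" "$WORK/server.crt" && host_ok "$FMS_HOST" "$WORK/server.crt"; then
    echo "server.crt chains to ca.crt and is valid for $FMS_HOST; import ca.crt on the client"
fi
```

The lone self-signed cert fails the same chain check against ca.crt, which is the situation the player's dialog was reporting.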

Alexander Farber

2006-08-07, 7:11 pm

Hello Dario,

On 8/7/06, Dario De Agostini <dario-GCN6p6BpY0//wltNWqQaag@public.gmane.org> wrote:
> Alexander Farber wrote:
> i was not able to debug... but... this is strange.
> your 443 is open because you can connect with putty
> using that port...
> but you can't connect with fms... looks like it's not a port problem.
> in addition to this: there are very few firewalls which inspect traffic
> which goes on port 443... looks like your firewall is doing something.


I was almost going to give up, but then I thought again about
your comment, that the port 443 is "open" and since SSH goes
through, then rtmps should go through as well... because the
over-https-tunneling is actually simple. And actually I don't
believe any firewall is able to filter SSL/TLS at the app. level.

I've installed Ethereal and discovered that while the flash
movie repeatedly tries to connect to the ports 1935, 80 and 443
(as expected), it wasn't trying to contact the web proxy here.

So I've set up the proxy in the MSIE browser (which I wasn't
using at all, only Mozilla Firefox). And now everything works -
both rtmpt and rtmps. Thanks for your help.

Regards
Alex

--
http://preferans.de

Stefan Richter

2006-08-09, 7:11 am

Just warming this up:
How exactly is rtmps used, I mean for what reasons did clients request it? I
agree that from a marketing standpoint it's great to have but what are the
real world applications?
I'm assuming that this is more applicable for live streams (conferencing)
than it is for on demand streaming, correct?

Stefan



> -----Original Message-----
> From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org
> [mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org] On Behalf Of
> Dario De Agostini
> Sent: 08 August 2006 09:54
> To: FlashComm Mailing List
> Subject: Re: [FlashComm] rtmps with self-signed cert fails,
> while rtmp andrtmpt work ok
>
> Alexander Farber wrote:
> wonderful!
> i was not thinking about that when i wrote, but i'm glad you
> solved your problem. I think ssl support is a VERY
> important fms2 feature, especially for marketing purposes...
> security is a big issue when selling a product.
>
> In addition to that, fms2 ssl implementation is quite fast & stable.
> Nice job Adobe.
>
> Dario De Agostini




Bill Sanders

2006-08-09, 7:11 am

Hi Dario,

Streaming ON2 VP6 using recorded materials is important. Also, it's
important for working your own player created in Flash. If Windows
Media server allowed you to create your own player and had the
distribution base that Flash player has, I'd agree with you. However,
I've got too much flexibility with FMS2 and high quality to give it up.

Where you have low broadband, I think that some kind of streaming is
extremely important.

Bill
On Aug 9, 2006, at 5:41 AM, Dario De Agostini wrote:

> Stefan Richter wrote:
> To be really honest i can't see ANY point in using fms for non live
> things.
> Fms is great for "breeze" like apps, it's great for ria, it's great
> for enhancing websites with realtime stuff.
> In this scenario having a secure connection IS important (for
> marketing)... adding 1/10th sec delay over a realtime stream is an
> acceptable loss for a secure voice connection.
>
> I'm sure outside Italy you can have a huge market for video
> streaming (since everyone sells it)... but it's not so important in
> countries in which average bw is less than adsl.
> And i agree... why should i watch a video using ssl ? Rarely useful.
>
>
> Dario De Agostini


bill sanders | www.sandlight.com | bloomfield, ct | 860-242-2260


