Securing FCS with SSL/Stunnel
    Securing FCS with SSL/Stunnel  
lti-1a8g-LMbKfuCQv7pBDgjK7y7TUQ@public.gmane.o




 
07-18-05 12:45 PM

Hello,

According to this
http://www.macromedia.com/devnet/mx...alls_proxy.html
(specifically, this page
http://www.macromedia.com/devnet/mx...ls_proxy04.html
), it's possible to secure the connection between a client and an FCS
with SSL.

Whereas the Flash client can use the HTTPS support of the web browser
that hosts it, FCS has no native SSL support (yet?). So one has to use a
hardware or software solution to receive SSL-encrypted rtmps calls from
the client and forward them to the server.

So far, I've been trying to set up a stunnel solution: stunnel listens
for connections on a given IP and port, say MYREALIP:4540, and forwards
them to 127.0.0.1:2035.
The IP:port "127.0.0.1:2035" is an additional <HostPort> that I added
to the Adaptor.xml <HostPortList>, along with the existing
<HostPort>MYREALIP:1935</HostPort>
The point is that FCS can be contacted "from anywhere" on MYREALIP,
port 1935, but accepts connections on port 2035 only on the loopback
interface, and so only from the local stunnel process.

The stunnel command to type is then:
<<stunnel -f -D 7 -d MYREALIP:4540 -r 127.0.0.1:2035>>
The "-f" option forces stunnel to stay in the foreground, to be able to
see the debug messages (-D 7 option).
The "-d MYREALIP:4540" stands for "daemon mode on host MYREALIP, port 4540".
The "-r 127.0.0.1:2035" stands for "the remote service to forward the
deciphered data to is host 127.0.0.1, port 2035".

Here is the result of the command:
[root@ns30069 test_stunnel]# stunnel -f -D 7 -d MYREALIP:4540 -r 127.0.0.1:2035
2005.07.18 14:19:14 LOG5[13428:1024]: Using '127.0.0.1.2035' as tcpwrapper service name
2005.07.18 14:19:14 LOG7[13428:1024]: RAND_status claims sufficient entropy for the PRNG
2005.07.18 14:19:14 LOG6[13428:1024]: PRNG seeded successfully
2005.07.18 14:19:14 LOG7[13428:1024]: Certificate: /usr/share/ssl/certs/stunnel.pem
2005.07.18 14:19:14 LOG5[13428:1024]: stunnel 3.26 on i386-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6m [engine] 17 Mar 2004
2005.07.18 14:19:14 LOG7[13428:1024]: Created pid file /var/run/stunnel.127.0.0.1.2035.pid
2005.07.18 14:19:14 LOG5[13428:1024]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
2005.07.18 14:19:14 LOG7[13428:1024]: SO_REUSEADDR option set on accept socket
2005.07.18 14:19:14 LOG7[13428:1024]: 127.0.0.1.2035 bound to MYREALIP:4540

When I launch my web page containing the flash client, which connects to
rtmps://MYREALIP:4540/mysampleapp, a SSL certificate warning is
displayed, and then ... nothing happens, my client can't connect to FCS.
Here is the the extra log I get in the server console :
2005.07.18 14:20:48 LOG7[13428:1024]: 127.0.0.1.2035 accepted FD=6 from 83.200.146.141:33551
2005.07.18 14:20:48 LOG7[26152:1026]: 127.0.0.1.2035 started
2005.07.18 14:20:48 LOG5[26152:1026]: 127.0.0.1.2035 connected from 83.200.146.141:33551
2005.07.18 14:20:48 LOG7[26152:1026]: 127.0.0.1.2035 connecting 127.0.0.1:2035
2005.07.18 14:20:48 LOG7[26152:1026]: Remote FD=9 initialized
2005.07.18 14:20:48 LOG7[26152:1026]: Stunnel manual RSA blinding enabled
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): before/accept initialization
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 read client hello A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 write server hello A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 write certificate A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 write server done A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 flush data
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 read client key exchange A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 read finished A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 write change cipher spec A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 write finished A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 flush data
2005.07.18 14:20:48 LOG7[26152:1026]:    1 items in the session cache
2005.07.18 14:20:48 LOG7[26152:1026]:    0 client connects (SSL_connect())
2005.07.18 14:20:48 LOG7[26152:1026]:    0 client connects that finished
2005.07.18 14:20:48 LOG7[26152:1026]:    0 client renegotiatations requested
2005.07.18 14:20:48 LOG7[26152:1026]:    1 server connects (SSL_accept())
2005.07.18 14:20:48 LOG7[26152:1026]:    1 server connects that finished
2005.07.18 14:20:48 LOG7[26152:1026]:    0 server renegotiatiations requested
2005.07.18 14:20:48 LOG7[26152:1026]:    0 session cache hits
2005.07.18 14:20:48 LOG7[26152:1026]:    1 session cache misses
2005.07.18 14:20:48 LOG7[26152:1026]:    0 session cache timeouts
2005.07.18 14:20:48 LOG6[26152:1026]: Negotiated ciphers:
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
2005.07.18 14:20:48 LOG7[26152:1026]: SSL socket closed on SSL_read
2005.07.18 14:20:48 LOG5[26152:1026]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2005.07.18 14:20:48 LOG7[26152:1026]: 127.0.0.1.2035 finished (0 left)

Basically, the connection is initialized, and then closed ("SSL socket
closed on SSL_read") without any data forwarded to FCS, which I can
confirm by examining my FCS log: "Connection closed: 0 bytes sent to SSL,
0 bytes sent to socket"
I've tested a simple "telnet MYREALIP 4540": I can connect to FCS and
send bogus data...
Whether the page embedding my Flash client is accessed with http or
https doesn't change the result.
Whether or not I use the "transparent proxy mode" (specifying an
additional "-T" option to the stunnel command) doesn't change the result.

Has anyone already successfully configured an FCS+Stunnel solution and
could give me any hint, or direct me to a detailed tutorial?

Sincerely,
lti-1a8g (and yes, I sued my parents for giving me such a name)










=-----------------------------------------------------------
Supported by Fig Leaf Software - http://www.figleaf.com
=-----------------------------------------------------------

To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcomm
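One way to read that stunnel output mechanically, as an added example that is not part of the original post or of stunnel itself: the script below groups stunnel 3.x "-D 7" lines by their [pid:tid] tag, follows each client connection through handshake, cipher negotiation and close, and classifies the outcome. SAMPLE_LOG is constructed from the lines in the post; the verdict strings, the "handshake complete" heuristic (the server has written Finished) and the weak-cipher list are this example's own interpretation, not stunnel's.

```python
"""Triage of stunnel 3.x debug output (-D 7).

Added example, not code from the original post or from the stunnel project.
It groups log lines by their [pid:tid] tag, follows each client connection
through handshake, cipher negotiation and close, and classifies the outcome.
SAMPLE_LOG is constructed from the lines quoted in the post; the verdict
strings and the weak-cipher list are this example's own interpretation.
"""
import re

# "2005.07.18 14:20:48 LOG7[26152:1026]: message"
LINE = re.compile(r'^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG(\d)\[(\d+):(\d+)\]: (.*)$')
CLOSE = re.compile(r'Connection closed: (\d+) bytes sent to SSL, (\d+) bytes sent to socket')
PEER = re.compile(r'connected from (\S+)')
# Protocol versions and cipher components a practitioner should refuse today.
WEAK = re.compile(r'SSLv2|SSLv3|RC4|MD5|\bDES\b|NULL|EXP', re.I)

# Constructed from the post's log; MYREALIP omitted, the peer address kept.
SAMPLE_LOG = """\
2005.07.18 14:20:48 LOG7[13428:1024]: 127.0.0.1.2035 accepted FD=6 from 83.200.146.141:33551
2005.07.18 14:20:48 LOG7[26152:1026]: 127.0.0.1.2035 started
2005.07.18 14:20:48 LOG5[26152:1026]: 127.0.0.1.2035 connected from 83.200.146.141:33551
2005.07.18 14:20:48 LOG7[26152:1026]: 127.0.0.1.2035 connecting 127.0.0.1:2035
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): before/accept initialization
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 read client hello A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 write finished A
2005.07.18 14:20:48 LOG7[26152:1026]: SSL state (accept): SSLv3 flush data
2005.07.18 14:20:48 LOG6[26152:1026]: Negotiated ciphers:
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
2005.07.18 14:20:48 LOG7[26152:1026]: SSL socket closed on SSL_read
2005.07.18 14:20:48 LOG5[26152:1026]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2005.07.18 14:20:48 LOG7[26152:1026]: 127.0.0.1.2035 finished (0 left)
"""


def parse(log_text):
    """Return {'pid:tid': [message, ...]} in log order. A line without the
    timestamp prefix (the cipher line printed after 'Negotiated ciphers:')
    is a continuation of the last message of the last-seen thread."""
    threads, last = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            _ts, _level, pid, tid, msg = m.groups()
            last = pid + ':' + tid
            threads.setdefault(last, []).append(msg)
        elif last is not None and raw.strip():
            threads[last][-1] += ' ' + raw.strip()
    return threads


def classify(messages):
    """Summarise one thread. Returns None for threads that never handled a
    client (the listener thread only logs 'accepted ... from')."""
    peer = cipher = None
    handshake_done = closed_on_read = False
    to_ssl = to_socket = None
    for msg in messages:
        m = PEER.search(msg)
        if m:
            peer = m.group(1)
        # The server side of the handshake is complete once it has written Finished.
        if 'SSL state (accept)' in msg and 'write finished' in msg:
            handshake_done = True
        if msg.startswith('Negotiated ciphers:'):
            cipher = msg[len('Negotiated ciphers:'):].strip()
        if 'SSL socket closed on SSL_read' in msg:
            closed_on_read = True  # the TLS peer (the client) hung up
        m = CLOSE.search(msg)
        if m:
            to_ssl, to_socket = int(m.group(1)), int(m.group(2))
    if peer is None:
        return None

    if not handshake_done:
        verdict = 'handshake never completed: check the certificate/key file and protocol settings'
    elif to_socket is None:
        verdict = 'connection still open or close record missing'
    elif to_socket == 0 and to_ssl == 0 and closed_on_read:
        verdict = ('client completed the handshake and then closed without sending a byte: '
                   'consistent with the client rejecting the certificate (untrusted issuer or '
                   'name mismatch) after the handshake; the forwarding path was never exercised')
    elif to_socket > 0 and to_ssl == 0:
        verdict = 'client data reached the backend but nothing came back: check the loopback HostPort'
    else:
        verdict = 'ok'

    warnings = []
    if cipher and WEAK.search(cipher):
        warnings.append('weak protocol/cipher negotiated: ' + cipher)
    return {'peer': peer, 'handshake_done': handshake_done, 'cipher': cipher,
            'bytes_to_ssl': to_ssl, 'bytes_to_socket': to_socket,
            'verdict': verdict, 'warnings': warnings}


def triage(log_text):
    """Classify every client connection found in a stunnel 3.x debug log."""
    results = [classify(msgs) for msgs in parse(log_text).values()]
    return [r for r in results if r is not None]


if __name__ == '__main__':
    for r in triage(SAMPLE_LOG):
        print(r['peer'], '->', r['verdict'])
        for w in r['warnings']:
            print('  warning:', w)
```

Run as-is it reports the post's connection as a post-handshake client abort (the bytes-in-both-directions counter on the "Connection closed" line is the giveaway: the client never sent the RTMP handshake, so this is not a forwarding or HostPort problem) and flags the negotiated RC4-MD5 suite over SSLv3. For a real capture, call triage(open(path).read()).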









    RE: Securing FCS with SSL/Stunnel  
Edward Chan




 
07-18-05 10:45 PM

One thing you want to be absolutely sure of is the hostname that you are
connecting to in the NetConnection.connect() call on the client, and
make sure that matches the name that is in the certificate that is
returned.

Another thing to check is that if the certificate you've configured
stunnel to return is one that you've created yourself using something
like OpenSSL, make sure that you have installed the cert for the
Certificate Authority (CA) used to sign the cert (you probably would
have set up your own CA using OpenSSL).  If you are using a cert that
you received from a big name certificate authority such as Verisign, you
shouldn't have to worry about installing the CA cert as Windows comes
shipped with these certs pre-installed.

When you get that security dialog, it is a good indication that one of
these things is not right.  And even though the dialog gives you an
option to continue, it doesn't.  That's a long standing bug.  And though
misleading, you should not run into it if you have everything set up
properly.

Hope that helps.

Ed

    Re: Securing FCS with SSL/Stunnel  
lti-1a8g-LMbKfuCQv7pBDgjK7y7TUQ@public.gmane.o




 
07-20-05 10:45 PM

Hmmm, well, there is no hostname in my certificate, which is an
"self-signed" one (x509).

I did create the certificate myself, using
"openssl req -new -x509 -days 365 -nodes -config
/usr/share/ssl/stunnel.cnf -out stunnel.pem -keyout stunnel.pem"
But I remember, a few weeks back, that I saw a tutorial on how to add
SSL support to hostname-based virtual hosts, and It used extra lines in
the openssl configuration file...

Is a CA-signed certificate mandatory ?

Thanks
lti-1a8g (and yes, I sued my parents for giving me such a name)

    RE: Securing FCS with SSL/Stunnel  
Edward Chan




 
07-20-05 10:45 PM

Well, I'm hardly an SSL expert.  But I am willing to bet that a
self-signed cert is probably not supported.  I think the player "must"
match the hostname in the connect URI to that in the certificate in
order for the connection to go through.

Ed

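Ed's check (the name passed to NetConnection.connect() must match the name in the certificate) and the certificate from the reply above, which carries no hostname at all, in working code. This is an added example, not code from the thread, the Flash player or stunnel: it applies the generic RFC 6125 / RFC 2818 matching rules to a certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns. subjectAltName takes precedence over commonName, a wildcard may only stand for the whole leftmost label, and a connection made to an IP literal (as rtmps://MYREALIP:4540/... is) only matches an IP entry in subjectAltName. The player's own matching rules are not documented in the thread, so the assumption is that it behaves like a standard TLS client; the certificate dicts are constructed test data. Name matching is only half of what a client checks: chain trust (the CA question in the first reply) is a separate step and not shown here.

```python
"""Server-name verification against a certificate, in the dict shape that
ssl.SSLSocket.getpeercert() returns.

Added example, not code from the thread, the Flash player or stunnel. It
implements the usual RFC 6125 / RFC 2818 rules; whether the Flash player
applies exactly these is an assumption. The certificates at the bottom are
constructed; POSTER_CERT mirrors the post's self-signed cert, which has no
commonName and no subjectAltName.
"""
import ipaddress


def _dns_match(pattern, hostname):
    """Match one DNS-ID pattern from the certificate against a hostname,
    case-insensitively, ignoring a trailing dot."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    # '*' may only be the entire leftmost label, must leave at least two
    # literal labels to its right (no '*.com'), and matches exactly one label.
    if p_labels[0] != '*' or len(p_labels) < 3 or any('*' in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def match_hostname(cert, hostname):
    """Return (ok, reason). `cert` is a getpeercert()-style dict:
    {'subject': ((('commonName', 'x'),), ...), 'subjectAltName': (('DNS', 'x'), ...)}"""
    if not cert:
        return False, 'no certificate presented'
    san = cert.get('subjectAltName', ())
    dns_ids = [v for k, v in san if k == 'DNS']
    ip_ids = [v for k, v in san if k == 'IP Address']

    ip = _as_ip(hostname)
    if ip is not None:
        # Connecting by IP literal (rtmps://203.0.113.10:4540/...): only an
        # IP subjectAltName counts; a commonName holding an IP is not accepted.
        for v in ip_ids:
            if _as_ip(v) == ip:
                return True, 'matched IP subjectAltName %s' % v
        return False, 'IP literal %s is not among the IP SANs %s' % (hostname, ip_ids or 'none')

    if dns_ids:
        # Once any DNS SAN is present the commonName is ignored entirely.
        for pat in dns_ids:
            if _dns_match(pat, hostname):
                return True, 'matched DNS subjectAltName %s' % pat
        return False, '%s matches none of the DNS SANs %s' % (hostname, dns_ids)

    cns = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    if not cns:
        return False, 'certificate has neither a subjectAltName nor a commonName'
    for cn in cns:
        if _dns_match(cn, hostname):
            return True, 'matched commonName %s (no subjectAltName present)' % cn
    return False, '%s does not match commonName %s' % (hostname, cns)


# Constructed certificates in getpeercert() shape, not real ones.
POSTER_CERT = {'subject': ((('countryName', 'FR'),), (('organizationName', 'Test'),))}
CN_CERT = {'subject': ((('commonName', 'fcs.example.com'),),)}
SAN_CERT = {'subject': ((('commonName', 'ignored.example.net'),),),
            'subjectAltName': (('DNS', 'fcs.example.com'),
                               ('DNS', '*.stream.example.com'),
                               ('IP Address', '203.0.113.10'))}

if __name__ == '__main__':
    for cert, name in [(POSTER_CERT, 'fcs.example.com'), (CN_CERT, 'fcs.example.com'),
                       (SAN_CERT, '203.0.113.10'), (SAN_CERT, 'ignored.example.net')]:
        print(name, '->', match_hostname(cert, name))
```

The POSTER_CERT case fails with "neither a subjectAltName nor a commonName", which is the name-mismatch half of the problem regardless of who signed the certificate; the SAN_CERT cases show why a commonName alone is not enough once a subjectAltName is present, and why connecting by IP address needs an IP entry rather than a DNS name.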