I guess CA was added to trusted CA's of FF?

On Tue, Aug 22, 2017 at 3:40 PM, Maxim Solodovnik <[email protected]> wrote:

> This is the issue of "self-signed" certificate.
> "Real" certificate provides the way to ensure it wasn't revoked.
>
> I would recommend to set up one of the free real certificates to prod system
>
> On Tue, Aug 22, 2017 at 2:45 PM, Yakovlev N. <[email protected]> wrote:
>
>> Hi Maxim,
>>
>> you were right when you suggested to add a CA certificate into the client machine
>> with screensharing. I added the root certificate incorrectly via "java
>> control panel->security->manage certificates". It's wrong and not necessary.
>> The certificate must be inserted into java/keystore with the keytool utility.
>>
>> Now screen sharing works as expected.
>>
>> But...
>>
>> I tried to connect from other machines to the machine with
>> screensharing and all worked fine with remote desktop if IE is used, but not
>> Firefox.
>>
>> The error screenshots are attached and the errors take place when
>> entering any room.
>>
>> Do you know how to resolve it? And why only FF?
>>
>> The latest version of FF and Adobe Flash Player for FF is used.
>>
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Monday, August 21, 2017 11:46 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> I guess first thing to do is to ensure
>> jre is used by javaws
>> and
>> jre containing cacert
>> is the same jre
>>
>> can be checked by inspecting PATH
>> and checking which binaries are actually started using system task manager
>>
>> On Mon, Aug 21, 2017 at 3:00 PM, Yakovlev N. <[email protected]> wrote:
>>
>> First I tried to add only one CA certificate to java on a client machine.
>> Then the site certificate was added for additional checking.
>> Both cases are unsuccessful.
>> What should I do next?
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Monday, August 21, 2017 9:51 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> Works for me
>>
>> What were your steps?
>>
>> BTW no need to add site certificate to trusted certs in case you are
>> having Root CA. Verified Root CA will successfully validate site cert
>>
>> On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. <[email protected]> wrote:
>>
>> No,
>> It did not help.
>> The client machine is Windows, the CA root certificate (crt) and the
>> client self-signed certificate (p12) have been added into java via java
>> control panel->security->manage certificates.
>>
>> The full error log is:
>>
>> ERROR 08-21 09:39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {}
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>>     at sun.security.validator.Validator.validate(Unknown Source)
>>     at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>>     at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>>     at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>>     at sun.security.ssl.Handshaker.process_record(Unknown Source)
>>     at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>     at org.red5.client.net.rtmps.RTMPTSClientConnector.openConnection(RTMPTSClientConnector.java:139)
>>     at org.red5.client.net.rtmps.RTMPTSClientConnector.run(RTMPTSClientConnector.java:64)
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>>     at java.security.cert.CertPathBuilder.build(Unknown Source)
>>     ... 27 common frames omitted
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> No context named default was found!!
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Monday, August 21, 2017 8:45 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> You can fix it by adding self-signed CA to the java/cacerts at the
>> "client" machine (the machine the screen-sharing web-app is started on)
>>
>> On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <[email protected]> wrote:
>>
>> Tunneling RTMPS
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Monday, August 21, 2017 5:56 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> What type of SSL are you checking? "native" or "tunneled"?
>>
>> On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. <[email protected]> wrote:
>>
>> Hi Maxim,
>> Screensharing with SSL does not work.
>>
>> Java outputs the next errors:
>> ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {}
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>
>> Where can the datastore for screensharing be placed and what is its file name?
>> /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen ?
>> Where should the password for this keystore be assigned?
>>
>> The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.properties files contain the following parameters:
>>
>> key="keystoreFile" value=......
>> key="keystorePass" value=......
>> key="truststoreFile" value=......
>> key="truststorePass" value=......
>>
>> rtmps.keystorepass=xxxxx
>> rtmps.keystorefile=conf/keystore.jks
>> rtmps.truststorepass=xxxxx
>> rtmps.truststorefile=conf/truststore.jks
>>
>> But for screensharing I could not find relevant information.
>>
>> Best regards,
>> Nik
>>
>> *From:* Yakovlev N. [mailto:[email protected]]
>> *Sent:* Saturday, August 19, 2017 8:23 AM
>> *To:* [email protected]
>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>
>> Hi Maxim,
>> SSL is working fine.
>> I found a mistake in the http://openmeetings.apache.org/RTMPSAndHTTPS.html manual:
>> All keytool commands must have the filename keystore.jks, not keystore without extension. :)
>> This also applies to the filename truststore: it should be truststore.jks.
>>
>> Otherwise the names of keystore and truststore should be changed in /opt/red5/conf/red5.properties.
>>
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Saturday, August 19, 2017 7:23 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> I'll try to check steps with self-signed cert and will report back
>>
>> On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. <[email protected]> wrote:
>>
>> Hello Ramon,
>> All the hope is on Maxim... :)
>>
>> Nik
>>
>> *From:* Ramón Zárate Moedano [mailto:[email protected]]
>> *Sent:* Saturday, August 19, 2017 2:22 AM
>> *To:* [email protected]
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> Hello everyone ...
>>
>> I just cannot install SSL (from namecheap) ... this is beyond my skills.
>>
>> Is there someone who can help me with the installation in exchange for some money????
>>
>> Thanks in advance.
>>
>> 2017-08-18 1:23 GMT-05:00 Yakovlev N. <[email protected]>:
>>
>> Hi Maxim,
>> Thanks for the reply.
>> I've reinstalled the certificates two times but SSL does not work.
>>
>> 1. Both certificates, the root CA and the client one, were added into
>> /etc/pki/ca-trust/extracted/java/cacerts (this place is for CentOS) with the commands:
>>
>> keytool -import -keystore cacerts -file red5.crt -alias red5
>> keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root
>>
>> 2. As you recommended, OM was started with red5-debug + option "-Djavax.net.debug=all"
>> Logs have nothing while an SSL session was being established.
>> To exclude the impact of browsers, I tried to start up a session using telnet.
>> Sessions to port 5080 (non-SSL) were recorded in the logs but sessions to 5443 were not.
>> In this case, the netstat command shows ESTABLISHED status to port 5443.
>> Firewall is off.
>>
>> According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two config files have to be changed:
>>
>> 1. Edit red5/conf/jee-container.xml file:
>> Comment Tomcat without SSL enabled section
>> UNComment Tomcat with SSL enabled section
>>
>> 2. Edit red5/webapps/openmeetings/public/config.xml and set
>> <protocol>https</protocol>
>> <red5httpport>5443</red5httpport>
>>
>> Are these changes enough or are more needed?
>>
>> Best regards,
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Thursday, August 17, 2017 10:28 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> Here is a useful link.
>> I'm using these scripts (with some modifications), Chrome shows green icon :)
>> https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
>>
>> On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <[email protected]> wrote:
>>
>> The steps on the site are for the "real" certificates ...
>>
>> 1) add certificate to trusted certs of Java
>>
>> means Java needs to know about your certificate. I'm using self-signed CA
>> for testing and I'm adding it to
>> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>>
>> Additionally I would recommend to run red5 using red5-debug and modify it
>> by adding "*-Djavax.net.debug=all*" to see all SSL messages
>>
>> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <[email protected]> wrote:
>>
>> Hello Maxim,
>> Don't worry that my question was missed because we all understand how
>> much work you do.
>> Your message made me return to the question of HTTPS for OM.
>>
>> So...
>>
>> 1) add certificate to trusted certs of Java
>>
>> Let's see the output of the keytool command:
>>
>> cd /opt/red5/conf
>> keytool -list -keystore keystore
>> Enter keystore password:
>> xxxxx
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 2 entries
>>
>> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
>> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
>> root, Aug 16, 2017, trustedCertEntry,
>> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>>
>> Is it OK?
>>
>> 2) add certificate to trusted certs of browser (icon should be green)
>> Done
>>
>> 3) correctly create red5 keystore/truststore
>> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
>> truststore is a copy of keystore
>> OK?
>>
>> Maxim, I would like to draw attention to one detail.
>> A simple way to test an SSL connection is to use the next command:
>> openssl s_client -connect FQDN:port
>> For example,
>> openssl s_client -connect www.mail.ru:443,
>> openssl s_client -connect www.ya.ru:443
>> and so on.
>> This way does not use browsers and allows testing SSL connections at a
>> lower level than using browsers.
>> This command does not work and hangs for my OM as I wrote before, and I
>> think that the question is not in the types of certificates (trusted or
>> self-signed ones).
>> But where is the problem? I don't know yet...
>>
>> Nik
>>
>> -----Original Message-----
>> From: Maxim Solodovnik [mailto:[email protected]]
>> Sent: Wednesday, August 16, 2017 5:51 PM
>> To: Openmeetings user-list
>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>
>> Hello Nik,
>>
>> I'm trying to answer all emails, sorry if I missed yours :( To make
>> self-signed certificate work with red5 you MUST
>> 1) add certificate to trusted certs of Java
>> 2) add certificate to trusted certs of browser (icon should be green)
>> 3) correctly create red5 keystore/truststore
>>
>> to provide further help I need your detailed steps
>>
>> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <[email protected]> wrote:
>> > Hi Andreas,
>> > OK, your opinion is your opinion and I respect it.
>> > We speak about an internal OM service but not about the world one...
>> > I understand the trusted certificates are more preferable but in my
>> > case unnecessary I think.
>> > I'm not sure blacklists are my case...
>> >
>> > Nik
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]]
>> > Sent: Wednesday, August 16, 2017 4:18 PM
>> > To: [email protected]
>> > Subject: Re: [ANNOUNCE] HTTPS is now required
>> >
>> > Hi Nik,
>> >
>> > sorry - I cannot agree to your "I cannot agree". Most email client
>> > programs do check certificates and deny connections if the certificate is not
>> > trusted. Maybe 5% will work - but 95% will not (and tomorrow the percentage is
>> > higher than today). I cannot recommend to use any self-signed certificate
>> > (except for internal tasks). Additionally maybe you are added to blacklists
>> > if you are "on the air" using a self-signed certificate.
>> >
>> > Best regards
>> > Andreas
>> >
>> > On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
>> >> I don't agree.
>> >> I use self-signed certificates on other corporate services successfully
>> >> (mail, cloud and so on).
>> >> Yes, browsers ask questions but this is no problem. In this case such
>> >> certificates must be added as trusted ones.
>> >>
>> >> Nik
>> >>
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:[email protected]]
>> >> Sent: Wednesday, August 16, 2017 3:44 PM
>> >> To: [email protected]
>> >> Subject: Re: [ANNOUNCE] HTTPS is now required
>> >>
>> >> Self-signed will not be accepted by most browsers and will not work.
>> >> The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
>> >>
>> >> Try certificates from Let's Encrypt - they are free ;)
>> >>
>> >> Best regards
>> >> Andreas
>> >>
>> >> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
>> >> > Hi, Maxim!
>> >> > I have some problems with SSL and no ideas to solve them.
>> >> > Five months ago I asked the community how to install SSL on OM but
>> >> > nobody answered.
>> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser
>> >> > Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT )
>> >> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html
>> >> > did not help me.
>> >> > No errors in logs, browser hangs and shows an empty page.
>> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on
>> >> > the left bottom side.
>> >> > The "openssl s_client -connect vkc.krvostok.ru:5443" command
>> >> > hangs also and outputs only one line: CONNECTED(00000003).
>> >> > Firewall is off, tcp-5443 port is listening on the OM host.
>> >> >
>> >> > Is there any roadmap for using self-signed certificates for OM?
>> >> >
>> >> > Best regards
>> >> > Nik
>> >> >
>> >> > -----Original Message-----
>> >> > From: Maxim Solodovnik [mailto:[email protected]]
>> >> > Sent: Wednesday, August 16, 2017 7:23 AM
>> >> > To: Openmeetings user-list
>> >> > Subject: [ANNOUNCE] HTTPS is now required
>> >> >
>> >> > Hello All,
>> >> >
>> >> > Google developers are trying to move WWW to HTTPS. To force this
>> >> > transition they restrict features available to HTTP sites in
>> >> > Chrome/Chromium. Latest restriction is: Camera and microphone will not be
>> >> > available to JS/Flash code for HTTP sites, proof:
>> >> >
>> >> > "Microphone and Camera access no longer works on insecure origins.
>> >> > To use this feature, you should consider switching your application to a
>> >> > secure origin, such as HTTPS. See https://goo.gl/rStTGz for more
>> >> > details."
>> >> >
>> >> > So please set up HTTPS for your OM site to prevent camera/microphone
>> >> > issues.
>> >> >
>> >> > --
>> >> > WBR
>> >> > Maxim aka solomax
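The thread leans on two checks: `openssl s_client -connect FQDN:port` to see whether the server port really speaks TLS, and whether the client's trust store (java/cacerts) contains the CA that signed the server certificate, which is what Java's "PKIX path building failed" is about. The Python probe below is an added example, not code from the thread or from OpenMeetings/red5: it performs the same handshake and names the outcome, separating "the chain does not reach a CA in `cafile`" (the PKIX case) from "TCP connected but no TLS ever started" (the `CONNECTED(00000003)` followed by silence that was reported for port 5443) and "the port answered with something that is not TLS". The host, port and `cafile` arguments are assumptions; `fake_listener` and `unused_port` are constructed local stand-ins used only to exercise the failure branches offline.

```python
import socket
import ssl
import threading
import time


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Do what `openssl s_client -connect host:port` does and classify the result.

    cafile is a PEM bundle holding the CA that signed the server certificate
    (the same CA one would import into java/cacerts); None means the system
    store. Returned 'status' values:
      ok         handshake finished and the chain verified against cafile
      untrusted  TLS works but no path from the server cert to a trusted CA,
                 the Python counterpart of Java's "PKIX path building failed"
      not_tls    the port answered, but not with a TLS record (plain HTTP on a
                 port expected to be HTTPS, for instance)
      hang       TCP connected, then silence: s_client would print CONNECTED(...)
                 and nothing else
      refused    nothing is listening on the port
      reset      the peer dropped the connection mid-handshake
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {"status": "ok", "version": tls.version(), "subject": subject}
    except ssl.SSLCertVerificationError as exc:   # subclass of SSLError: test first
        return {"status": "untrusted", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "not_tls", "detail": exc.reason}
    except socket.timeout:
        return {"status": "hang", "detail": f"no ServerHello within {timeout}s"}
    except ConnectionRefusedError:
        return {"status": "refused", "detail": "connection refused"}
    except ConnectionResetError:
        return {"status": "reset", "detail": "connection reset by peer"}


def fake_listener(behaviour, linger=5.0):
    """Constructed stand-in for a misconfigured listener on 127.0.0.1 (not an
    OpenMeetings/red5 server). Returns the bound port.
      'plain_http'  reads the ClientHello and answers with an HTTP response
      'silent'      reads the ClientHello and never answers
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(linger)
        try:
            conn.recv(4096)          # consume the ClientHello
            if behaviour == "plain_http":
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            else:
                time.sleep(linger)   # say nothing, like a port with no TLS layer
        except OSError:
            pass
        finally:
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """A port nothing listens on (constructed for the 'refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout=1.0):
    """Run the probe against the three constructed failure modes."""
    return {
        "plain_http": probe_tls("127.0.0.1", fake_listener("plain_http"), timeout=timeout)["status"],
        "silent": probe_tls("127.0.0.1", fake_listener("silent"), timeout=timeout)["status"],
        "refused": probe_tls("127.0.0.1", unused_port(), timeout=timeout)["status"],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} -> {status}")
    # Against a real server (placeholder host), using the CA file from the thread:
    # print(probe_tls("<your-om-host>", 5443, cafile="ca.crt"))
```

Reading the result the way the thread's debugging went: `hang` or `not_tls` means the server side (the jee-container.xml connector, keystore name, port) is not serving TLS at all, and no amount of trust-store work on the client will change it; `untrusted` with a `cafile` that contains the right root means the server chain is fine and the problem is the trust store of the client that actually runs, which for the screen-sharing app is the cacerts of the JRE that javaws starts, not whichever one a control panel happens to edit.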
