Dear community,
I have a strange behavior with my installation of OM. I want to proxy
the web interface through apache (with SSL). This is working. I can
remotely access OM. All right.
Now I want RTMP to be encrypted as well. Here I created another
certificate from Let's Encrypt (LE) just for the RTMPS purpose. The
common name (CN) is simply the host name, just like e.g. for the HTTPS
server.
Then I wanted to adapt the configuration of OM accordingly. To set this
up, I enabled the corresponding section in <OM>/conf/red5-core.conf,
added flash.secure=true and flash.secure.proxy=best in the global
configuration (web frontend), and added the keys to the keystore exactly as in
https://markmail.org/message/j4gx2q6woidyqj7l#query:+page:1+mid:ik4qdhdychl364bp+state:results
as far as I can tell. I tried the network test of OM and still get a red
cross for the RTMP(S) port when using Firefox.
A sniff with wireshark shows that the client connects to port 8443 as
intended and an SSL session is started. The server sends the
certificates I gave plus the intermediate certificate from LE. It does
not send the root certificate. I do not know if this is right or wrong.
Nevertheless, the client seems to refuse the certificate and shuts down
the SSL connection with the reason "Unknown CA". This happens instantly
after the server sends its certificate chain.
When looking into this, it looks as if Chrome accepts the
certificate. I know that Chrome does many things "differently", thus it
is possible that everything is a problem of my local configuration
within Firefox/the OS.
When trying the connection with `openssl s_client ...` I can
successfully connect and verify the certificate chain. Thus in general
it seems to work.
My interpretation is that the (flash) client refuses the LE root
certificate for some reason and terminates the connection due to
security concerns.
Is my interpretation correct? How can I overcome this?
Thank you and cheers
Christian
--
Kind regards
Christian Wolf
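The post describes checking the served chain with `openssl s_client` and seeing an "Unknown CA" alert from the client even though the server sends the leaf plus the LE intermediate (not sending the root is normal TLS behaviour; the client is expected to hold the root in its own trust store). The following is an added example, not part of the original mail or of OpenMeetings: it parses the "Certificate chain" block that `openssl s_client -showcerts` prints, checks that each certificate is issued by the next one, and then checks whether the last issuer is in a given trust list. The host name and the sample output are constructed; the CA names are only illustrative of the shape of an LE chain. Run it against real output by piping `openssl s_client -connect <host>:8443 -showcerts </dev/null` into `parse_chain`.

```python
import re

# Constructed sample of what `openssl s_client -showcerts` prints for a
# server that sends the leaf and one intermediate but no root.
# Host name and certificate bodies are placeholders.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = om.example.invalid
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIB(placeholder, body omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIB(placeholder, body omitted)
-----END CERTIFICATE-----
---
Server certificate
"""

# " 0 s:<subject>" starts a chain entry, "   i:<issuer>" completes it.
CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    subject = None
    for line in text.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(chain, trusted_roots):
    """Emulate the client's decision.

    Returns ("ok", anchor) when the chain links up and ends at a trusted
    root, ("broken-chain", index) when certificate N is not issued by
    certificate N+1 (e.g. a missing or wrongly ordered intermediate),
    and ("unknown-ca", issuer) when the final issuer is not in the
    client's trust store, which is what an "Unknown CA" alert means.
    """
    if not chain:
        return ("no-chain", None)
    for idx, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:
            return ("broken-chain", idx)
    last_subject, last_issuer = chain[-1]
    # A self-signed root may be sent or not; what matters is whether the
    # client already trusts the subject that closes the chain.
    anchor = last_subject if last_subject == last_issuer else last_issuer
    if anchor in trusted_roots:
        return ("ok", anchor)
    return ("unknown-ca", anchor)


if __name__ == "__main__":
    import sys

    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_S_CLIENT_OUTPUT
    chain = parse_chain(text)
    for i, (s, iss) in enumerate(chain):
        print(f"{i}: subject={s!r} issuer={iss!r}")
    # Illustrative trust store containing only the sample root.
    roots = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}
    print("with root trusted:   ", check_chain(chain, roots))
    print("with empty store:    ", check_chain(chain, set()))
    print("missing intermediate:", check_chain(chain[:1], roots))
```

The three checks at the bottom mirror the three situations worth telling apart: the chain verifies when the client's store holds the root (what `openssl s_client` sees with the system CA bundle), it fails with "unknown CA" when the root is absent from the client's own store (a Flash runtime or browser profile with its own trust list), and it fails in the same way when the server omits the intermediate, which is why confirming that the keystore really serves the intermediate is the first thing to verify.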