I'm afraid that in the case of a fully secured proxied configuration you need to use RTMPTS (tunneled secured RTMP).
An example of RTMPT config can be found in the mail archives, for example here:
https://markmail.org/message/l7oltgy74zxo2pjc

On Tue, Jul 17, 2018 at 8:31 PM Christian Wolf <christianlu...@gmx.de> wrote:
>
> Dear community,
>
> I have a strange behavior with my installation of OM. I want to proxy
> the web interface through apache (with SSL). This is working. I can
> remotely access OM. All right.
>
> Now I want RTMP to be encrypted as well. Here I created another
> certificate from Let's Encrypt (LE) just for the RTMPS purpose. The
> common name (CN) is simply the host name just like e.g. for the https
> server.
>
> Then I wanted to adapt the configuration of OM accordingly. This is set
> up that I enabled in <OM>/conf/red5-core.conf the corresponding section,
> added in the global configuration (web frontend) flash.secure=true and
> flash.secure.proxy=best. I added the keys to the keystore exactly as in
> https://markmail.org/message/j4gx2q6woidyqj7l#query:+page:1+mid:ik4qdhdychl364bp+state:results
> as far as I can tell. I tried the network test of OM and still get a red
> cross for the RTMP(S) port when using Firefox.
>
> A sniff with wireshark shows that the client connects to port 8443 as
> intended and an SSL session is started. The server sends the
> certificates I gave plus the intermediate certificate from LE. It does
> not send the root certificate. I do not know if this is right or wrong.
> Nevertheless, the client seems to refuse the certificate and shuts down
> the SSL connection with the reason "Unknown CA". This happens instantly
> after the server sent its certificate chain.
>
> When looking into this it looks as if Chrome seemed to accept the
> certificate. I know that Chrome does many things "differently", thus it
> is possible that everything is a problem of my local configuration
> within firefox/OS.
>
> When trying the connection with `openssl s_client ...` I can
> successfully connect and verify the certificate chain. Thus in general
> it seems to work.
>
> My interpretation is that the (flash) client refuses the LE root
> certificate for some reason and terminates the connection due to
> security concerns.
>
> Is my interpretation correct? How can I overcome this?
>
> Thank you and cheers
> Christian
>
> --
> Kind regards
> Christian Wolf

--
WBR
Maxim aka solomax
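
The Wireshark observation in the quoted message (a server Certificate message followed by a client alert), as an added example that is not part of the original thread: a Python sketch that walks plaintext TLS 1.2 records, lists the certificates the server sent and decodes the alert. The sample bytes are constructed, and `be`, `records`, `chain_lengths` and `summarize` are hypothetical helper names.

```python
ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Certificate-related alert descriptions (RFC 5246, section 7.2)
ALERT_DESC = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

def be(b):
    """Decode a big-endian unsigned integer."""
    return int.from_bytes(b, "big")

def records(stream):
    """Yield (content_type, payload) for each plaintext TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, length = stream[pos], be(stream[pos + 3:pos + 5])
        if pos + 5 + length > len(stream):
            raise ValueError("truncated TLS record")
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def chain_lengths(body):
    """DER length of every entry in a TLS 1.2 Certificate message body."""
    end, pos, sizes = 3 + be(body[:3]), 3, []
    while pos + 3 <= end:
        sizes.append(be(body[pos:pos + 3]))
        pos += 3 + sizes[-1]
    return sizes

def summarize(flows):
    """flows: [(sender, bytes)]; assumes handshake messages are not fragmented."""
    findings = []
    for sender, stream in flows:
        for ctype, payload in records(stream):
            pos = 0
            while ctype == 22 and pos + 4 <= len(payload):  # handshake record
                htype, hlen = payload[pos], be(payload[pos + 1:pos + 4])
                if htype == 11:  # Certificate message
                    body = payload[pos + 4:pos + 4 + hlen]
                    findings.append((sender, "certificate", chain_lengths(body)))
                pos += 4 + hlen
            if ctype == 21 and len(payload) == 2:  # plaintext alert record
                findings.append((sender, "alert", ALERT_LEVEL.get(payload[0]),
                                 ALERT_DESC.get(payload[1], payload[1])))
    return findings

# Constructed sample, not a real capture: placeholder bytes replace the two DER
# certificates (leaf, intermediate); the client answers with alert 2/48.
SAMPLE = [
    ("server", bytes.fromhex("160303001e0b00001a00001700000a") + b"L" * 10
               + bytes.fromhex("000007") + b"I" * 7),
    ("client", bytes.fromhex("15030300020230")),
]
```

An `unknown_ca` alert means its sender could not link the received chain to a CA in its own trust store. RFC 5246 permits a server to leave the self-signed root out of the chain it sends.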