On my Ubuntu FF uses CAs from /etc/ssl/certs/, Chrome seems to use internal CAs.

Can you check with keytool your keystore contains full chain (including CA)?
Example https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

keytool -list -v -keystore keystore.jks

On Wed, Jul 18, 2018 at 6:00 PM Christian Wolf <christ...@wolf-stuttgart.net> wrote:
>
> Dear Maxim,
>
> On 18.07.2018 at 12:40, Maxim Solodovnik wrote:
> > just re-read your initial email (wasn't practice in English for a long
> > time, hard to read very long emails :(( )
> >
> > Have you added full certificates chain to both keystore and truststore of
> > red5?
>
> As far as I can tell, yes, there are chains in keystore. truststore is a
> simple copy of keystore at the moment.
>
> I tried to verify with the following command (in one line):
> $ openssl s_client -connect www2.wolf-stuttgart.net:8443 -showcerts
> -CApath /etc/ssl/certs/ < /dev/null
> This says that the certificate could be successfully verified. I thus
> assume this is running all right.
>
> Now I tried 2 browsers, firefox and chrome, to navigate to
> https://www2.wolf-stuttgart.net/openmeetings/hash?swf=network.
>
> Firefox
> -------
> The second port symbol (RTMP connection) is a red cross.
>
> Investigation with a network sniffer led to the problem, that the client
> refuses/does not find the CA of the cert and closes down the connection.
>
> Chrome
> ------
> The symbol is green as desired.
>
> The handshake of the client/server pair is visible. After that the
> connection is encrypted and only binary "random" data is transmitted
> that cannot be read (as desired) in a sniff.
>
> Cheers
> Christian

--
WBR
Maxim aka solomax
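
Added example, not part of the original thread: one way to read `keytool -list -v` output for the check asked about above, namely whether each alias's chain runs up to and includes a self-signed CA. It assumes English-language keytool output and compares Owner/Issuer names only (no signature verification); the sample output is constructed and `parse_chains` / `check_chain` are illustrative names.

```python
import re, sys

# Constructed, trimmed `keytool -list -v` output; aliases and names are made up.
SAMPLE = """\
Alias name: partial
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test
Issuer: CN=Example Intermediate CA
Alias name: full
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.test
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
"""

def parse_chains(text):
    """Map each alias to its ordered list of {'Owner': ..., 'Issuer': ...}."""
    chains, chain = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Alias name":
            chain = chains.setdefault(value, [])
        elif chain is not None and re.fullmatch(r"Certificate\[\d+\]", key):
            chain.append({})
        elif chain and key in ("Owner", "Issuer"):
            chain[-1].setdefault(key, value)  # first Owner/Issuer per certificate
    return chains

def check_chain(chain):
    """Name comparison only: every Issuer must be the Owner of the next entry."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["Issuer"] != parent["Owner"]:
            return False, "gap after " + cert["Owner"]
    last = chain[-1]
    if last["Owner"] != last["Issuer"]:
        return False, "missing CA: " + last["Issuer"]
    return True, "ends at self-signed CA " + last["Owner"]

if __name__ == "__main__":  # pipe real keytool output in, or run bare for SAMPLE
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for alias, chain in parse_chains(text).items():
        if chain:  # trustedCertEntry aliases have no Certificate[n] chain
            print(alias, *check_chain(chain))
```

To run it against a real keystore, pipe the output of the `keytool -list -v -keystore keystore.jks` command from the message into the script.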