At least related to Traffic sniffer, to ensure encryption of audio/camera
traffic, if you can verify that?
secure connection to KMS is not a big issue as long as it's on the same server
as the OM, but it's desirable after all.
بتاريخ الاثنين، 27 تموز 2020 8:15:50 ص غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
I don't have free time right now to do testsHopefully someone else can help
On Mon, 27 Jul 2020 at 13:08, Online Use <[email protected]> wrote:
Hello,
Just to follow up, is there any updates regarding test case for the below
mentioned points? I just want to make sure where is the issue?
Thank you.
بتاريخ الأحد، 19 تموز 2020 8:30:29 ص غرينتش+2، Online Use
<[email protected]> كتب:
Yes you are right, I just needed to refresh the page.
So to summarize, I'm waiting for confirmation regarding:
- Use of wss / tls for KMS connection- Traffic sniffer results, if possible.
Thanks.
بتاريخ الأحد، 19 تموز 2020 8:02:52 ص غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
On Sun, 19 Jul 2020 at 12:41, Online Use <[email protected]> wrote:
I used WebRTC Internals (about:webrtc in Firefox) to log WebRTC activity, but
nothing got logged when I opened an audio & video session using OM. Why, if
WebRTC is actually utilized?
just have checked using latest FF at Ubuntu 20.04about:webrtcand demo-next
https://om.alteametasoft.com:8443/next/
WebRTC info is displayed as expected
بتاريخ الأحد، 19 تموز 2020 3:00:25 ص غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
Will do top posting
It seems I wasn't clear enough while describing how everything worksHere is the
diagram
https://doc-kurento.readthedocs.io/en/stable/user/writing_applications.html#application-architecture
(the beautiful one)As you can see OM is only "control server"All streams goes
directly to/via KMS
I'll try to set up secured KMS, but unfortunately have no ETAI do remember I
have difficulties with certificate ....
On Sun, 19 Jul 2020 at 01:23, Online Use <[email protected]> wrote:
Encryption
Encryption is mandatory part of WebRTC and is enforced on all aspects of
establishing and maintaining a connection. It makes it effectively impossible
for someone to gain access to the contents of a communication stream because
all media streams are securely encrypted through standardized and time-tested
encryption protocols. Only those applications with the secret encryption key
are able to decode the streams.
The best practice for this is to use perfect forward secrecy (PFS) ciphers in a
DTLS (Datagram Transport Layer Security) handshake to securely exchange key
data (this is the method Frozen Mountain uses). For audio and video, key data
can then be used to generate AES (Advanced Encryption Standard) keys which are
in turn used by SRTP (Secure Real-time Transport Protocol) to encrypt and
decrypt the media. This acronym-rich stack of technologies translates to
extremely secure connections that are impossible to break with current
technology. Both WebRTC and ORTC mandate this particular stack, which is
backwards-compatible and interoperable with VoIP systems.
https://www.frozenmountain.com/developers/blog/what-you-need-to-know-about-webrtc-security
Does this apply to the OM system? because you said you guess audio and video
are not encrypted, but since WebRTC is used already in OM, wouldn't that mean
encryption is effective already, or it there something missing?
بتاريخ السبت، 18 تموز 2020 8:14:03 م غرينتش+2، Online Use
<[email protected]> كتب:
I have been able to use TLS port and certificates with TURN in the
applicationContext.xml file without a problem, but the TURN url doesn't include
protocol (https or wss) only the TLS port number. I have actually commented out
the non-secure port setting in coturn conf. file. It's working fine, but I'm
not sure if the url should contain protocol directive https or wss or none?
When I used the https directive I got an error message NS_ERROR_UNEXPECTED. Any
comments?
My problem now is with the KMS url, I have specified the TLS port and
certificates, but when I use the wss:// protocol I get the error of media
server is not accessible. Could someone try to use this secure setting and
confirm if it's working properly or not to make sure what is the issue at my
end?
بتاريخ السبت، 18 تموز 2020 7:54:31 م غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
On Sun, 19 Jul 2020 at 00:26, Online Use <[email protected]> wrote:
Can you please share with me the architecture of the OM system, showing
components and interfaces?
we don't have such diagram ATM
I don't understand how https is secure while the KMS socket is not secure? And
what is the role of TURN in securing the connection? What should TURN be used
in case of https protocol?
Out-of-the-box OM provides HTTPS which ensures login and all UI actions are
securedKMS out-of-the-box is NOT secured, and it is OM-server-admin task to
secure it
TURN is used to be able to negotiate connection with users without real IPIt
tries to resolve user IP so direct connection can be established
establishedORbypass all WebRTC traffic like SOCKS proxy if IT is NOT
resolvable(I believe you can easily Google above info with much more details)
So if you want fully secured system you have to ensure both KMS and TURN are
secured as well
I think security of the system is questionable. Did you try to use wss:// in
KMS url to test it before release?
I see no need in such testWe are using KMS API to control connections (drop,
create recording chains etc.) We are not working with audio/video streams
directly this is the task of media server
بتاريخ السبت، 18 تموز 2020 6:21:15 م غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
On Fri, 17 Jul 2020 at 15:29, Online Use <[email protected]> wrote:
I also used cert and key files for TLS in COTURN, I used https in turnurl in
the applicationContext.xml file, but I got and NS_ERROR_UNEXPECTED.
Probably the application itself is not designed to use TLS for Kurento and
COTURN?
Not sure which application are you talking about :(OM doesn't use TURN, WebRTC
in browser uses TURN ....
بتاريخ الخميس، 16 تموز 2020 12:34:11 م غرينتش+2، Online Use
<[email protected]> كتب:
I found this note in Kurento documentation:
https://doc-kurento.readthedocs.io/en/stable/features/security.html
Keep in mind that serving your application through HTTPS, forces you to use
WebSockets Secure (WSS) if you are using websockets to control your application
server.
So how the OM system is working while the applicationContext.xml used ws://
connection url?
I would check the traffic with some sniffer and the ask KMS devsFrom my point
of view right now everything works as expectedOM uses HTTPS and wss for
internal websocket messagesAND it has KMS at ws URL ....
Is it secure enough to use https in the browser without using wss connection?
Are all media streams including audio and video encrypted this way?
I guess audio/video is NOT encryptedthis is why i wrote you need to secure KMS
....
Moreover, I edited the kurento.conf.json file to include path to the
certificate file, and edited the applicationContext.xml file to use wss:// with
secure port, but the OM raised an error message saying the media server is
inaccessible. What is the porblem?
I can't say from this descriptionyou have to check 1) KMS logs2) KMS URL (i
guess port will be different in case of wss)3) OM logs4) browser console logs
and/or browser's WebRTC debugging tools
بتاريخ الخميس، 16 تموز 2020 3:26:25 ص غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
On Tue, 14 Jul 2020 at 13:31, Online Use <[email protected]> wrote:
I installed KMS using podman not docker, I can't find the configuration file
path you mentioned, where could it be located?
Unfortunately I can't help hereI neve use podman
So the steps are to edit the kurento.conf.json to enable secure connection,
then to edit the applicatonContext.xml file to use wss// instead of ws:// in
Kurento url, right?
most probably you will need to create certificate for KMS (never did it myself,
so you will have to experiment here)
In a previous reply you mentioned that:In WebRTC tunneling is made by front-end
proxy (the config is not trivial)OR with TURN server if user is behind strict FW
So how to enable WebRTC tunneling with TURN server?
TURN server was designed fo unhide user IP address (so tunneling is not
necessary)Or to proxy WebRTCSo it will work out-of-the-box
بتاريخ الثلاثاء، 14 تموز 2020 4:21:54 ص غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
On Mon, 13 Jul 2020 at 14:11, Online Use <[email protected]> wrote:
I tried using wss:// protocol in Kurento url in the ApplicationContext.xml
file, but in this case the media server wasn't accessible. So how the wss
protocol is supposed to be used?
You have to configure KMS to be secured BEFORE you you will made changes to
applicationContext.xml
please check /etc/kurento/kurento.conf.jsonAnd official KMS documentation
Also how to configure tunneling with the TURN sever?
Thank you.
بتاريخ الاثنين، 13 تموز 2020 6:55:48 ص غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
On Sun, 12 Jul 2020 at 23:46, Online Use <[email protected]> wrote:
Excuse me, but what is wss?
You can easily google thisWSS is secured version of WS both WS and WSS are
protocol prefix for WebSockets
Will SSL and wss provide tunneling of audio and video streaming like RTMPS?
RTMPS doesn't provide tunneling, you need RTMPTS for tunnelingAnd NO In WebRTC
tunneling is made by front-end proxy (the config is not trivial)OR with TURN
server if user is behind strict FW
Don't you have any plans for including red5 and RTMPS in future releases? What
is the alternative technology?
NORTMP if part of Adobe Flash which is discontinued This is why we have moved
from RTMP to WebRTC
Thanks.
بتاريخ الأحد، 12 تموز 2020 3:36:57 م غرينتش+2، Maxim Solodovnik
<[email protected]> كتب:
RTMP/RTMPT/RTMPS is for 4.0.x onlyfor 5.0.x+ you need to secure KMS i.e. set
up certificate and use wss :))
On Sun, 12 Jul 2020 at 13:48, Online Use <[email protected]> wrote:
Hello,
Is RTMPS enabled by default once SSL is implemented?
I know red5 is not supported for M4 release, but how to enable RTMPS for
audio/video encryption?
I understand red5 is only needed for IP telephone not for PC voip, is that
correct?
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
