RTMP over SSL - Solved



by Kevin Green-2


I have read a lot of discussions recently on whether or not it is possible to do RTMP over Native SSL not tunnelling through HTTPS. I've taken some time to figure this out and contribute it back before the release of Red5 0.9.

The answer is YES, it is possible to do RTMP over SSL without HTTPS.

There are a few pieces to getting it to work and I hope the core devs will take my contribution and clean it up to fit in better.

First, the attached class NativeRTMPSMinaIoHandler.java (MODIFIED FROM Red5 0.8) contains only one modified function "sessionOpened" in which I declare the SSL context, import the keystore, and apply the SSLFilter to the socket session. This is what does the actual SSL on the connection. NOTE: The keystore is currently hardcoded to a file and should be edited to be a part of the Spring framework. There is also likely an issue with this when used in client mode, I didn't have the chance to try that out.

You then need to add this into the Spring configuration files similar to this:

in red5-core.xml right above RTMPT stuff

    <!-- Native RTMPS over SSL -->
    <!-- Contributed by: Kevin Green (kevygreen at gmail dot com) -->
    <bean id="nativeRtmpsMinaIoHandler"
        class="org.red5.server.net.rtmp.NativeRTMPSMinaIoHandler">
        <property name="handler" ref="rtmpHandler" />
        <property name="codecFactory" ref="rtmpCodecFactory" />
        <property name="rtmpConnManager" ref="rtmpMinaConnManager" />
    </bean>
   
    <bean id="nativeRtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
        <property name="ioHandler" ref="nativeRtmpsMinaIoHandler" />
        <property name="connectors">
            <list>
                <bean class="java.net.InetSocketAddress">
                    <constructor-arg index="0" type="java.lang.String" value="${native_rtmps.host}" /> 
                    <constructor-arg index="1" type="int" value="${native_rtmps.port}" /> 
                </bean>
                <!-- You can now add additional ports and ip addresses
                <bean class="java.net.InetSocketAddress">
                    <constructor-arg index="0" type="java.lang.String" value="${native_rtmps.host}" /> 
                    <constructor-arg index="1" type="int" value="1936" /> 
                </bean>
                 -->
            </list>
        </property>
        <property name="receiveBufferSize" value="${native_rtmps.receive_buffer_size}" />
        <property name="sendBufferSize" value="${native_rtmps.send_buffer_size}" />
        <property name="eventThreadsCore" value="${native_rtmps.event_threads_core}" />
        <property name="eventThreadsMax" value="${native_rtmps.event_threads_max}" />
        <property name="eventThreadsQueue" value="${native_rtmps.event_threads_queue}" />
        <property name="eventThreadsKeepalive" value="${native_rtmps.event_threads_keepalive}" />
        <!-- This is the interval at which the sessions are polled for stats. If mina monitoring is not
                enabled, polling will not occur. -->
        <property name="jmxPollInterval" value="1000" />
        <property name="tcpNoDelay" value="${native_rtmps.tcp_nodelay}" />
    </bean>


and in red5.properties

# Native RTMPS
# Contributed by: Kevin Green (kevygreen at gmail dot com)
native_rtmps.host=0.0.0.0
native_rtmps.port=1936
native_rtmps.event_threads_core=16
native_rtmps.event_threads_max=64
# event threads queue: -1 unbounded, 0 direct (no queue), n bounded queue
native_rtmps.event_threads_queue=0
native_rtmps.event_threads_keepalive=60
native_rtmps.send_buffer_size=271360
native_rtmps.receive_buffer_size=65536
native_rtmps.ping_interval=1000
native_rtmps.max_inactivity=60000
native_rtmps.tcp_nodelay=true


In Flash, you must connect using proxyType="best" and an rtmps:// URL, similar to:

var nc:NetConnection = new NetConnection();
nc.proxyType = "best";
nc.connect("rtmps://localhost/app");


With these pieces you should be able to get RTMP to work using native SSL. Remember not all systems may be capable of this; you can check in Flash by using flash.system.Capabilities.hasTLS.

If you have any questions about the workings of this code please feel free to email me, but please do not email asking how to create a proper keystore (that is something you can look up online and should learn on your own if you want to use this in production).

If the core dev team could include this in the trunk with the couple changes that would be required to make it more configurable that would be greatly appreciated.

Regards,
   Kevin Green

JohnnyVoIP
350 Legget Drive
Kanata, ON, Canada
K2K 2W7

Phone:   613 271 5993
Fax:       613 271 9810


_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

Attachment: NativeRTMPSMinaIoHandler.java (14K)
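As an added illustration of the sessionOpened change the post describes (this is not Kevin's attached class, which is not reproduced on this page), here is a hypothetical handler that builds the SSLContext from a JKS keystore and inserts Mina's SSLFilter ahead of the RTMP codec, with the keystore path and passwords exposed as bean properties so they can be set from red5-core.xml instead of being hardcoded. It assumes Red5 0.8's RTMPMinaIoHandler can be subclassed with super.sessionOpened() called afterwards, and Mina 1.x package names (org.apache.mina.common.IoSession, org.apache.mina.filter.SSLFilter); on Mina 2 the filter lives at org.apache.mina.filter.ssl.SslFilter.

```java
package org.red5.server.net.rtmp;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

import org.apache.mina.common.IoSession;
import org.apache.mina.filter.SSLFilter;

/**
 * Hypothetical RTMPS handler (assumed to extend Red5 0.8's RTMPMinaIoHandler).
 * Same idea as the post: wrap each accepted RTMP socket in an SSL filter
 * inside sessionOpened. Unlike the hardcoded keystore the post mentions,
 * the keystore location and passwords are injectable bean properties.
 */
public class NativeRTMPSMinaIoHandler extends RTMPMinaIoHandler {

    private String keystorePath;      // e.g. conf/keystore.jks (assumed path)
    private String keystorePassword;  // protects the keystore file
    private String keyPassword;       // protects the private key entry (may differ)
    // Restrict to what the JVM and the Flash clients both support; adjust as needed.
    private String[] enabledProtocols = { "TLSv1.2" };

    // Built once and shared by every accepted session.
    private volatile SSLContext sslContext;

    public void setKeystorePath(String keystorePath) { this.keystorePath = keystorePath; }
    public void setKeystorePassword(String p) { this.keystorePassword = p; }
    public void setKeyPassword(String p) { this.keyPassword = p; }
    public void setEnabledProtocols(String[] p) { this.enabledProtocols = p; }

    /** Loads the server key and certificate chain from the JKS keystore. */
    private SSLContext buildSslContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, keystorePassword.toCharArray());
        } finally {
            in.close();
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Fall back to the keystore password when no separate key password is set.
        char[] keyPass = (keyPassword != null ? keyPassword : keystorePassword).toCharArray();
        kmf.init(ks, keyPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Server side only: no trust managers needed unless client certs are required.
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    @Override
    public void sessionOpened(IoSession session) throws Exception {
        if (sslContext == null) {
            synchronized (this) {
                if (sslContext == null) {
                    sslContext = buildSslContext();
                }
            }
        }
        SSLFilter sslFilter = new SSLFilter(sslContext);
        sslFilter.setUseClientMode(false);            // we are the accepting side
        sslFilter.setEnabledProtocols(enabledProtocols); // assumed Mina 1.x setter
        // Must sit before the RTMP codec so bytes are decrypted before decoding.
        session.getFilterChain().addFirst("sslFilter", sslFilter);
        super.sessionOpened(session);
    }
}
```

Once the listener is up, `openssl s_client -connect localhost:1936` should print the server certificate chain and the negotiated protocol, which is a quick way to confirm the filter is in place.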

Re: RTMP over SSL - Solved

by Thomas-128


Thank you very much Kevin for your contribution,

But what are the benefits (if any) of rtmps/ssl over rtmpe? Because rtmpe
is extremely easy to set up when the server supports it (like wowza),
add 1 single letter in the netConnection, and you're done. No
keystore, no certificates, no beans, nothing.


--
VOD & visioconference - http://www.digiprof.tv


Re: RTMP over SSL - Solved

by rfkrocktk


RTMPE sucks. It's not encrypted. http://lkcl.net/rtmp/

However, RTMPS over native TLS... THANK YOU SO MUCH! This is EXACTLY what I've been looking forward to for a long time. Native TLS/SSL is amazing and the whole polled aspect of RTMPTS is unacceptable. Now, finally, we'll be able to have truly secure connections between FP and Red5! Kevin, thank you so much. To some, this might not mean much, but to me, RTMPS over native TLS/SSL is what I've been hoping for forever! So THANK YOU!!!!!

 - TK


--
... and they stirred up the Nazarites who had completed their days and they cried aloud to Heaven, saying, "What shall we do with these? Where shall we take them?"


Re: RTMP over SSL - Solved

by Walter Tak


http://en.wikipedia.org/wiki/Protected_Streaming

RTMPE sounds better than RTMPS but since Adobe is kind of protecting its
protection mechanism you might wonder how safe it really is. In fact it
isn't since tools can still extract the video-data at the client.

You'd only want to use RTMPS or RTMPE when you don't want other people (like
spies from North Korea) to tune in on your
video-conference-call-of-the-new-weapon-grade-plutonium-factory or
webcam-stream-of-naked-women.

W.


Re: RTMP over SSL - Solved

by Kevin Green-2


   I believe, though I may be wrong, that RTMPE only encrypts the media not the shared objects and function calls. AKA, SSL is on a NetConnection, and RTMPE is only for streams. If you want to secure things such as passwords, function calls, shared objects, or things along those lines you will want to use RTMPS with SSL.

   If you are only concerned with securing the media then RTMPE might be alright, but it is also well known that it can be susceptible to a man in the middle attack, whereas with SSL you are working with a signed certificate and it is significantly harder to become the man in the middle. So again, if you want real security I would suggest investing in signed SSL certificates and using native SSL.

   If people are concerned with the speed at which the connections operate you can look into hardware based encryption accelerator cards or systems that already have it built in.

Regards,
   Kevin Green


Re: RTMP over SSL - Solved

by Thomas-128


I'm only concerned about people sniffing the conferences lines, I
don't care about people extracting my video stream. So rtmpe should do
the trick?



Re: RTMP over SSL - Solved

by Gavriloaie Eugen-Andrei



On Nov 9, 2009, at 8:19 PM, Kevin Green wrote:

   I believe, though I may be wrong, that RTMPE only encrypts the media not the shared objects and function calls. AKA, SSL is on a NetConnection, and RTMPE is only for streams. If you want to secure things such as passwords, function calls, shared objects, or things along those lines you will want to use RTMPS with SSL.
RTMPE encrypts everything after the RTMP handshake. That includes SO, invokes, streams, etc.
RTMPE is much faster than RTMPS but is useless in terms of security. In fact I think RTMPE is useless in any field of activity because it awfully misses its sole purpose: encryption. Anyone can decrypt an RTMPE connection if he/she caught the initial handshake (the exchange of keys).




Re: RTMP over SSL - Solved

by Thomas-128


>  Anyone can decrypt a RTMPE connection if
> he/she caught the initial handshake (the exchange of keys)
Wow! Are you sure about that? That's an important issue for me.
Therefore I'll stick to rtmps.



Re: RTMP over SSL - Solved

by Gavriloaie Eugen-Andrei


I'm very sure about it.


Re: RTMP over SSL - Solved

by rfkrocktk


Yeah. I want to use Red5 as a data source, you know, sending users' passwords, usernames and other secure data back and forth across the wire. With RTMPE, there are huge security problems, and like mentioned above, if someone catches the handshake, he can basically listen in on the whole conversation. With RTMPS, it's not really easily possible to do this since everything is encrypted. 


Re: RTMP over SSL - Solved

by Thomas-128


Thank you a million times then. I will then forget about rtmpe.


Re: RTMP over SSL - Solved

by Andrei Sochirca


Just curious, how can you decrypt RTMPE if you have the initial handshake
bytes? Can you provide the algorithm and its work time estimation?

Regards, Andrei.



Re: RTMP over SSL - Solved

by Gavriloaie Eugen-Andrei


http://code.google.com/p/blue5/wiki/HandshakeImplementations


On Nov 9, 2009, at 9:22 PM, Andrei Sochirca wrote:

> Just curios how can you decrypt RTMPE if you have initial handshake  
> bytes? can you provide the algorithm and its work time estimation?

Re: RTMP over SSL - Solved

by Gavriloaie Eugen-Andrei



On Nov 9, 2009, at 9:22 PM, Andrei Sochirca wrote:

> Just curios how can you decrypt RTMPE if you have initial handshake  
> bytes? can you provide the algorithm and its work time estimation?

Work time estimation? It's 100% deterministic. Requires milliseconds to
complete :)



Re: RTMP over SSL - Solved

by Andrei Sochirca


Can you explain what do you mean with the HandshakeImplementations link?

It means that you can connect to the server using RTMPE protocol,
but it doesn't mean that you can decrypt (in reasonable time) the
client-server RTMPE stream if you have all bytes.

Regards, Andrei.



Re: RTMP over SSL - Solved

by Gavriloaie Eugen-Andrei


No, that means you can easily do the following:

FMS <---> MALLET_THE_BAD_SERVER <---> Flash Clients

It means you can just impersonate an FMS. This is the opposite of SSL,
where you can't do that (you need the private key, which is secret and
not shared or known by any means by anybody else. Only the server knows
it).

In RTMPE the "server certificate private key" is a simple string:  
"Genuine bla bla bla...". Hence, you can impersonate as a server and  
do some "proxy-ing".

The client and the legitimate FMS will never know what happened. That  
is really really bad.

That is why I was saying that if you catch the initial handshake, you  
can do "wonders"




On Nov 9, 2009, at 9:45 PM, Andrei Sochirca wrote:

> Can you explain what you mean with the HandshakeImplementations link?
>
> It means that you can connect to the server using the RTMPE protocol,
> but it doesn't mean that you can decrypt (in reasonable time) the
> client-server RTMPE stream if you have all the bytes.
>
> Regards, Andrei.
>
>
> Gavriloaie Eugen-Andrei wrote:
>> http://code.google.com/p/blue5/wiki/HandshakeImplementations
>>
>>
>> On Nov 9, 2009, at 9:22 PM, Andrei Sochirca wrote:
>>
>>> Just curious, how can you decrypt RTMPE if you have the initial
>>> handshake bytes? Can you provide the algorithm and its work time
>>> estimation?
>>>
>>> Regards, Andrei.
>>>
>>>
>>> Gavriloaie Eugen-Andrei wrote:
>>>>
>>>> On Nov 9, 2009, at 8:19 PM, Kevin Green wrote:
>>>>
>>>>> I believe, though I may be wrong, that RTMPE only encrypts the
>>>>> media, not the shared objects and function calls. *AKA, SSL is on
>>>>> a NetConnection, and RTMPE is only for streams*. If you want to
>>>>> secure things such as passwords, function calls, shared objects,
>>>>> or things along those lines, you will want to use RTMPS with SSL.
>>>> RTMPE encrypts everything after the RTMP handshake. That includes
>>>> SO, invokes, streams, etc.
>>>> RTMPE is much faster than RTMPS but is useless in terms of
>>>> security. In fact I think RTMPE is useless in any field of
>>>> activity because it awfully misses its sole purpose:
>>>> encryption. Anyone can decrypt an RTMPE connection if he/she
>>>> caught the initial handshake (the exchange of keys).
>>>>
>>>>
>>>>> If you are only concerned with securing the media then RTMPE
>>>>> might be alright, but it is also well known that it can be
>>>>> susceptible to a man in the middle attack, whereas with SSL you are
>>>>> working with a signed certificate and it is significantly harder
>>>>> to become the man in the middle. So again, if you want real
>>>>> security I would suggest investing in signed SSL certificates
>>>>> and using native SSL.
>>>>>
>>>>> If people are concerned with the speed at which the connections
>>>>> operate, you can look into hardware based encryption accelerator
>>>>> cards or systems that already have it built in.
>>>>>
>>>>> Regards,
>>>>> Kevin Green
>>>>>
>>>>> JohnnyVoIP
>>>>> 350 Legget Drive
>>>>> Kanata, ON, Canada
>>>>> K2K 2W7
>>>>>
>>>>> Phone: 613 271 5993
>>>>> Fax:   613 271 9810
>>>>>
>>>>>
>>>>> On Mon, Nov 9, 2009 at 12:56 PM, Walter Tak <walter@...> wrote:
>>>>>
>>>>>   http://en.wikipedia.org/wiki/Protected_Streaming
>>>>>
>>>>>   RTMPE sounds better than RTMPS, but since Adobe is kind of
>>>>>   protecting its protection mechanism you might wonder how safe it
>>>>>   really is. In fact it isn't, since tools can still extract the
>>>>>   video data at the client.
>>>>>
>>>>>   You'd only want to use RTMPS or RTMPE when you don't want other
>>>>>   people (like spies from North Korea) to tune in on your
>>>>>   video-conference-call-of-the-new-weapon-grade-plutonium-factory
>>>>>   or webcam-stream-of-naked-women.
>>>>>
>>>>>   W.
>>>>>
>>>>>   ----- Original Message ----- From: "Thomas" <iamkenzo@...>
>>>>>   To: <red5@...>
>>>>>   Sent: Monday, 09 November 2009 18:07
>>>>>   Subject: Re: [Red5] RTMP over SSL - Solved
>>>>>
>>>>>
>>>>>       Thank you very much Kevin for your contribution,
>>>>>
>>>>>       But what are the benefits (if any) of rtmps/ssl over rtmpe?
>>>>>       Because rtmpe is extremely easy to set up when the server
>>>>>       supports it (like wowza): add 1 single letter in the
>>>>>       netConnection, and you're done. No keystore, no certificates,
>>>>>       no beans, nothing.
>>>>>
>>>>>
>>>>>       -- VOD & visioconference - http://www.digiprof.tv



Re: RTMP over SSL - Solved

by rfkrocktk

AKA, "anything you want to do," "read all packets coming across the wire," and/or "throw an icepick at the server."

On Mon, Nov 9, 2009 at 1:21 PM, Gavriloaie Eugen-Andrei <crtmpserver@...> wrote:
> you can do "wonders"



--
... and they stirred up the Nazarites who had completed their days and they cried aloud to Heaven, saying, "What shall we do with these? Where shall we take them?"


Re: RTMP over SSL - Solved

by Mondain

I committed the modified code but I still need to do more testing; but don't let that stop you guys from testing it. I mainly tried to reuse a lot of the properties we already had.

Paul

--
http://gregoire.org/
http://code.google.com/p/red5/
http://code.google.com/p/blue5/


Re: RTMP over SSL - Solved

by David Hogan-2

This is fantastic news. I will most certainly do some testing today!


Re: RTMP over SSL - Solved

by David Hogan-2

Well done, it certainly works!

However.

It appears to me that the flash client doesn't bother to verify that the common name of the certificate matches the actual host that it tried to connect to; it just needs to be a trusted cert for ANY domain. This means that this connection method is vulnerable to a man in the middle attack: all an attacker needs to do is buy a cheap SSL certificate for any domain under their control and then a classic IP level man in the middle attack will work.

So unless someone knows a way to get access to the server certificate common name in ActionScript after connection, this connection method serves only to obscure RTMP traffic from basic sniffing.

I hope I'm wrong!

Dave

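The check David describes the Flash client as skipping, written out in Python as an added example (not code from this thread, from Red5, or from Adobe's Flash client). Chain validation only proves a certificate was issued by a trusted CA; the hostname check proves it was issued for the host the client meant to reach, and it is the hostname check that turns "any trusted cert" into "the right cert". The three certificates below are constructed with placeholder hostnames, in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; `strict_client_context()` shows the two `ssl` settings that enable both checks on a real socket. The matcher goes beyond the post's CN-only wording: it prefers subjectAltName DNS entries over the CN and restricts wildcards to a whole leftmost label, which is how modern clients verify.

```python
"""Hostname verification for a TLS peer certificate.

Added example, not code from the Red5 thread or the Red5 project: the
check that, per the post above, the Flash client skipped. Chain
validation proves the certificate was issued by a trusted CA; only the
hostname check proves it was issued for the host the client asked for.
Without it, a valid certificate for any domain passes.
"""
import ssl

# Constructed sample certificates (placeholder hostnames) in the dict
# shape that ssl.SSLSocket.getpeercert() returns after a TLS handshake.
LEGIT_CERT = {
    "subject": ((("commonName", "media.example.org"),),),
    "subjectAltName": (
        ("DNS", "media.example.org"),
        ("DNS", "*.cdn.example.org"),
    ),
}
# Chains to a trusted CA but was issued for an unrelated domain: exactly
# the certificate a CA-only check accepts and a hostname check rejects.
OTHER_DOMAIN_CERT = {
    "subject": ((("commonName", "cheap-cert.example.net"),),),
    "subjectAltName": (("DNS", "cheap-cert.example.net"),),
}
# Legacy certificate with no SAN extension: only the CN names the host.
CN_ONLY_CERT = {
    "subject": (
        (("countryName", "CA"),),
        (("commonName", "legacy.example.org"),),
    ),
}


def presented_names(cert):
    """DNS names the certificate claims. If any SAN dNSName entries
    exist they are authoritative and the CN is ignored (RFC 6125);
    the CN is consulted only for SAN-less certificates."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, host):
    """Match one presented identifier against the requested host.
    Case-insensitive; a '*' is honoured only as the entire leftmost
    label of a name with at least three labels, and it never spans a
    dot, so '*.cdn.example.org' covers 'edge1.cdn.example.org' but not
    'a.b.cdn.example.org' or 'cdn.example.org', and '*.org' matches
    nothing at all."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True only if some presented name covers the requested host."""
    return any(name_matches(n, hostname) for n in presented_names(cert))


def describe_peer(cert, hostname):
    """Log-ready verdict for a certificate that already passed chain
    validation: 'ok', or the mismatch a client should refuse on."""
    if hostname_matches(cert, hostname):
        return "ok"
    names = ", ".join(presented_names(cert)) or "<none>"
    return "hostname mismatch: requested %s, certificate names %s" % (
        hostname, names)


def strict_client_context():
    """Python ssl context with both checks on: chain validation and
    hostname matching. These are already the create_default_context()
    defaults; they are set explicitly so the intent survives edits."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    for cert, host in [(LEGIT_CERT, "media.example.org"),
                       (LEGIT_CERT, "edge1.cdn.example.org"),
                       (OTHER_DOMAIN_CERT, "media.example.org"),
                       (CN_ONLY_CERT, "legacy.example.org")]:
        print(host, "->", describe_peer(cert, host))
```

The second case in the `__main__` loop is the one that matters for the post: `OTHER_DOMAIN_CERT` would pass a trust-store-only check, and only `describe_peer` reports the mismatch. A client that cannot perform this comparison (or, as David asks, cannot even read the peer's name after connecting) gets confidentiality against passive sniffing but not authentication of the server.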