Refactor TLS names and flow; add RTMPS doc draft

Author: mondain

RTMPS.md

@@ -0,0 +1,74 @@
+# RTMPS
+
+RTMPS is a secure version of RTMP that uses TLS/SSL to encrypt the data. This is a guide to setting up RTMPS with Red5. An example keystore and truststore creation process will be explained as these files are required for the RTMPS feature. Examples will be provided for both the server and client side which will demonstrate how to use RTMPS and PKCS12 type keystores; JKS keystores can also be used, but are not covered here.
+
+## Configuration
+
+### Server
+
+On a server where RTMPS will be employed, two files in `conf` must be updated: `red5.properties` and `red5-core.xml`. This is in-addition to the keystore and truststore proceedure.
+
+* In `red5-core.xml` uncomment the beans named `rtmpsMinaIoHandler` and `rtmpsTransport` which may be updated as required, otherwise their values come from the `red5.properties` file. See [Advanced-configuration](#advanced-configuration) for more information.
+
+* In `red5.properties`, update these properties to utilize your values; especially for store passwords and locations:
+
+```properties
+# RTMPS
+rtmps.host=0.0.0.0
+rtmps.port=8443
+rtmps.ping_interval=5000
+rtmps.max_inactivity=60000
+rtmps.max_keep_alive_requests=-1
+rtmps.max_threads=8
+rtmps.acceptor_thread_count=2
+rtmps.processor_cache=20
+# RTMPS Key and Trust store parameters
+rtmps.keystorepass=password123
+rtmps.keystorefile=conf/server.p12
+rtmps.truststorepass=password123
+rtmps.truststorefile=conf/truststore.p12
+```
+
+### Client
+
+
+```java
+TLSFactory.setKeystorePath("/workspace/client/conf/rtmps_server.p12");
+TLSFactory.setTruststorePath("/workspace/client/conf/rtmps_truststore.p12");
+```
+
+## Testing
+
+Using ffplay issue the following, update for your server IP and stream name as needed: `ffplay rtmps://localhost:8443/live/stream1`
+
+
+### Useful System Properties
+
+
+`-Djavax.net.debug=SSL,handshake,verbose,trustmanager,keymanager,record,plaintext`
+
+## Advanced configuration
+
+* The ciphers and protocols can be modified in the  `rtmpsMinaIoHandler` bean in `red5-core.xml` to suit any special needs.
+
+```xml
+<bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
+    <property name="handler" ref="rtmpHandler" />
+    <property name="keystorePassword" value="${rtmps.keystorepass}" />
+    <property name="keystoreFile" value="${rtmps.keystorefile}" />
+    <property name="truststorePassword" value="${rtmps.truststorepass}" />
+    <property name="truststoreFile" value="${rtmps.truststorefile}" />
+    <property name="cipherSuites">
+        <array>
+            <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
+            <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
+        </array>
+    </property>
+    <property name="protocols">
+        <array>
+            <value>TLSv1.2</value>
+            <value>TLSv1.3</value>
+        </array>
+    </property>
+</bean>
+```

client/src/main/java/org/red5/client/net/rtmps/RTMPSClient.java

@@ -16,6 +16,7 @@
 import org.apache.mina.core.session.IoSession;
 import org.apache.mina.filter.ssl.SslFilter;
 import org.apache.mina.transport.socket.nio.NioSocketConnector;
+import org.red5.client.net.rtmp.ClientExceptionHandler;
 import org.red5.client.net.rtmp.RTMPClient;
 import org.red5.client.net.rtmp.RTMPMinaIoHandler;
 import org.red5.io.tls.TLSFactory;
@@ -39,7 +40,7 @@ public class RTMPSClient extends RTMPClient {
 
     private static final Logger log = LoggerFactory.getLogger(RTMPSClient.class);
 
-    private static String[] cipherSuites = new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" };
+    private static String[] cipherSuites;
 
     // I/O handler
     private final RTMPSClientIoHandler ioHandler;
@@ -59,11 +60,37 @@ public RTMPSClient() {
         protocol = "rtmps";
         ioHandler = new RTMPSClientIoHandler();
         ioHandler.setHandler(this);
+        setExceptionHandler(new ClientExceptionHandler() {
+            @Override
+            public void handleException(Throwable throwable) {
+                log.error("Exception", throwable);
+                try {
+                    ioHandler.exceptionCaught(null, throwable);
+                } catch (Exception e) {
+                    log.debug("Exception", e);
+                }
+            }
+        });
+    }
+
+    /**
+     * Creates a new RTMPSClient with the given keystore type and password.
+     *
+     * @param keyStoreType keystore type
+     * @param password keystore password
+     */
+    public RTMPSClient(String keyStoreType, String password) {
+        protocol = "rtmps";
+        this.keyStoreType = keyStoreType;
+        this.password = password.toCharArray();
+        ioHandler = new RTMPSClientIoHandler();
+        ioHandler.setHandler(this);
     }
 
     @SuppressWarnings({ "rawtypes" })
     @Override
     protected void startConnector(String server, int port) {
+        log.debug("startConnector - server: {} port: {}", server, port);
         socketConnector = new NioSocketConnector();
         socketConnector.setHandler(ioHandler);
         future = socketConnector.connect(new InetSocketAddress(server, port));
@@ -73,20 +100,17 @@ public void operationComplete(IoFuture future) {
                 try {
                     // will throw RuntimeException after connection error
                     future.getSession();
-                } catch (Throwable e) {
-                    //if there isn't an ClientExceptionHandler set, a
-                    //RuntimeException may be thrown in handleException
-                    handleException(e);
+                } catch (Throwable t) {
+                    try {
+                        ioHandler.exceptionCaught(null, t);
+                    } catch (Exception e) {
+                        // no-op
+                    }
                 }
             }
         });
-        // Do the close requesting that the pending messages are sent before
-        // the session is closed
-        //future.getSession().close(false);
         // Now wait for the close to be completed
         future.awaitUninterruptibly(CONNECTOR_WORKER_TIMEOUT);
-        // We can now dispose the connector
-        //socketConnector.dispose();
     }
 
     /**
@@ -107,34 +131,47 @@ public void setKeyStoreType(String keyStoreType) {
         this.keyStoreType = keyStoreType;
     }
 
+    public static void setCipherSuites(String[] cipherSuites) {
+        RTMPSClient.cipherSuites = cipherSuites;
+    }
+
     private class RTMPSClientIoHandler extends RTMPMinaIoHandler {
 
         /** {@inheritDoc} */
         @Override
         public void sessionOpened(IoSession session) throws Exception {
-            // START OF NATIVE SSL STUFF
+            log.debug("RTMPS sessionOpened: {}", session);
+            // do tls stuff
             SSLContext context = TLSFactory.getTLSContext(keyStoreType, password);
             SslFilter sslFilter = new SslFilter(context);
             if (sslFilter != null) {
                 // we are a client
                 sslFilter.setUseClientMode(true);
                 // set the cipher suites
-                //sslFilter.setEnabledCipherSuites(cipherSuites);
+                if (cipherSuites != null) {
+                    sslFilter.setEnabledCipherSuites(cipherSuites);
+                }
                 session.getFilterChain().addFirst("sslFilter", sslFilter);
             }
-            // END OF NATIVE SSL STUFF
             super.sessionOpened(session);
         }
 
+        @Override
+        public void sessionClosed(IoSession session) throws Exception {
+            log.debug("RTMPS sessionClosed: {}", session);
+            super.sessionClosed(session);
+        }
+
         /** {@inheritDoc} */
         @Override
         public void exceptionCaught(IoSession session, Throwable cause) throws Exception {
-            log.warn("Exception caught {}", cause.getMessage());
-            if (log.isDebugEnabled()) {
-                log.error("Exception detail", cause);
+            log.warn("Exception caught: {}", cause.getMessage());
+            log.debug("Exception detail", cause);
+            // if there are any errors using ssl, kill the session
+            if (session != null) {
+                session.closeNow();
             }
-            //if there are any errors using ssl, kill the session
-            session.closeNow();
+            socketConnector.dispose(false);
         }
 
     }

io/src/main/java/org/red5/io/tls/TLSFactory.java

@@ -22,8 +22,9 @@ public class TLSFactory {
 
     private static final Logger log = LoggerFactory.getLogger(TLSFactory.class);
 
-    private static final boolean isDebug = log.isDebugEnabled();
+    private static final boolean isDebug = log.isDebugEnabled(), isTrace = log.isTraceEnabled();
 
+    // shared thread-safe random
     private static final SecureRandom RANDOM = new SecureRandom();
 
     public static final int MAX_HANDSHAKE_LOOPS = 200;
@@ -44,20 +45,19 @@ public class TLSFactory {
      */
     private static String storeType = "PKCS12"; // JKS or PKCS12
 
-    private static String keyStoreFile = String.format("server.%s", "PKCS12".equals(storeType) ? "p12" : "jks");
+    private static String keyStoreFile = String.format("server.%s", "PKCS12".equals(storeType) ? "p12" : "jks"), trustStoreFile = String.format("truststore.%s", "PKCS12".equals(storeType) ? "p12" : "jks");
 
-    private static String trustStoreFile = String.format("truststore.%s", "PKCS12".equals(storeType) ? "p12" : "jks");
+    private static String keystorePath = Paths.get(System.getProperty("user.dir"), "conf", keyStoreFile).toString(), truststorePath = Paths.get(System.getProperty("user.dir"), "conf", trustStoreFile).toString();
 
     private static String passwd = "password123";
 
-    private static String keyFilename = Paths.get(System.getProperty("user.dir"), "conf", keyStoreFile).toString();
-
-    private static String trustFilename = Paths.get(System.getProperty("user.dir"), "conf", trustStoreFile).toString();
-
     static {
         if (isDebug) {
-            //System.setProperty("javax.net.debug", "all");
-            System.setProperty("javax.net.debug", "SSL,handshake,verbose,trustmanager,keymanager,record,plaintext");
+            if (isTrace) {
+                System.setProperty("javax.net.debug", "SSL,handshake,verbose,trustmanager,keymanager,record,plaintext");
+            } else {
+                System.setProperty("javax.net.debug", "all");
+            }
         }
         // set unlimited crypto policy
         Security.setProperty("crypto.policy", "unlimited");
@@ -79,27 +79,27 @@ public class TLSFactory {
     }
 
     public static SSLContext getTLSContext() throws Exception {
-        log.info("Creating SSL context with keystore: {} and truststore: {} using {}", keyFilename, trustFilename, storeType);
+        log.info("Creating SSL context with keystore: {} and truststore: {} using {}", keystorePath, truststorePath, storeType);
         KeyStore ks = KeyStore.getInstance(storeType);
         KeyStore ts = KeyStore.getInstance(storeType);
         char[] passphrase = passwd.toCharArray();
-        try (FileInputStream fis = new FileInputStream(keyFilename)) {
+        try (FileInputStream fis = new FileInputStream(keystorePath)) {
             ks.load(fis, passphrase);
         } catch (Exception e) {
-            log.error("Failed to load keystore: {}", keyFilename, e);
+            log.error("Failed to load keystore: {}", keystorePath, e);
             throw e;
         }
-        try (FileInputStream fis = new FileInputStream(trustFilename)) {
+        try (FileInputStream fis = new FileInputStream(truststorePath)) {
             ts.load(fis, passphrase);
         } catch (Exception e) {
-            log.error("Failed to load truststore: {}", trustFilename, e);
+            log.error("Failed to load truststore: {}", truststorePath, e);
             throw e;
         }
         KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
         try {
             kmf.init(ks, passphrase);
         } catch (UnrecoverableKeyException e) {
-            log.error("Failed to initialize KeyManagerFactory with keystore: {}", keyFilename, e);
+            log.error("Failed to initialize KeyManagerFactory with keystore: {}", keystorePath, e);
             throw e;
         }
         TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
@@ -110,21 +110,21 @@ public static SSLContext getTLSContext() throws Exception {
     }
 
     public static SSLContext getTLSContext(String storeType, char[] passphrase) throws Exception {
-        log.info("Creating SSL context with keystore: {} and truststore: {} using {}", keyFilename, trustFilename, storeType);
-        log.debug("Keystore - file name: {} password: {}", keyFilename, passphrase);
-        log.debug("Truststore - file name: {} password: {}", trustFilename, passphrase);        
+        log.info("Creating SSL context with keystore: {} and truststore: {} using {}", keystorePath, truststorePath, storeType);
+        log.debug("Keystore - file: {} password: {}", keystorePath, passphrase);
+        log.debug("Truststore - file: {} password: {}", truststorePath, passphrase);
         KeyStore ks = KeyStore.getInstance(storeType);
         KeyStore ts = KeyStore.getInstance(storeType);
-        try (FileInputStream fis = new FileInputStream(keyFilename)) {
+        try (FileInputStream fis = new FileInputStream(keystorePath)) {
             ks.load(fis, passphrase);
         } catch (Exception e) {
-            log.error("Failed to load keystore: {}", keyFilename, e);
+            log.error("Failed to load keystore: {}", keystorePath, e);
             throw e;
         }
-        try (FileInputStream fis = new FileInputStream(trustFilename)) {
+        try (FileInputStream fis = new FileInputStream(truststorePath)) {
             ts.load(fis, passphrase);
         } catch (Exception e) {
-            log.error("Failed to load truststore: {}", trustFilename, e);
+            log.error("Failed to load truststore: {}", truststorePath, e);
             throw e;
         }
         KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
@@ -133,7 +133,7 @@ public static SSLContext getTLSContext(String storeType, char[] passphrase) thro
             log.debug("Private key: {}", privateKey);
             kmf.init(ks, passphrase);
         } catch (UnrecoverableKeyException e) {
-            log.error("Failed to initialize KeyManagerFactory with keystore: {}", keyFilename, e);
+            log.error("Failed to initialize KeyManagerFactory with keystore: {}", keystorePath, e);
             throw e;
         }
         TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
@@ -143,18 +143,18 @@ public static SSLContext getTLSContext(String storeType, char[] passphrase) thro
         return sslCtx;
     }
 
-    public static SSLContext getTLSContext(String storeType, String keystorePassword, String keyFilename, String truststorePassword, String trustFilename) throws Exception {
-        log.info("Creating SSL context with keystore: {} and truststore: {} using {}", keyFilename, trustFilename, storeType);
-        log.debug("Keystore - file name: {} password: {}", keyFilename, keystorePassword);
-        log.debug("Truststore - file name: {} password: {}", trustFilename, truststorePassword);
+    public static SSLContext getTLSContext(String storeType, String keystorePassword, String keystorePath, String truststorePassword, String truststorePath) throws Exception {
+        log.info("Creating SSL context with keystore: {} and truststore: {} using {}", keystorePath, truststorePath, storeType);
+        log.debug("Keystore - file: {} password: {}", keystorePath, keystorePassword);
+        log.debug("Truststore - file: {} password: {}", truststorePath, truststorePassword);
         KeyStore ks = KeyStore.getInstance(storeType);
         KeyStore ts = KeyStore.getInstance(storeType);
         char[] keyStrorePassphrase = keystorePassword.toCharArray();
         char[] trustStorePassphrase = truststorePassword.toCharArray();
-        try (FileInputStream fis = new FileInputStream(keyFilename)) {
+        try (FileInputStream fis = new FileInputStream(keystorePath)) {
             ks.load(fis, keyStrorePassphrase);
         }
-        try (FileInputStream fis = new FileInputStream(trustFilename)) {
+        try (FileInputStream fis = new FileInputStream(truststorePath)) {
             ts.load(fis, trustStorePassphrase);
         }
         KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
@@ -208,20 +208,20 @@ public static void setPasswd(String passwd) {
         TLSFactory.passwd = passwd;
     }
 
-    public static String getKeyFilename() {
-        return keyFilename;
+    public static String getKeystorePath() {
+        return keystorePath;
     }
 
-    public static void setKeyFilename(String keyFilename) {
-        TLSFactory.keyFilename = keyFilename;
+    public static void setKeystorePath(String keystorePath) {
+        TLSFactory.keystorePath = keystorePath;
     }
 
-    public static String getTrustFilename() {
-        return trustFilename;
+    public static String getTruststorePath() {
+        return truststorePath;
     }
 
-    public static void setTrustFilename(String trustFilename) {
-        TLSFactory.trustFilename = trustFilename;
+    public static void setTruststorePath(String truststorePath) {
+        TLSFactory.truststorePath = truststorePath;
     }
 
 }