Wowza Community

How-To Guide for RTMPS over TLS with a self-signed certificate?

Is there a simple walkthrough on how to get RTMPS over TLS working with a self-signed certificate? I’m having problems generating the self-signed certificate.

Take a look at this guide:

https://www.wowza.com/docs/how-to-request-an-ssl-certificate-from-a-certificate-authority

Richard

Getting an SSL certificate set up is really hard and hard to debug. Be sure you have imported all the root certificates from the certificate authority into your keystore. The problem is there is just not a good way to debug. The info that is logged and loggable just does not help. I am not sure what to suggest.

Charlie

Richard pointed you to the documentation that we have. Self-signed certificates are not going to work very well. You really need to get a certificate from a certificate authority to make it work in a more general sense.

Charlie

I’m not sure how to do that, but this article came to the top of a search:

http://www.akadia.com/services/ssh_test_certificate.html

Richard

Thanks, that gets me all the way up to self-signing the certificate, but it doesn’t say how to do that. Can you help me take that example and simply self-sign the certificate?

Ok, I guess I’ll keep looking around then.

I have things somewhat working here, but whenever I try to connect, I get NetConnection.Connect.Failed.

Here’s my server log:

DEBUG server comment - null doHandshake()
DEBUG server comment - null  handshakeStatus=NEED_UNWRAP
DEBUG server comment - null unwrapHandshake()
DEBUG server comment - null   inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
DEBUG server comment - null   appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
DEBUG server comment - null Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
DEBUG server comment - null Data Read: org.apache.mina.filter.support.SSLHandler@7979a49f (HeapBuffer[pos=0 lim=57 cap=24000: 80 37 01 03 01 00 1E 00 00 00 10 00 00 04 00 FE FF 00 00 0A 00 FE FE 00 00 09 00 00 64 00 00 62 00 00 03 00 00 06 00 00 FF A0 B5 EB 4B 2C 80 47 D2
 5B 11 C5 8E 11 D6 6E CB])
DEBUG server comment - null doHandshake()
DEBUG server comment - null  handshakeStatus=NEED_UNWRAP
DEBUG server comment - null unwrapHandshake()
DEBUG server comment - null   inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=57 cap=16665]
DEBUG server comment - null   appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
DEBUG server comment - null Unwrap res:Status = OK HandshakeStatus = NEED_TASK
bytesConsumed = 57 bytesProduced = 0
DEBUG server comment - null  handshakeStatus=NEED_TASK
DEBUG server comment - null   doTasks()
DEBUG server comment - null    doTask: sun.security.ssl.Handshaker$DelegatedTask@6ec5122f
DEBUG server comment - null   doTasks(): NEED_WRAP
DEBUG server comment - null  handshakeStatus=NEED_WRAP
DEBUG server comment - null Wrap res:Status = OK HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 725
DEBUG server comment - null write outNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=725 cap=16665]
DEBUG server comment - null session write: HeapBuffer[pos=0 lim=725 cap=725: 16 03 01 02 D0 02 00 00 4D 03 01 4C E4 75 AB 5E 72 A9 35 04 7E 1A 0F D2 4A 22 A2 84 A4 D6 02 F6 57 1B BF 78 DE 66 6C 5D 7B E0 8C 20 4C E4 75 AB 4B 1C 74 76 F8 EB 9B A6 B3 EB 16 EC 18 65 2F A0 2E 15 02 6D E5 62 B9 B9 75 AE 4E 67 00 04 00 00 05 FF 01 00 01 00 0B 00 02 77 00 02 74 00 02 71 30 82 02 6D 30 82 01 D6 A0 03 02 01 02 02 04 4C E4 63 89 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 7B 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0A 43 61 6C 69 66 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 13 09 53 61 6E 20 44 69 65 67 6F 31 16 30 14 06 03 55 04 0A 13 0D 54 4B 2C 20 41 73 73 65 6D 62 6C 65 64 31 12 30 10 06 03 55 04 0B 13 09 44 65 76 65 6C 6F 70 65 72 31 17 30 15 06 03 55 04 03 13 0E 54 79 6C 65 72 20 4B 6F 63 68 65 72 61 6E 30 1E 17 0D 31 30 31 31 31 37 32 33 32 31 34 35 5A 17 0D 31 31 30 32 31 35 32 33 32 31 34 35 5A 30 7B 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0A 43 61 6C 69 66 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 13 09 53 61 6E 20 44 69 65 67 6F 31 16 30 14 06 03 55 04 0A 13 0D 54 4B 2C 20 41 73 73 65 6D 62 6C 65 64 31 12 30 10 06 03 55 04 0B 13 09 44 65 76 65 6C 6F 70 65 72 31 17 30 15 06 03 55 04 03 13 0E 54 79 6C 65 72 20 4B 6F 63 68 65 72 61 6E 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 90 1C 1C B9 F2 0B 10 28 8F 9D F7 21 AF 5E 5C 17 81 FC B9 DB 42 76 45 59 5F 37 A2 A5 60 F2 27 FC 2C 2E 7A A0 31 BA 7C 49 95 F2 BF 98 0C 1A 22 84 55 8F 96 13 F3 93 57 E8 4E 2D B5 AE F8 3D 5F D3 41 F6 9E 45 9F E2 AE 4B E0 C9 DC 0B 4F AA 59 A7 52 74 04 0B 1A 17 61 1B 02 E1 A4 C2 C1 8E B5 FB 56 36 D8 88 CB CE B2 A1 47 89 B9 6B BF A1 B6 60 E1 28 63 F4 E8 7F AB 47 80 C4 99 7A 6B 21 B9 CF 02 03 01 00 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 81 81 00 48 A2 F6 D5 BB 12 2B 94 A5 0B 6A D0 72 E7 5C 63 73 81 EA ED EB E3 3D D9 AD D0 C0 23 A6 2A DD 51 52 DC 3A 9D 2F 30 1F A4 09 F4 7A 1D 6A 14 C1 AE 
FF 46 4B DB B5 C3 F2 E7 33 5D 50 18 A6 2C 22 AC 6C 46 D3 8C 2A 51 70 8A 20 49 59 79 09 77 45 A3 E0 80 4C 5D CD 60 C3 95 8F 54 36 FB EE DB DC F7 EB BA EF 35 87 BE E6 82 2A EF 02 4D 6C EE 86 55 CA 95 37 5C 0E 96 CB 91 D1 B4 57 2E AA 50 CF A1 0E 00 00 00]
DEBUG server comment - null Filtered Write: org.apache.mina.filter.support.SSLHandler@7979a49f
DEBUG server comment - null   already encrypted: HeapBuffer[pos=0 lim=725 cap=725: 16 03 01 02 D0 02 00 00 4D 03 01 4C E4 75 AB 5E 72 A9 35 04 7E 1A 0F D2 4A 22 A2 84 A4 D6 02 F6 57 1B BF 78 DE 66 6C 5D 7B E0 8C 20 4C E4 75 AB 4B 1C 74 76 F8 EB 9B A6 B3 EB 16 EC 18 65 2F A0 2E 15 02 6D E5 62 B9 B9 75 AE 4E 67 00 04 00 00 05 FF 01 00 01 00 0B 00 02 77 00 02 74 00 02 71 30 82 02 6D 30 82 01 D6 A0 03 02 01 02 02 04 4C E4 63 89 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 7B 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0A 43 61 6C 69 66 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 13 09 53 61 6E 20 44 69 65 67 6F 31 16 30 14 06 03 55 04 0A 13 0D 54 4B 2C 20 41 73 73 65 6D 62 6C 65 64 31 12 30 10 06 03 55 04 0B 13 09 44 65 76 65 6C 6F 70 65 72 31 17 30 15 06 03 55 04 03 13 0E 54 79 6C 65 72 20 4B 6F 63 68 65 72 61 6E 30 1E 17 0D 31 30 31 31 31 37 32 33 32 31 34 35 5A 17 0D 31 31 30 32 31 35 32 33 32 31 34 35 5A 30 7B 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0A 43 61 6C 69 66 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 13 09 53 61 6E 20 44 69 65 67 6F 31 16 30 14 06 03 55 04 0A 13 0D 54 4B 2C 20 41 73 73 65 6D 62 6C 65 64 31 12 30 10 06 03 55 04 0B 13 09 44 65 76 65 6C 6F 70 65 72 31 17 30 15 06 03 55 04 03 13 0E 54 79 6C 65 72 20 4B 6F 63 68 65 72 61 6E 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 90 1C 1C B9 F2 0B 10 28 8F 9D F7 21 AF 5E 5C 17 81 FC B9 DB 42 76 45 59 5F 37 A2 A5 60 F2 27 FC 2C 2E 7A A0 31 BA 7C 49 95 F2 BF 98 0C 1A 22 84 55 8F 96 13 F3 93 57 E8 4E 2D B5 AE F8 3D 5F D3 41 F6 9E 45 9F E2 AE 4B E0 C9 DC 0B 4F AA 59 A7 52 74 04 0B 1A 17 61 1B 02 E1 A4 C2 C1 8E B5 FB 56 36 D8 88 CB CE B2 A1 47 89 B9 6B BF A1 B6 60 E1 28 63 F4 E8 7F AB 47 80 C4 99 7A 6B 21 B9 CF 02 03 01 00 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 81 81 00 48 A2 F6 D5 BB 12 2B 94 A5 0B 6A D0 72 E7 5C 63 73 81 EA ED EB E3 3D D9 AD D0 C0 23 A6 2A DD 51 52 DC 3A 9D 2F 30 1F A4 09 F4 7A 1D 6A 14 
C1 AE FF 46 4B DB B5 C3 F2 E7 33 5D 50 18 A6 2C 22 AC 6C 46 D3 8C 2A 51 70 8A 20 49 59 79 09 77 45 A3 E0 80 4C 5D CD 60 C3 95 8F 54 36 FB EE DB DC F7 EB BA EF 35 87 BE E6 82 2A EF 02 4D 6C EE 86 55 CA 95 37 5C 0E 96 CB 91 D1 B4 57 2E AA 50 CF A1 0E 00 00 00]
DEBUG server comment - null  handshakeStatus=NEED_UNWRAP
DEBUG server comment - null unwrapHandshake()
DEBUG server comment - null   inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
DEBUG server comment - null   appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
DEBUG server comment - null Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
DEBUG server comment - null Data Read: org.apache.mina.filter.support.SSLHandler@7979a49f (HeapBuffer[pos=0 lim=7 cap=24000: 15 03 01 00 02 02 2A])
DEBUG server comment - null doHandshake()
DEBUG server comment - null  handshakeStatus=NEED_UNWRAP
DEBUG server comment - null unwrapHandshake()
DEBUG server comment - null   inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
DEBUG server comment - null   appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
INFO server comment - ServerHandler.exceptionCaught[[any]:443:0:0:0:0:0:0:0:1]: javax.net.ssl.SSLHandshakeException: SSL handshake failed.
DEBUG server comment - null Closed: org.apache.mina.filter.support.SSLHandler@7979a49f
- - - - -
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1430)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1398)
        at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1337)
        at org.apache.mina.filter.support.SSLHandler.destroy(Unknown Source)
        at org.apache.mina.filter.SSLFilter.sessionClosed(Unknown Source)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(Unknown Source)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$600(Unknown Source)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(Unknown Source)
        at org.apache.mina.common.support.AbstractIoFilterChain$1.sessionClosed(Unknown Source)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(Unknown Source)
        at org.apache.mina.common.support.AbstractIoFilterChain.fireSessionClosed(Unknown Source)
        at org.apache.mina.common.support.IoServiceListenerSupport.fireSessionDestroyed(Unknown Source)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.doRemove(Unknown Source)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$800(Unknown Source)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(Unknown Source)
        at org.apache.mina.util.NamePreservingRunnable.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:636)

Is there something I’m doing wrong here? I’m on Linux.

Could you maybe write up a step-by-step tutorial on how to get a self-signed certificate generated and hooked up with Wowza? I’m just not sure how to get it self-signed. If I had step-by-step instructions, it would be much easier to see if there was a problem, but since I’m shooting in the dark with self-signing, I don’t know what I’m doing wrong.
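Editor's added example (not part of the original thread and not Wowza code): the "Data Read" buffers in the debug log above are raw SSL/TLS records, so the handshake failure can be read straight from the hex. This Python sketch decodes the record header and any plaintext alert from a MINA `HeapBuffer[...]` dump; the function names are illustrative, and the sample line is the client's last message, copied from the log.

```python
import re

# Alert descriptions from RFC 5246 section 7.2 tied to handshake/certificate rejection.
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version"}
LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# MINA buffer dump as it appears in the log: HeapBuffer[pos=0 lim=7 cap=24000: 15 03 ...]
DUMP = re.compile(r"HeapBuffer\[pos=\d+ lim=\d+ cap=\d+: ([0-9A-Fa-f\s]+)\]")


def decode_record(data: bytes) -> dict:
    """Decode the header (and plaintext alert body) of the first record."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible ClientHello: 15-bit length, msg type 1, then version
        return {"type": "sslv2_client_hello", "version": f"{data[3]}.{data[4]}"}
    length = int.from_bytes(data[3:5], "big")
    rec = {"type": CONTENT_TYPES.get(data[0], f"unknown({data[0]})"),
           "version": f"{data[1]}.{data[2]}", "length": length}
    body = data[5:5 + length]
    # Until the handshake completes, alerts travel in the clear: level, description
    if data[0] == 21 and len(body) == 2:
        rec["level"] = LEVELS.get(body[0], f"unknown({body[0]})")
        rec["alert"] = ALERTS.get(body[1], f"unknown({body[1]})")
    return rec


def decode_log(text: str) -> list:
    """Return one decoded record per HeapBuffer dump found in the log text."""
    return [decode_record(bytes.fromhex(m.group(1))) for m in DUMP.finditer(text)]


# The client's last message before the SSLHandshakeException, copied from the log above.
SAMPLE = ("DEBUG server comment - null Data Read: "
          "org.apache.mina.filter.support.SSLHandler@7979a49f "
          "(HeapBuffer[pos=0 lim=7 cap=24000: 15 03 01 00 02 02 2A])")

if __name__ == "__main__":
    for rec in decode_log(SAMPLE):
        print(rec)
```

Version 3.1 is TLS 1.0, and a fatal `bad_certificate` alert sent by the client means the client rejected the certificate the server presented in its 725-byte handshake record.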