I believe this is standard behavior for Windows systems

On Tue, Aug 22, 2017 at 6:37 PM, Yakovlev N. <yakovlev...@krvostok.ru>
wrote:

> After adding the CA into the Windows system store, entering rooms works well.
>
> Does FF use not only its own CA store but also the system CA store?! Or is
> it not FF?
>
>
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Tuesday, August 22, 2017 2:05 PM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> ERR_UNKNOWN_ISSUER is most probably caused by the fact that
>
> 1) server cert was added to trusted
>
> 2) CA was not added
>
>
>
> In the case of Windows it is worth adding the CA at system level AND to the
> browser (CA tab, with permission to verify sites, code, etc.; I would check
> all checkboxes).
>
>
>
> On Tue, Aug 22, 2017 at 4:41 PM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
>
> Yes, the CA certificate was added as trusted.
>
> I found one difference in the behavior of FF when it connects to HTTPS sites
> with self-signed certificates.
>
> Typically, the first connection prompts you to add the site to an
> exception, but the OM server does not give us this option.
>
> Please see the two screenshots.
>
> This occurs before the CA is added to the Trusted CAs list. If the root
> certificate is added to the CAs list first, then we can access the OM
> cabinet with a green lock icon but will have the errors in the rooms, as I
> wrote before.
>
> There is something in the OM web server...
>
>
>
> Nik
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Tuesday, August 22, 2017 11:54 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> I guess the CA was added to the trusted CAs of FF?
>
>
>
> On Tue, Aug 22, 2017 at 3:40 PM, Maxim Solodovnik <solomax...@gmail.com>
> wrote:
>
> This is the issue with a "self-signed" certificate.
>
> A "real" certificate provides a way to ensure it wasn't revoked.
>
>
>
> I would recommend setting up one of the free real certificates on the prod
> system.
>
>
>
> On Tue, Aug 22, 2017 at 2:45 PM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
>
> Hi Maxim,
>
> You were right when you suggested adding a CA certificate to the client
> machine with screen sharing. I had added the root certificate incorrectly,
> via "java control panel->security->manage certificates". That is wrong and
> not necessary. The certificate must be inserted into the java/keystore with
> the keytool utility.
>
> Now screen sharing works as expected.
>
> But...
>
> I tried to connect from other machines to the machine with screen sharing,
> and all worked fine with remote desktop if IE was used, but not with
> Firefox.
>
> The error screenshots are attached, and the errors take place when entering
> any room.
>
> Do you know how to resolve it? And why only FF?
>
> The latest versions of FF and Adobe Flash Player for FF are used.
>
>
>
> Nik
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Monday, August 21, 2017 11:46 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> I guess the first thing to do is to ensure that the JRE used by javaws and
> the JRE containing the cacerts are the same JRE.
>
> This can be checked by inspecting PATH and by checking which binaries are
> actually started, using the system task manager.
>
>
>
> On Mon, Aug 21, 2017 at 3:00 PM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
>
> First I tried to add only the CA certificate to Java on a client machine.
>
> Then the site certificate was added for additional checking.
>
> Both cases were unsuccessful.
>
> What should I do next?
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Monday, August 21, 2017 9:51 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> Works for me
>
>
>
> What were your steps?
>
>
>
> BTW, there is no need to add the site certificate to trusted certs in case
> you have the Root CA. A verified Root CA will successfully validate the site cert.
>
>
>
> On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
>
> No,
>
> It did not help.
>
> The client machine is Windows; the CA root certificate (crt) and the
> client self-signed certificate (p12) have been added into Java via "java
> control panel->security->manage certificates".
>
>
>
> The full error log is:
>
>
>
> ERROR 08-21 09:39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {}
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
>                 at sun.security.validator.PKIXValidator.doBuild(Unknown
> Source)
>
>                 at sun.security.validator.PKIXValidator.engineValidate(Unknown
> Source)
>
>                 at sun.security.validator.Validator.validate(Unknown
> Source)
>
>                 at sun.security.ssl.X509TrustManagerImpl.validate(Unknown
> Source)
>
>                 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown
> Source)
>
>                 at 
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
> Source)
>
>                 at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
>
>                 at sun.security.ssl.ClientHandshaker.processMessage(Unknown
> Source)
>
>                 at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>
>                 at sun.security.ssl.Handshaker.process_record(Unknown
> Source)
>
>                 at sun.security.ssl.SSLSocketImpl.readRecord(Unknown
> Source)
>
>                 at 
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
>
>                 at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
>
>                 at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
>
>                 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.
> createLayeredSocket(SSLConnectionSocketFactory.java:396)
>
>                 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.
> connectSocket(SSLConnectionSocketFactory.java:355)
>
>                 at org.apache.http.impl.conn.
> DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOpe
> rator.java:142)
>
>                 at org.apache.http.impl.conn.
> PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionMan
> ager.java:359)
>
>                 at org.apache.http.impl.execchain.MainClientExec.
> establishRoute(MainClientExec.java:381)
>
>                 at org.apache.http.impl.execchain.MainClientExec.
> execute(MainClientExec.java:237)
>
>                 at org.apache.http.impl.execchain.ProtocolExec.
> execute(ProtocolExec.java:185)
>
>                 at org.apache.http.impl.execchain.RetryExec.execute(
> RetryExec.java:89)
>
>                 at org.apache.http.impl.client.In
> ternalHttpClient.doExecute(InternalHttpClient.java:185)
>
>                 at org.apache.http.impl.client.Cl
> oseableHttpClient.execute(CloseableHttpClient.java:118)
>
>                 at org.apache.http.impl.client.Cl
> oseableHttpClient.execute(CloseableHttpClient.java:56)
>
>                 at org.red5.client.net.rtmps.RTMPTSClientConnector.
> openConnection(RTMPTSClientConnector.java:139)
>
>                 at org.red5.client.net.rtmps.RTMPTSClientConnector.run(
> RTMPTSClientConnector.java:64)
>
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>
>                 at 
> sun.security.provider.certpath.SunCertPathBuilder.build(Unknown
> Source)
>
>                 at 
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
> Source)
>
>                 at java.security.cert.CertPathBuilder.build(Unknown
> Source)
>
>                 ... 27 common frames omitted
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> No context named default was found!!
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Monday, August 21, 2017 8:45 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> You can fix it by adding the self-signed CA to java/cacerts on the "client"
> machine (the machine where the screen-sharing web app is started).
>
>
>
> On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
>
> Tunneling RTMPS
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Monday, August 21, 2017 5:56 AM
>
>
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> What type of SSL are you checking? "native" or "tunneled"?
>
>
>
> On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
>
> Hi Maxim,
>
> Screen sharing with SSL does not work.
>
>
>
> Java outputs the following errors:
>
> ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {}
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
>
>
> Where should the datastore for screen sharing be placed, and what is its file name?
>
> /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen?
>
> Where should the password for this keystore be assigned?
>
>
>
> The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.properties
> files contain the following parameters:
>
>
>
> key="keystoreFile" value=......
>
> key="keystorePass" value=......
>
> key="truststoreFile" value=......
>
> key="truststorePass" value=......
>
>
>
> rtmps.keystorepass=xxxxx
>
> rtmps.keystorefile=conf/keystore.jks
>
> rtmps.truststorepass=xxxxx
>
> rtmps.truststorefile=conf/truststore.jks
>
>
>
> But for screen sharing I could not find the relevant information.
>
>
>
> Best regards,
>
> Nik
>
>
>
> *From:* Yakovlev N. [mailto:yakovlev...@krvostok.ru]
> *Sent:* Saturday, August 19, 2017 8:23 AM
> *To:* user@openmeetings.apache.org
> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>
>
>
> Hi Maxim,
>
> SSL is working fine.
>
> I found a mistake in the http://openmeetings.apache.org/RTMPSAndHTTPS.html
> manual:
>
> All keytool commands must use the filename keystore.jks, not keystore
> without an extension. :)
>
> This also applies to the truststore filename: it should be truststore.jks.
>
>
>
> Otherwise the names of the keystore and truststore should be changed in
> /opt/red5/conf/red5.properties.
>
>
>
> Nik
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Saturday, August 19, 2017 7:23 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> I'll try to check steps with self-signed cert and will report back
>
>
>
> On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
>
> Hello Ramon,
>
> All hope is on Maxim... :)
>
>
>
> Nik
>
>
>
> *From:* Ramón Zárate Moedano [mailto:hor...@gmail.com]
> *Sent:* Saturday, August 19, 2017 2:22 AM
>
>
> *To:* user@openmeetings.apache.org
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> Hello everyone ...
>
>
>
> I just cannot install SSL (from namecheap) ... this is beyond my skills.
>
>
>
> Is there someone who can help me with the installation in exchange for
> some money????
>
>
>
> Thanks in advance.
>
>
>
>
>
>
>
> 2017-08-18 1:23 GMT-05:00 Yakovlev N. <yakovlev...@krvostok.ru>:
>
> Hi Maxim,
>
> Thanks for reply.
>
> I've reinstalled the certificates two times, but SSL does not work.
>
> 1. Both certificates, the root CA and the client one, were added into
> /etc/pki/ca-trust/extracted/java/cacerts (this location is for CentOS) with
> the commands:
>
> keytool -import -keystore cacerts -file red5.crt -alias red5
>
> keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root
>
> 2. As you recommended, OM was started with red5-debug + the option
> "-Djavax.net.debug=all".
>
> The logs show nothing while an SSL session is being established.
>
> To exclude the impact of browsers, I tried to start up a session using
> telnet.
>
> Sessions to port 5080 (non-SSL) were recorded in the logs, but sessions to
> 5443 were not.
>
> In this case, the netstat command shows ESTABLISHED status to port 5443.
>
> Firewall is off.
>
> According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two config
> files have to be changed:
>
> 1. Edit red5/conf/jee-container.xml file:
>
>    Comment Tomcat without SSL enabled section
>
>    UNComment Tomcat with SSL enabled section
>
> 2. Edit red5/webapps/openmeetings/public/config.xml and set
>
>    <protocol>https</protocol>
>
>    <red5httpport>5443</red5httpport>
>
> Are these changes enough, or are more needed?
>
>
>
> Best regards,
>
> Nik
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
> *Sent:* Thursday, August 17, 2017 10:28 AM
> *To:* Openmeetings user-list
>
>
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
>
>
> Here is a useful link.
>
> I'm using these scripts (with some modifications); Chrome shows a green icon
> :)
>
> https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
>
>
>
> On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <solomax...@gmail.com>
> wrote:
>
> The steps on the site are for "real" certificates ...
>
> 1) add certificate to trusted certs of Java
>
>
>
> means Java needs to know about your certificate. I'm using a self-signed CA
> for testing, and I'm adding it to
>
> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>
>
>
> Additionally, I would recommend running red5 using red5-debug and modifying
> it by adding "*-Djavax.net.debug=all*" to see all SSL messages.
>
>
>
> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
>
> Hello Maxim,
> Don't worry that my question was missed because we all understand how much
> work you do.
> Your message made me return to the question of HTTPS for OM.
>
> So...
>
> 1) add certificate to trusted certs of Java
>
> Let's see the output of the keytool command:
>
> cd /opt/red5/conf
> keytool -list -keystore keystore
> Enter keystore password:
> xxxxx
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:
> 99:67:D5:1C:B8:25:1A:D9:88:0F
> root, Aug 16, 2017, trustedCertEntry,
> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:
> 6E:2F:1F:9A:83:F9:B0:1F:E1:45
>
> Is it OK?
>
> 2) add certificate to trusted certs of browser (icon should be green)
> Done
>
> 3) correctly create red5 keystore/truststore
> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
> truststore is a copy of keystore
> OK?
>
> Maxim, I would like to draw attention to one detail.
> A simple way to test an SSL connection is to use the following command:
> openssl s_client -connect FQDN:port
> For example,
> openssl s_client -connect www.mail.ru:443,
> openssl s_client -connect www.ya.ru:443
> and so on.
> This way does not use browsers and allows testing SSL connections at a
> lower level than a browser does.
> This command does not work and hangs for my OM, as I wrote before, and I
> think that the question is not in the types of certificates (trusted or
> self-signed ones).
> But where is the problem? I don't know yet...
>
> Nik
>
> -----Original Message-----
> From: Maxim Solodovnik [mailto:solomax...@gmail.com]
>
> Sent: Wednesday, August 16, 2017 5:51 PM
> To: Openmeetings user-list
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> Hello Nik,
>
> I'm trying to answer all emails, sorry if I missed yours :( To make a
> self-signed certificate work with red5 you MUST
> 1) add certificate to trusted certs of Java
> 2) add certificate to trusted certs of browser (icon should be green)
> 3) correctly create red5 keystore/truststore
>
> To provide further help I need your detailed steps.
>
> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <yakovlev...@krvostok.ru>
> wrote:
> > Hi Andreas,
> > OK, your opinion is your opinion and I respect it.
> > We speak about an internal OM service but not about the world one...
> > I understand trusted certificates are preferable, but in my case
> unnecessary, I think.
> > I'm not sure blacklists are my case...
> >
> > Nik
> >
> > -----Original Message-----
> > From: df...@gmx.de [mailto:df...@gmx.de]
> > Sent: Wednesday, August 16, 2017 4:18 PM
> > To: user@openmeetings.apache.org
> > Subject: Re: [ANNOUNCE] HTTPS is now required
> >
> > Hi Nik,
> >
> > sorry, I cannot agree to your "I cannot agree". Most email client
> programs do check certificates and deny connections if the certificate is not
> trusted. Maybe 5% will work, but 95% will not (and tomorrow the percentage
> will be higher than today). I cannot recommend using any self-signed
> certificate (except for internal tasks). Additionally, maybe you will be added
> to blacklists if you are "on the air" using a self-signed certificate.
> >
> > Best regards
> > Andreas
> >
> > Am Mittwoch, 16. August 2017, 16:01:52 CEST schrieb Yakovlev N.:
> >> I don't agree.
> >> I use self-signed certificates on other corporate services successfully
> (mail, cloud and so on).
> >> Yes, browsers ask questions but this is no problem. In this case such
> certificates must be added as trusted ones.
> >>
> >> Nik
> >>
> >> -----Original Message-----
> >> From: df...@gmx.de [mailto:df...@gmx.de]
> >> Sent: Wednesday, August 16, 2017 3:44 PM
> >> To: user@openmeetings.apache.org
> >> Subject: Re: [ANNOUNCE] HTTPS is now required
> >>
> >> Self-signed will not be accepted by most browsers and will not work.
> The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
> >>
> >> Try certificates from Let's Encrypt - they are free ;)
> >>
> >> Best regards
> >> Andreas
> >>
> >> Am Mittwoch, 16. August 2017, 15:25:17 CEST schrieb Yakovlev N.:
> >> > Hi, Maxim!
> >> > I have some problems with SSL and no ideas to solve them.
> >> > Five months ago I asked the community how to install SSL on OM but
> nobody answered.
> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser
> Subject: SSL with OM   Date Mon, 20 Mar 2017 08:30:40 GMT)
> >> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html
> did not help me.
> >> > No errors in the logs; the browser hangs and shows an empty page.
> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on
> the left bottom side.
> >> > The "openssl   s_client   -connect   vkc.krvostok.ru:5443" command
> hangs also and outputs only one line: CONNECTED(00000003).
> >> > Firewall is off, tcp-5443 port is listening on the OM host.
> >> >
> >> > Is there any roadmap for using self-signed certificates for OM?
> >> >
> >> > Best regards
> >> > Nik
> >> >
> >> > -----Original Message-----
> >> > From: Maxim Solodovnik [mailto:solomax...@gmail.com]
> >> > Sent: Wednesday, August 16, 2017 7:23 AM
> >> > To: Openmeetings user-list
> >> > Subject: [ANNOUNCE] HTTPS is now required
> >> >
> >> > Hello All,
> >> >
> >> > Google developers are trying to move the WWW to HTTPS. To force this
> transition they restrict features available to HTTP sites in
> Chrome/Chromium. The latest restriction is: camera and microphone will not be
> available to JS/Flash code for HTTP sites. Proof:
> >> >
> >> > "Microphone and Camera access no longer works on insecure origins. To
> use this feature, you should consider switching your application to a
> secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
> >> >
> >> > So please set up HTTPS for your OM site to prevent camera/microphone
> issues.
> >> >
> >> > --
> >> > WBR
> >> > Maxim aka solomax
> >> >
> >> >
> >>
> >>
> >>
> >
> >
>
>
>



-- 
WBR
Maxim aka solomax
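The fix the thread converges on (trust the self-signed CA, not the site certificate, in the cacerts of the JRE that actually runs javaws, then confirm the chain with openssl s_client) as an added shell example; it is not code from the thread or from the OpenMeetings/red5 project. It assumes keytool and openssl on PATH, the default cacerts password unless CACERTS_PASS is set, and the alias om-root-ca and the file name trust_ca.sh are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenMeetings/red5: put the
# self-signed CA into the cacerts of the JRE behind javaws, then verify.
set -eu

# Resolve the cacerts file behind a java/javaws binary. Follows symlink
# chains (e.g. /usr/bin/java -> .../jre/bin/java) and handles both the
# JDK 8 layout ($JAVA_HOME/jre/lib/security) and the JRE / JDK 9+ layout.
jre_cacerts_path() {
  bin="$1"
  while [ -L "$bin" ]; do
    target=$(readlink "$bin")
    case "$target" in
      /*) bin="$target" ;;
      *)  bin="$(dirname "$bin")/$target" ;;
    esac
  done
  home=$(cd "$(dirname "$bin")/.." && pwd)
  for candidate in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  echo "no cacerts found under $home" >&2
  return 1
}

# Import the CA (not the site cert: a trusted root validates the site cert)
# under a fixed alias. Idempotent, so re-running is safe. Assumes the
# default cacerts password unless CACERTS_PASS is set.
import_ca() {
  cacerts="$1"; ca_file="$2"; alias="$3"
  pass="${CACERTS_PASS:-changeit}"
  if keytool -list -keystore "$cacerts" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already present in $cacerts"
  else
    keytool -importcert -noprompt -trustcacerts -keystore "$cacerts" \
      -storepass "$pass" -file "$ca_file" -alias "$alias"
  fi
}

# Check the chain the server presents against the CA file with openssl,
# independent of any browser or JVM. "Verify return code: 0 (ok)" means a
# JVM trusting the same CA will build the PKIX path; anything else means
# the server is not sending a chain that leads to this CA.
verify_server_chain() {
  host="$1"; port="$2"; ca_file="$3"
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$ca_file" 2>/dev/null | grep 'Verify return code'
}

# usage: sh trust_ca.sh run ca.crt vkc.krvostok.ru 5443 [/path/to/javaws]
if [ "${1:-}" = "run" ]; then
  cacerts=$(jre_cacerts_path "${5:-$(command -v javaws)}")
  import_ca "$cacerts" "$2" om-root-ca
  verify_server_chain "$3" "$4" "$2"
fi
```

On a Windows client the same three steps apply, with the cacerts path taken from the JRE shown in Task Manager for javaws rather than from PATH.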
