On Sun, 19 Jul 2020 at 12:41, Online Use <foronlineuseem...@yahoo.com>
wrote:

> I used WebRTC Internals (about:webrtc in Firefox) to log WebRTC activity,
> but nothing got logged when I opened an audio & video session using OM.
> Why, if WebRTC is actually utilized?
>

I have just checked using the latest FF on Ubuntu 20.04
about:webrtc
and demo-next https://om.alteametasoft.com:8443/next/

WebRTC info is displayed as expected


>
>
> On Sunday, 19 July 2020 at 3:00:25 AM GMT+2, Maxim Solodovnik <
> solomax...@gmail.com> wrote:
>
>
> Will do top posting
>
> It seems I wasn't clear enough while describing how everything works
> Here is the diagram
> https://doc-kurento.readthedocs.io/en/stable/user/writing_applications.html#application-architecture
> (the beautiful one)
> As you can see OM is only "control server"
> All streams go directly to/via KMS
>
> I'll try to set up secured KMS, but unfortunately have no ETA
> I do remember I have difficulties with certificate ....
>
> On Sun, 19 Jul 2020 at 01:23, Online Use <foronlineuseem...@yahoo.com>
> wrote:
>
> Encryption
>
> Encryption is mandatory part of WebRTC and is enforced on all aspects of
> establishing and maintaining a connection. It makes it effectively
> impossible for someone to gain access to the contents of a communication
> stream because all media streams are securely encrypted through
> standardized and time-tested encryption protocols. Only those applications
> with the secret encryption key are able to decode the streams.
>
> The best practice for this is to use perfect forward secrecy (PFS) ciphers
> in a DTLS (Datagram Transport Layer Security) handshake to securely
> exchange key data (this is the method Frozen Mountain uses).  For audio and
> video, key data can then be used to generate AES (Advanced Encryption
> Standard) keys which are in turn used by SRTP (Secure Real-time Transport
> Protocol) to encrypt and decrypt the media. This acronym-rich stack of
> technologies translates to extremely secure connections that are impossible
> to break with current technology. Both WebRTC and ORTC mandate this
> particular stack, which is backwards-compatible and interoperable with VoIP
> systems.
>
> https://www.frozenmountain.com/developers/blog/what-you-need-to-know-about-webrtc-security
>
>
> Does this apply to the OM system? because you said you guess audio and
> video are not encrypted, but since WebRTC is used already in OM, wouldn't
> that mean encryption is effective already, or is there something missing?
>
>
>
>
> On Saturday, 18 July 2020 at 8:14:03 PM GMT+2, Online Use <
> foronlineuseem...@yahoo.com> wrote:
>
>
> I have been able to use TLS port and certificates with TURN in the
> applicationContext.xml file without a problem, but the TURN url doesn't
> include protocol (https or wss) only the TLS port number. I have actually
> commented out the non-secure port setting in coturn conf. file. It's
> working fine, but I'm not sure if the url should contain protocol directive
> https or wss or none? When I used the https directive I got an error
> message NS_ERROR_UNEXPECTED. Any comments?
>
> My problem now is with the KMS url, I have specified the TLS port and
> certificates, but when I use the wss:// protocol I get the error of media
> server is not accessible. Could someone try to use this secure setting and
> confirm if it's working properly or not to make sure what is the issue at
> my end?
>
>
>
> On Saturday, 18 July 2020 at 7:54:31 PM GMT+2, Maxim Solodovnik <
> solomax...@gmail.com> wrote:
>
>
>
>
> On Sun, 19 Jul 2020 at 00:26, Online Use <foronlineuseem...@yahoo.com>
> wrote:
>
> Can you please share with me the architecture of the OM system, showing
> components and interfaces?
>
>
> we don't have such diagram ATM
>
>
>
> I don't understand how https is secure while the KMS socket is not secure?
> And what is the role of TURN in securing the connection? What should TURN
> be used in case of https protocol?
>
>
> Out-of-the-box OM provides HTTPS which ensures login and all UI actions
> are secured
> KMS out-of-the-box is NOT secured, and it is OM-server-admin task to
> secure it
>
> TURN is used to be able to negotiate connection with users without real IP
> It tries to resolve user IP so direct connection can be established
> OR
> bypass all WebRTC traffic like SOCKS proxy if IT is NOT resolvable
> (I believe you can easily Google above info with much more details)
>
> So if you want fully secured system you have to ensure both KMS and TURN
> are secured as well
>
>
>
> I think security of the system is questionable. Did you try to use wss://
> in KMS url to test it before release?
>
>
> I see no need in such test
> We are using KMS API to control connections (drop, create recording chains
> etc.)
> We are not working with audio/video streams directly this is the task of
> media server
>
>
>
>
> On Saturday, 18 July 2020 at 6:21:15 PM GMT+2, Maxim Solodovnik <
> solomax...@gmail.com> wrote:
>
>
>
> On Fri, 17 Jul 2020 at 15:29, Online Use <foronlineuseem...@yahoo.com>
> wrote:
>
> I also used cert and key files for TLS in COTURN, I used https in turnurl
> in the applicationContext.xml file, but I got an NS_ERROR_UNEXPECTED.
>
> Probably the application itself is not designed to use TLS for Kurento and
> COTURN?
>
>
> Not sure which application are you talking about :(
> OM doesn't use TURN, WebRTC in browser uses TURN ....
>
>
>
>
> On Thursday, 16 July 2020 at 12:34:11 PM GMT+2, Online Use <
> foronlineuseem...@yahoo.com> wrote:
>
>
> I found this note in Kurento documentation:
> https://doc-kurento.readthedocs.io/en/stable/features/security.html
>
> *Keep in mind that serving your application through HTTPS, forces you to
> use WebSockets Secure (WSS) if you are using websockets to control your
> application server.*
>
> So how the OM system is working while the applicationContext.xml used
> ws:// connection url?
>
>
> I would check the traffic with some sniffer and then ask KMS devs
> From my point of view right now everything works as expected
> OM uses HTTPS and wss for internal websocket messages
> AND it has KMS at ws URL ....
>
>
>
> Is it secure enough to use https in the browser without using wss
> connection? Are all media streams including audio and video encrypted this
> way?
>
>
> I guess audio/video is NOT encrypted
> this is why i wrote you need to secure KMS ....
>
>
>
>
> Moreover, I edited the kurento.conf.json file to include path to the
> certificate file, and edited the applicationContext.xml file to use
> wss:// with secure port, but the OM raised an error message saying the
> media server is inaccessible. What is the problem?
>
>
> I can't say from this description
> you have to check
> 1) KMS logs
> 2) KMS URL (i guess port will be different in case of wss)
> 3) OM logs
> 4) browser console logs and/or browser's WebRTC debugging tools
>
>
>
>
>
>
> On Thursday, 16 July 2020 at 3:26:25 AM GMT+2, Maxim Solodovnik <
> solomax...@gmail.com> wrote:
>
>
>
>
> On Tue, 14 Jul 2020 at 13:31, Online Use <foronlineuseem...@yahoo.com>
> wrote:
>
> I installed KMS using podman not docker, I can't find the configuration
> file path you mentioned, where could it be located?
>
>
> Unfortunately I can't help here
> I never use podman
>
>
>
> So the steps are to edit the kurento.conf.json to enable secure
> connection, then to edit the applicationContext.xml file to use wss://
> instead of ws:// in Kurento url, right?
>
>
> most probably you will need to create certificate for KMS (never did it
> myself, so you will have to experiment here)
>
>
>
>
> In a previous reply you mentioned that:
> In WebRTC tunneling is made by front-end proxy (the config is not trivial)
> OR with TURN server if user is behind strict FW
>
> So how to enable WebRTC tunneling with TURN server?
>
>
> TURN server was designed to unhide user IP address (so tunneling is not
> necessary)
> Or to proxy WebRTC
> So it will work out-of-the-box
>
>
>
> On Tuesday, 14 July 2020 at 4:21:54 AM GMT+2, Maxim Solodovnik <
> solomax...@gmail.com> wrote:
>
>
>
>
> On Mon, 13 Jul 2020 at 14:11, Online Use <foronlineuseem...@yahoo.com>
> wrote:
>
> I tried using wss:// protocol in Kurento url in the ApplicationContext.xml
> file, but in this case the media server wasn't accessible. So how the wss
> protocol is supposed to be used?
>
>
> You have to configure KMS to be secured BEFORE you make changes
> to applicationContext.xml
>
> please check /etc/kurento/kurento.conf.json
> And official KMS documentation
>
>
>
> Also how to configure tunneling with the TURN server?
>
> Thank you.
>
>
> On Monday, 13 July 2020 at 6:55:48 AM GMT+2, Maxim Solodovnik <
> solomax...@gmail.com> wrote:
>
>
>
>
> On Sun, 12 Jul 2020 at 23:46, Online Use <foronlineuseem...@yahoo.com>
> wrote:
>
> Excuse me, but what is wss?
>
>
> You can easily google this
> WSS is secured version of WS
> both WS and WSS are protocol prefix for WebSockets
>
>
>
> Will SSL and wss provide tunneling of audio and video streaming like RTMPS?
>
>
> RTMPS doesn't provide tunneling, you need RTMPTS for tunneling
> And NO
> In WebRTC tunneling is made by front-end proxy (the config is not trivial)
> OR with TURN server if user is behind strict FW
>
>
>
> Don't you have any plans for including red5 and RTMPS in future releases?
> What is the alternative technology?
>
>
> NO
> RTMP is part of Adobe Flash which is discontinued
> This is why we have moved from RTMP to WebRTC
>
>
> Thanks.
>
>
> On Sunday, 12 July 2020 at 3:36:57 PM GMT+2, Maxim Solodovnik <
> solomax...@gmail.com> wrote:
>
>
> RTMP/RTMPT/RTMPS is for 4.0.x only
> for 5.0.x+ you need to secure KMS i.e. set up certificate and use wss :))
>
> On Sun, 12 Jul 2020 at 13:48, Online Use <foronlineuseem...@yahoo.com>
> wrote:
>
> Hello,
>
> Is RTMPS enabled by default once SSL is implemented?
>
> I know red5 is not supported for M4 release, but how to enable RTMPS for
> audio/video encryption?
>
> I understand red5 is only needed for IP telephone not for PC voip, is that
> correct?
>
>
>
> --
> Best regards,
>
> Maxim
>


-- 
Best regards,
Maxim
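
The encryption passage quoted in this thread describes WebRTC media as keyed by a DTLS handshake and carried as SRTP, and that negotiation is visible in the local and remote SDP that about:webrtc displays. As an added example (not part of the thread and not OpenMeetings or Kurento code), this Python function checks each `m=` section of an SDP blob for a DTLS-keyed transport profile and a certificate fingerprint; the sample SDP is constructed.

```python
import re

# a=fingerprint:<hash-func> <colon-separated hex bytes>
FP = re.compile(r"^a=fingerprint:\S+ (?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}$")

def audit_sdp(sdp):
    """Return (media, proto, ok, reason) for every active m= section."""
    session, sections = [], []
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            sections.append([line])       # start of a new media section
        elif sections:
            sections[-1].append(line)     # attribute of the current section
        else:
            session.append(line)          # session-level line
    session_fp = any(FP.match(l) for l in session)
    results = []
    for sec in sections:
        media, port, proto = sec[0][2:].split()[:3]
        if port == "0":                   # rejected section: nothing is sent on it
            continue
        parts = proto.split("/")
        # A fingerprint may be given per section or once at session level.
        has_fp = session_fp or any(FP.match(l) for l in sec[1:])
        if "TLS" in parts and parts[-1] in ("SAVP", "SAVPF"):
            kind = "DTLS-SRTP"            # e.g. UDP/TLS/RTP/SAVPF
        elif "DTLS" in parts:
            kind = "DTLS data channel"    # e.g. UDP/DTLS/SCTP
        else:
            results.append((media, proto, False, proto + " is not a DTLS-keyed profile"))
            continue
        if has_fp:
            results.append((media, proto, True, kind))
        else:
            results.append((media, proto, False, kind + " profile without a=fingerprint"))
    return results

# Constructed sample, not captured from a real OpenMeetings/KMS session.
SAMPLE_SDP = "\n".join([
    "v=0", "o=- 1 1 IN IP4 0.0.0.0", "s=-", "t=0 0",
    "a=fingerprint:sha-256 " + ":".join(["AB"] * 32),
    "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=setup:actpass",
    "m=video 9 RTP/AVP 96",
    "m=application 0 UDP/DTLS/SCTP webrtc-datachannel",
])

if __name__ == "__main__":
    for row in audit_sdp(SAMPLE_SDP):
        print(row)
```

This inspects only what the SDP negotiates for the media path; the `ws://` or `wss://` URL between the application server and KMS is a separate control connection and does not appear in it.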
