Native SSL support for RTMPS (no HTTP wrapping)

[mr.david.hogan@…]

The ActionScript documentation claims that it is possible to have an RTMPS connection that uses a native SSL/TLS connection rather than using HTTPS tunneling. This is achieved by setting the proxyType property to "best" on the NetConnection object before calling connect().

The documentation states:

"The default value for this property is "none"; if you do not change this value, the application uses HTTPS tunneling for RTMPS. If the property is set to "best", the client attempts to connect using native SSL."

There also exists a usingTLS readonly property on the NetConnection object, which is set to true when "a secure connection was made using native Transport Layer Security (TLS) rather than HTTPS."

Given that the HTTP POST based RTMPT and (regular) RTMPS protocols perform quite badly over connections with latency (my test case is a 300ms round trip), a significant benefit to such users would be delivered by the implementing of a native SSL RTMPS mode.

Cheers,
Dave

[mr.david.hogan@…]

Relevant documentation:

 http://help.adobe.com/en_US/AS3LCR/Flash_10.0/flash/net/NetConnection.html#proxyType

[aclarke]

Hi David,

This is a great feature request, and you're right that Red5 doesn't support it today. However, we're unlikely to add it soon due to, well, we're focusing on other things. I just want to ask for your patience on this, as Red5 is all-volunteers working in their (increasingly limited) spare time.

That said, patches are very welcome for this. If you were able to patch, and create some unit tests, we'd consider adding this feature sooner.

Thanks,

- Art

[electroteque]

I believe it would be using this guys, so directly via mina correct ? So a similar setup to rtmp but it is encoding / decoding information on the fly :)

 http://www.oschina.net/uploads/doc/mina-2.0.0-M3/org/apache/mina/filter/ssl/SslFilter.html

[mr.david.hogan@…]

Sorry if I sounded pushy!

[paul]

In the beginning I had started implementing the feature in this mode via Mina. I later found out that the default was via tunneling and didnt know there was a non-tunneled mode. I probably have the code around here some where but I doubt I'll have time to work on this in the near future. A client or unit test will certainly speed up the process.

[electroteque]

what kind of client do you need.

[mr.david.hogan@…]

I'd be happy to put together a simple client that attempts to make the connection and reports on whether native SSL mode was achieved upon connection. That said it's as simple as setting the proxyType property on the NetConnection to "best" before calling connect(), and then checking the using TLS property after successful connection.

One thing I did notice, was that if you are using a cert trusted by the flash player and you set proxyType to "best", the connection never establishes - it just hangs. Oddly if you use a cert that isn't trusted by the flash player and the player issues a security warning to the user, the player successfully connects once the user dismisses the warning. At any rate. the client certainly appears to be doing something different when the proxyType is changed.

[mr.david.hogan@…]

Does anyone have any detail about what the protocol is in native SSL mode? I don't think it's quite as simple just RTMP over SSL as if it were then RTMP + stunnel would have worked.

[electroteque]

Have a look here, it seems to plugin ssl directly into the tcp connection when making an rtmp connection, would this be rtmpt + ssl still though ?

 http://mammoth.svn.sourceforge.net/viewvc/mammoth/trunk/src/core/net/rtmp_connection.cpp?view=markup

[mondain]

Fixed in 0.9 RC3