Disclaimer
I cannot guarantee that this tutorial is faultless as I spent a lot of time setting up Openfire to work with Red5 via Spark over RTMPS using Linux as a client. I do not want to destroy my now working installation in order to test this tutorial, but I have written this the day after getting everything working so it is fresh in my mind. If you have a problem getting it going then leave a message below and I will modify this document.
Known bugs
When you place a call to someone they must also place a call back to you! They will not be notified that a call is waiting for them;
The chat window will also open but it will open a new chat window each time you place a call, even if that call is to the same person. You will therefore wind up with several tabs to the same person if you make multiple calls to them without closing the chat window in between. You can simply close the additional windows manually;
The other person will not get a notification asking 'Do you want to accept this call' but their camera will not be turned on until they place a call back to you;
Each person who you want to be able to call must have the same modifications applied to the Spark client;
If you call a second person then I am not sure what will happen if you have not closed the first call window. It may work, but to be on the safe side you will be better off closing the first call window before placing a second call;
Sorry, but I couldn't figure out the openfire API sufficiently to make the above work without introducing additional bugs which I thought were worse! If someone with a better knowledge of the openfire API wants to let me know how to fix these problems then I will happily fix them. I am sure it is just a couple of lines of code but I could not find an example.
Description
This document describes how to set up Openfire, the Red5 plugin and Spark for secure video messaging. It will not cover how to set up SparkWeb for secure audio/video, but you may be able to work out how to do it after reading this. This document is more focused on getting things to work on both Windows and Linux (I am using Debian Etch for the server and Debian Lenny for the client, tested on Windows XP and Vista for Spark client integration). If you do not need Linux support then you can skip several of the steps. I have made several changes to the red5-plugin.jar file in order to make opening a browser possible under Linux (it should also work on the Mac). All the files you need should be attached except for XULRunner, which is described later on.
Requirements
Openfire (3.6.0a);
Spark (2.5.8);
Apache 2;
On Linux (and possibly Windows) you will need a valid SSL certificate (not self-signed). This is because of the use of MozSwing and XULRunner: MozSwing will not prompt you to accept a self-signed certificate, so the connection simply fails. You can pick one up for £15 at www.godaddy.com but I found their customer service to be somewhat lacking;
On Linux you will need to use Flash Player version 10, which is a beta release. It is the only version that can handle web camera integration;
XULRunner will be required, but you MUST use the version from the MozSwing project as it has been modified to work with MozSwing. MozSwing is used to open a web browser in order to play the Flash movie.
Modified files
I found that I had to modify a few files in order to make things work. Your mileage with the existing openfire.jar may vary, but I could not make it work without editing. The modifications I made were:
openfire.jar was modified:
org.jivesoftware.openfire.http.HttpBindManager – has been edited to hard-code the SSL port as 8443. I found that I could not set the SSL port and it was always '0' with the build of openfire I used. You do not strictly need this modification if you do not mind the initial HTTP request being unencrypted; the Flash movie will still send its data stream in an encrypted format;
red5.war was modified:
/video/320x240.lzx – This is the video file that is used to show the audio and video. It is compiled into a .swf file using OpenLaszlo. You must use version 3 (I used 3.2) of OpenLaszlo as it will not compile on more recent versions;
red5-plugin.jar was modified:
This can be found inside of the red5.war/spark folder but you must use the one attached to this document. I have modified Red5Plugin.java so that it will read the Red5.properties file (it was looking in the wrong place previously) and added a class SparkBrowser which replaces BareBonesBrowserLauncher.
The above compiled versions of the files are attached.
How the set-up links together
A request from the Spark client using audio/video is sent to the apache server which will act as a proxy server. This request will go to apache which will then forward that request onto the Red5 server. This allows apache to handle the SSL encryption/decryption which I am not certain that the version of Red 5 in the red5-plugin can do (see http://gregoire.org/2008/05/26/rtmps-in-red5/). Hence I use apache to handle this functionality.
Request cycle
Spark (rtmps – ssl encrypted) => Apache 2 (decrypts) => Red 5 (unencrypted)
Response cycle
Red 5 (unencrypted) => Apache 2 (Encrypts) => Spark (decrypts)
The above is a basic description of the request/response cycle. In actuality Spark is using a web browser which plays the Flash movie and handles the SSL encryption/decryption. RTMPS (Real Time Media Protocol Secure) is the protocol used by Flash to talk with Red 5. RTMPS is simply RTMPT (Real Time Media Protocol Tunneled) done over SSL, and RTMPT is RTMP over HTTP.
So ... all communication is RTMP, but in this case we will do it over HTTP and encrypt it using SSL. That is why we need Apache and why Spark uses a web browser: they are required to encode/decode the SSL streams.
Set up
Install openfire on your server:
sudo dpkg -i openfire_3.6.0a_deb_all.deb
Install the red5 plugin:
Download the Red 5 plugin which is currently in the beta plugins section. You can currently get it from here http://www.igniterealtime.org/projects/openfire/plugins-beta.jsp
Shutdown the openfire server:
sudo /etc/init.d/openfire stop
Copy the red5 plugin that you downloaded to the openfire plugins directory at /usr/share/openfire/plugins;
Startup openfire:
sudo /etc/init.d/openfire start
You will see the red5 war file expand into a folder called red5;
Shutdown openfire again;
There are some files attached to this document, download them and do the following:
Copy the openfire-https-8443.jar to /usr/share/openfire/lib/openfire-https-8443.jar and DELETE the existing openfire.jar. The new jar file forces HTTP_BIND ssl to work on port 8443. Without it I found that HTTP_BIND with ssl does not work.
This step is not strictly necessary but it will allow you to call the HTML page containing the Flash movie over SSL. The movie will be encrypted whether or not you do this as it uses HTTPS to Apache. How you call the HTML page containing the movie is irrelevant; it is how the movie in the HTML page connects to Red 5 that is critical. Therefore you may not need this step.
Copy the file video320x240.lzx.swf to /usr/share/openfire/plugins/red5/video. It contains a modification that allows us to pass a parameter 'url' containing the rtmps protocol necessary for SSL encryption. Without this modification the movie uses a hard-coded string of 'rtmp:/oflaDemo' and will not be encrypted;
Restart openfire;
Setup your apache virtual host. You will need to use a valid SSL certificate (not self signed) so bear this in mind when you do this. If you are trying to set this up as a subdomain and your SSL certificate is not for the subdomain then it will fail. Luckily, integrating red5 into your existing main default host should cause 99% of people no problems. This is because we only need to proxy for URLS of the following form:
/open
/close
/idle
/send
I have attached a copy of a virtual host that you can use as a template;
Copy the folders /usr/share/openfire/plugins/red5/video and /usr/share/openfire/plugins/red5/screen to your Apache document root red5 folder (you will need to create the red5 folder). This may be /var/www/YOUR_DOMAIN_NAME/red5;
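As an added illustration of the proxy arrangement described above (this is my own example, not the attached template), here is an Apache 2 virtual host that terminates SSL and forwards only the four RTMPT paths to Red5 in clear text. It assumes Red5 runs on the same machine with its RTMPT listener on port 8088 (Red5's default; check your Red5 configuration) and uses placeholder certificate paths that you replace with your own.

```apache
# Added example, not the attached template. Apache 2.2 syntax (Debian Etch era).
# Assumption: Red5 listens for RTMPT on 127.0.0.1:8088 (Red5 default, verify locally).
<VirtualHost *:443>
    ServerName   YOUR_DOMAIN_NAME
    DocumentRoot /var/www/YOUR_DOMAIN_NAME

    # A CA-signed certificate is required: MozSwing/XULRunner will not prompt
    # the user to accept a self-signed one, so the browser simply fails to connect.
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/YOUR_DOMAIN_NAME.crt   # placeholder
    SSLCertificateKeyFile   /etc/apache2/ssl/YOUR_DOMAIN_NAME.key   # placeholder
    SSLCertificateChainFile /etc/apache2/ssl/ca_bundle.crt           # placeholder, if your CA needs one

    # Reverse proxy only: never act as an open forward proxy for arbitrary hosts.
    ProxyRequests    Off
    ProxyPreserveHost On

    # RTMPT carries its session in the URL (/open/1, /send/<session>/<seq>,
    # /idle/<session>/<seq>, /close/<session>/<seq>), so a prefix match on
    # these four paths is all that needs to reach Red5. The trailing slash
    # stops the prefix from also matching unrelated paths such as /openfire.
    ProxyPass        /open/  http://127.0.0.1:8088/open/
    ProxyPassReverse /open/  http://127.0.0.1:8088/open/
    ProxyPass        /close/ http://127.0.0.1:8088/close/
    ProxyPassReverse /close/ http://127.0.0.1:8088/close/
    ProxyPass        /idle/  http://127.0.0.1:8088/idle/
    ProxyPassReverse /idle/  http://127.0.0.1:8088/idle/
    ProxyPass        /send/  http://127.0.0.1:8088/send/
    ProxyPassReverse /send/  http://127.0.0.1:8088/send/

    # Static HTML page and compiled .swf copied from the plugin's video/ and screen/ folders.
    <Directory /var/www/YOUR_DOMAIN_NAME/red5>
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog  /var/log/apache2/red5-ssl-error.log
    CustomLog /var/log/apache2/red5-ssl-access.log combined
</VirtualHost>
```

Enable the required modules with `a2enmod ssl proxy proxy_http` before restarting Apache; the access log then shows the `/open/`, `/send/` and `/idle/` POSTs arriving on port 443, which is a quick cross-check against the Wireshark test later in this document.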
Restart Apache;
Download the attached red5-plugin.jar file and place it in your client side Spark user plugins folder. On Linux this is located at /home/USER_NAME/.Spark/plugins. You could also place it in the main Spark folder, which for me is at /usr/local/Spark/plugins; it will then be automatically copied for each user to their own folder. You MUST use the attached version as it has the 'Call' option added back into the right click menu. For some reason it seemed to vanish on the latest downloaded version from:
http://demo.free-solutions.ch/clearspace/docs/DOC-1066
which was dated the 8th September when this document was written.
As this document will only allow attachments of 20 Meg you will now need to manually install XULRunner as it cannot be included in the red5-plugin.jar file due to its download size.
YOU MUST INSTALL XULRunner FROM THE MOZSWING PROJECT AS IT IS PATCHED TO WORK WITH MOZSWING!
Download it from here http://sourceforge.net/projects/mozswing
Copy the folder mozswing-x.x/native/YOUR_OS_VARIANT/xulrunner to /home/YOUR_USER_NAME/.Spark/plugins/red5-plugin/xulrunner
Modify the file /home/YOUR_USER_NAME/.Spark/plugins/red5-plugin/Red5.properties so that it points to your server.
Proving it is encrypted
Download Wireshark and use it to analyse the packets being sent from the Flash movie. To do this on Linux (it should be the same on Windows):
Press the 'List available capture devices' button which is the first button on the toolbar;
Stop all activity that may be talking from your computer to your server on port 443! This would generally mean that you should not have any web pages open to your Apache over HTTPS.
Press Start for your current interface (I am on wlan1 but you may be on eth0 or eth1). It should have numbers changing next to it which indicates that packets are traversing the interface;
Start your call from Spark by right clicking on a user and selecting call (you do not need another user to test this – just call someone on your list even if they are not online and do not have their client modified yet);
Wait a few seconds while Wireshark captures the data;
Press the 'Stop' button on Wireshark, it is the 4th button on the toolbar;
In the Filter, type 'tcp.port==443'. You should see some packets listed; if you don't then your setup was not communicating via port 443 and was therefore NOT encrypted. If this is the case then delete the filter and look at the packets manually. If it is using port 1935 (the default unencrypted RTMP port) or port 80 then you are not secured by SSL.
FINISHED
Start Spark and try to place a call to a user who has the same red5-plugin.jar and XULRunner setup as you.
Hopefully in the future this functionality will be built into the Red5-plugin and Spark to make this easier. It has already been added to the 'todo' list.
I found the above complicated to set up and what I have works for me. If you know of a better way to do it then I am all ears!
If you find that this document needs to be modified due to an error then let me know.