Refactor SSL in Tomcat for 11+ and update version to 2.0.10

Red5 · Dec 18, 2024 · a61cda1 · a61cda1
1 parent 3576532
commit a61cda1
Show file tree

Hide file tree

Showing 11 changed files with 88 additions and 21 deletions.
diff --git a/client/pom.xml b/client/pom.xml
@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.red5</groupId>
         <artifactId>red5-parent</artifactId>
-        <version>2.0.9</version>
+        <version>2.0.10</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>red5-client</artifactId>

diff --git a/client/src/main/java/org/red5/client/Red5Client.java b/client/src/main/java/org/red5/client/Red5Client.java
@@ -18,7 +18,7 @@ public final class Red5Client {
     /**
      * Current server version with revision
      */
-    public static final String VERSION = "Red5 Client 2.0.9";
+    public static final String VERSION = "Red5 Client 2.0.10";
 
     /**
      * Create a new Red5Client object using the connection local to the current thread A bit of magic that lets you access the red5 scope

diff --git a/common/pom.xml b/common/pom.xml
@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.red5</groupId>
         <artifactId>red5-parent</artifactId>
-        <version>2.0.9</version>
+        <version>2.0.10</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>red5-server-common</artifactId>
@@ -105,7 +105,7 @@
         <dependency>
             <groupId>net.engio</groupId>
             <artifactId>mbassador</artifactId>
-            <version>2.0.9</version>
+            <version>2.0.10</version>
         </dependency> -->
         <dependency>
             <groupId>junit</groupId>

diff --git a/common/src/main/java/org/red5/server/api/Red5.java b/common/src/main/java/org/red5/server/api/Red5.java
@@ -57,12 +57,12 @@ public final class Red5 {
     /**
      * Server version with revision
      */
-    public static final String VERSION = "Red5 Server 2.0.9";
+    public static final String VERSION = "Red5 Server 2.0.10";
 
     /**
      * Server version for fmsVer requests
      */
-    public static final String FMS_VERSION = "RED5/2,0,9,0";
+    public static final String FMS_VERSION = "RED5/2,0,10,0";
 
     /**
      * Server capabilities

diff --git a/io/pom.xml b/io/pom.xml
@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.red5</groupId>
         <artifactId>red5-parent</artifactId>
-        <version>2.0.9</version>
+        <version>2.0.10</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>red5-io</artifactId>

diff --git a/pom.xml b/pom.xml
@@ -24,7 +24,7 @@
     <name>Red5</name>
     <description>The Red5 server</description>
     <groupId>org.red5</groupId>
-    <version>2.0.9</version>
+    <version>2.0.10</version>
     <url>https://github.com/Red5/red5-server</url>
     <inceptionYear>2005</inceptionYear>
     <organization>

diff --git a/server/pom.xml b/server/pom.xml
@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.red5</groupId>
         <artifactId>red5-parent</artifactId>
-        <version>2.0.9</version>
+        <version>2.0.10</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>red5-server</artifactId>

diff --git a/server/src/main/java/org/red5/server/tomcat/TomcatConnector.java b/server/src/main/java/org/red5/server/tomcat/TomcatConnector.java
@@ -13,11 +13,12 @@
 import java.util.Map.Entry;
 
 import org.apache.catalina.connector.Connector;
-import org.apache.catalina.core.AprLifecycleListener;
 import org.apache.coyote.ProtocolHandler;
 import org.apache.coyote.http11.Http11Nio2Protocol;
 import org.apache.coyote.http11.Http11NioProtocol;
 import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.red5.logging.Red5LoggerFactory;
 import org.slf4j.Logger;
 
@@ -72,26 +73,89 @@ public void init() {
             // set connection properties
             if (connectionProperties != null) {
                 for (String key : connectionProperties.keySet()) {
+                    // skip ssl related properties
+                    if (key.startsWith("keystore") || key.startsWith("truststore") || key.startsWith("certificate") || key.equals("clientAuth") || key.equals("allowUnsafeLegacyRenegotiation")) {
+                        continue;
+                    }
                     connector.setProperty(key, connectionProperties.get(key));
                 }
             }
             // turn off native apr support
-            AprLifecycleListener listener = new AprLifecycleListener();
-            listener.setSSLEngine("off");
-            connector.addLifecycleListener(listener);
-            // determine if https support is requested
-            if (secure) {
-                // set connection properties
-                connector.setSecure(true);
-                connector.setScheme("https");
-            }
+            //AprLifecycleListener listener = new AprLifecycleListener();
+            //listener.setSSLEngine("off");
+            //connector.addLifecycleListener(listener);
             // apply the bind address to the handler
             ProtocolHandler handler = connector.getProtocolHandler();
             if (handler instanceof Http11Nio2Protocol) {
                 ((Http11Nio2Protocol) handler).setAddress(address.getAddress());
             } else if (handler instanceof Http11NioProtocol) {
                 ((Http11NioProtocol) handler).setAddress(address.getAddress());
             }
+            // Reference https://tomcat.apache.org/tomcat-11.0-doc/ssl-howto.html#SSL_and_Tomcat
+            // determine if https support is requested
+            if (secure) {
+                // set connection properties
+                connector.setSecure(true);
+                connector.setScheme("https");
+                connector.setProperty("SSLEnabled", "true");
+                // create a new ssl host config
+                SSLHostConfig sslHostConfig = new SSLHostConfig();
+                /*
+                    <entry key="sslProtocol" value="TLS" />
+                    <entry key="keystoreFile" value="${rtmps.keystorefile}" />
+                    <entry key="keystorePass" value="${rtmps.keystorepass}" />
+                    <entry key="truststoreFile" value="${rtmps.truststorefile}" />
+                    <entry key="truststorePass" value="${rtmps.truststorepass}" />
+                    <entry key="clientAuth" value="false" />
+                    <entry key="allowUnsafeLegacyRenegotiation" value="true" />
+                 */
+                sslHostConfig.setSslProtocol("TLS");
+                sslHostConfig.setTruststoreFile(connectionProperties.get("truststoreFile"));
+                sslHostConfig.setTruststorePassword(connectionProperties.get("truststorePass"));
+                if (connectionProperties.containsKey("truststoreType")) {
+                    sslHostConfig.setTruststoreType(connectionProperties.get("truststoreType"));
+                } else {
+                    sslHostConfig.setTruststoreType("JKS");
+                }
+                // set the protocols
+                if (connectionProperties.containsKey("protocols")) {
+                    String[] protocols = connectionProperties.get("protocols").split(",");
+                    //sslHostConfig.setProtocols(protocols);
+                    sslHostConfig.setEnabledProtocols(protocols);
+                } else {
+                    sslHostConfig.setProtocols("TLSv1.2");
+                    sslHostConfig.setEnabledProtocols(new String[] { "TLSv1.2" });
+                }
+                // set the ciphers
+                if (connectionProperties.containsKey("ciphers")) {
+                    String[] ciphers = connectionProperties.get("ciphers").split(",");
+                    //sslHostConfig.setCiphers(ciphers);
+                    sslHostConfig.setEnabledCiphers(ciphers);
+                } else {
+                    //sslHostConfig.setCiphers("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
+                }
+                // dont allow unsafe renegotiation
+                sslHostConfig.setInsecureRenegotiation(!secure);
+                // create a new ssl host config certificate
+                SSLHostConfigCertificate sslHostConfigCert = new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.RSA);
+                sslHostConfigCert.setCertificateKeystoreFile(connectionProperties.get("keystoreFile"));
+                sslHostConfigCert.setCertificateKeystorePassword(connectionProperties.get("keystorePass"));
+                if (connectionProperties.containsKey("keystoreType")) {
+                    sslHostConfigCert.setCertificateKeystoreType(connectionProperties.get("keystoreType"));
+                } else {
+                    sslHostConfigCert.setCertificateKeystoreType("JKS");
+                }
+                // set the certificate key alias
+                if (connectionProperties.containsKey("certificateKeyAlias")) {
+                    sslHostConfigCert.setCertificateKeyAlias(connectionProperties.get("certificateKeyAlias"));
+                } else {
+                    //sslHostConfigCert.setCertificateKeyAlias("red5");
+                }
+                // add the ssl host config certificate to the ssl host config
+                sslHostConfig.addCertificate(sslHostConfigCert);
+                // add the ssl host config to the handler
+                handler.addSslHostConfig(sslHostConfig);
+            }
             // set initialized flag
             initialized = true;
         } catch (Throwable t) {

diff --git a/server/src/main/server/conf/jee-container.xml b/server/src/main/server/conf/jee-container.xml
@@ -72,6 +72,7 @@
                         <map>
                             <entry key="port" value="${https.port}" />
                             <entry key="redirectPort" value="${http.port}" />
+
                             <entry key="SSLEnabled" value="true" />
                             <entry key="sslProtocol" value="TLS" />
                             <entry key="keystoreFile" value="${rtmps.keystorefile}" />
@@ -80,9 +81,11 @@
                             <entry key="truststorePass" value="${rtmps.truststorepass}" />
                             <entry key="clientAuth" value="false" />
                             <entry key="allowUnsafeLegacyRenegotiation" value="true" />
+
                             <entry key="maxHttpHeaderSize" value="${http.max_headers_size}"/>
                             <entry key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
                             <entry key="keepAliveTimout" value="-1"/>
+
                             <entry key="useExecutor" value="true"/>
                             <entry key="maxThreads" value="${http.max_threads}"/>
                             <entry key="acceptorThreadCount" value="${http.acceptor_thread_count}"/>

diff --git a/service/pom.xml b/service/pom.xml
@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.red5</groupId>
         <artifactId>red5-parent</artifactId>
-        <version>2.0.9</version>
+        <version>2.0.10</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>red5-service</artifactId>

diff --git a/servlet/pom.xml b/servlet/pom.xml
@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.red5</groupId>
         <artifactId>red5-parent</artifactId>
-        <version>2.0.9</version>
+        <version>2.0.10</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>red5-servlet</artifactId>