Discover the new easier way to develop Kurento video applications

Securing Kurento Applications

[TODO full review]

Starting with Chrome 47, WebRTC is only allowed from SECURE ORIGINS (HTTPS or localhost). Check their release notes for further information about this issue.

Note

Keep in mind that serving your application through HTTPS, forces you to use WebSockets Secure (WSS) if you are using websockets to control your application server.

Securing Application Servers

Configure a Java server to use HTTPS

  • The application needs a certificate in order to enable HTTPS:

    • Request a certificate from a local certification authority.

    • Create an self-signed certificate.

      keytool -genkey -keyalg RSA -alias selfsigned -keystore \
      keystore.jks -storepass password -validity 360 -keysize 2048
      
  • Use the certificate in your application:

    • Include a valid keystore in the jar file:

      File keystore.jks must be in the project’s root path, and a file named application.properties must exist in src/main/resources/, with the following content:

      server.port: 8443
      server.ssl.key-store: keystore.jks
      server.ssl.key-store-password: yourPassword
      server.ssl.keyStoreType: JKS
      server.ssl.keyAlias: yourKeyAlias
      
    • You can also specify the location of the properties file. When launching your Spring-Boot based app, issue the flag -Dspring.config.location=<path-to-properties> .
  • Start application

mvn -U clean spring-boot:run -Dkms.url=ws://kms_host:kms_port/kurento

Note

If you plan on using a webserver as proxy, like Nginx or Apache, you’ll need to setAllowedOrigins when registering the handler. Please read the official Spring documentation entry for more info.

Configure a Node server to use HTTPS

  • The application requires a valid SSL certificate in order to enable HTTPS:

    • Request a certificate from a local certification authority.
    • Create your own self-signed certificate as explained here. This will show you how to create the required files: server.crt, server.key and server.csr.

Add the following changes to server.js in order to enable HTTPS:

...
var express = require('express');
var ws = require('ws');
var fs    = require('fs');
var https = require('https');
...

var options =
{
  key:  fs.readFileSync('key/server.key'),
  cert: fs.readFileSync('keys/server.crt')
};

var app = express();

var server = https.createServer(options, app).listen(port, function() {
...
});
...

var wss = new ws.Server({
 server : server,
 path : '/'
});

wss.on('connection', function(ws) {

....
  • Start application
npm start

Configure Javascript applications to use HTTPS

  • You’ll need to provide a valid SSL certificate in order to enable HTTPS:

    • Request a certificate from a local certification authority.
    • Create your own self-signed certificate as explained here. This will show you how to create the required files: server.crt, server.key and server.csr.
  • Start the application using the certificates:

http-server -p 8443 -S -C keys/server.crt -K keys/server.key

Securing server applications

Configure Kurento Media Server to use Secure WebSocket (WSS)

First, you need to change the configuration file of Kurento Media Server, i.e. /etc/kurento/kurento.conf.json, uncommenting the following lines:

"secure": {
  "port": 8433,
  "certificate": "defaultCertificate.pem",
  "password": ""
},

If this PEM certificate is a signed certificate (by a Certificate Authority such as Verisign), then you are done. If you are going to use a self-signed certificate (suitable for development), then there is still more work to do.

You can generate a self signed certificate by doing this:

certtool --generate-privkey --outfile defaultCertificate.pem
echo 'organization = your organization name' > certtool.tmpl
certtool --generate-self-signed --load-privkey defaultCertificate.pem \
   --template certtool.tmpl >> defaultCertificate.pem
sudo chown kurento defaultCertificate.pem

Due to the fact that the certificate is self-signed, applications will reject it by default. For this reason, you’ll need to force them to accept it.

  • Browser applications: You’ll need to manually accept the certificate as trusted one before secure WebSocket connections can be established. By default, this can be done by connecting to connecting to https://localhost:8433/kurento and accepting the certificate in the browser.
  • Java applications, follow the instructions of this link (get InstallCert.java from here). You’ll need to instruct the KurentoClient needs to be configured to allow the use of certificates. For this purpose, we need to create our own JsonRpcClient:
SslContextFactory sec = new SslContextFactory(true);
sec.setValidateCerts(false);
JsonRpcClientWebSocket rpcClient = new JsonRpcClientWebSocket(uri, sec);
KurentoClient kuretoClient = KurentoClient.createFromJsonRpcClient(rpcClient);
  • Node applications, please take a look to this page.

Second, you have to change the WebSocket URI in your application logic. For instance, in the hello-world application within the tutorials, this would be done as follows:

  • Java: Changing this line in HelloWorldApp.java:

    final static String DEFAULT_KMS_WS_URI = "wss://localhost:8433/kurento";
    
  • Browser JavaScript: Changing this line in index.js:

    const ws_uri = 'wss://' + location.hostname + ':8433/kurento';
    
  • Node.js: Changing this line in server.js:

    const ws_uri = "wss://localhost:8433/kurento";