ossrs / srs

SRS is a simple, high-efficiency, real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181.
https://ossrs.io
MIT License

Supporting EC SSL Crypto #3802

Closed agg23 closed 3 months ago

agg23 commented 9 months ago

Note: Please read the FAQ before filing an issue, see #2716

Description

Please describe your issue here

  1. SRS Version: 6.0.72

  2. SRS Log:

[2023-09-15 23:19:59.878][ERROR][1][6028y584][2] serve error code=4045(HttpsSslFile)(Failed to load SSL key or crt file for HTTPS) : start : handshake : use cert ./conf/watch.crt
thread [1][6028y584]: do_cycle() [./src/app/srs_app_http_conn.cpp:155][errno=2]
thread [1][6028y584]: on_start() [./src/app/srs_app_http_conn.cpp:388][errno=2]
thread [1][6028y584]: handshake() [./src/app/srs_app_conn.cpp:776][errno=2](No such file or directory)
  3. SRS Config:
listen              1935;
max_connections     1000;
daemon              off;
srs_log_tank        console;

http_server {
    enabled         on;
    listen          8080;
    dir             ./objs/nginx/html;
    https {
        enabled on;
        listen 8088;
        key ./conf/watch.key;
        cert ./conf/watch.crt;
    }
}

http_api {
    enabled         on;
    listen          1985;
    https {
        enabled on;
        listen 1986;
        key ./conf/watch.key;
        cert ./conf/watch.crt;
    }
}
stats {
    network         0;
}
rtc_server {
    enabled on;
    listen 8000; # UDP port
    # @see https://ossrs.net/lts/zh-cn/docs/v4/doc/webrtc#config-candidate
    candidate $CANDIDATE;
}

vhost __defaultVhost__ {
    rtc {
        enabled     on;
        # @see https://ossrs.net/lts/zh-cn/docs/v4/doc/webrtc#rtmp-to-rtc
        rtmp_to_rtc on;
    }
}

Replay

Please describe how to replay the bug.

Step 1: Create an elliptic curve SSL cert (Let's Encrypt works for this)
Step 2: Provide that to SRS
Step 3: Hit an HTTPS endpoint

Expect

Expect the server to be able to apply encryption to WebRTC streams using Let's Encrypt and elliptic curve cryptography. It appears the server is hardcoded to only accept RSA:

https://github.com/ossrs/srs/blob/develop/trunk/src/app/srs_app_conn.cpp#L779-L781

hskent commented 9 months ago

Got same issue with 5.0.176, this is my temporary solution. I obtained a certificate with the parameter "--key-type rsa" in Certbot, and it works well.
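The error quoted in the report says "No such file or directory" even though the files exist, so the first thing worth knowing before pointing SRS at a certificate is which algorithm the private key actually uses. The following is an added pre-flight check written for this thread; it is not code from SRS or from either commenter. It identifies the key type of a PEM private key without OpenSSL, by reading the legacy PEM label (`RSA PRIVATE KEY`, `EC PRIVATE KEY`) or, for PKCS#8 `PRIVATE KEY` blocks as Certbot writes them, walking just enough DER to pull the AlgorithmIdentifier OID. The helper `loads_in_rsa_only_srs` is an assumption that mirrors what this thread reports for 6.0.72 and 5.0.176 (only RSA keys load); the sample DER blobs are constructed wrappers around a dummy 4-byte OCTET STRING, not real keys.

```python
"""Identify the algorithm of a PEM-encoded private key without OpenSSL.

Added example, not SRS project code. Checks a key before it is handed to
an SRS build that only loads RSA keys (per this issue), so the misleading
"Failed to load SSL key or crt file" error is caught earlier.
"""
import base64
import re
import sys

# Well-known AlgorithmIdentifier OIDs
OID_NAMES = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}

# Legacy (PKCS#1 / SEC1) PEM labels name the algorithm directly
LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "EC"}

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER TLV at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode DER OID content octets into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pkcs8_algorithm_oid(der: bytes) -> str:
    """Extract the algorithm OID from a PKCS#8 PrivateKeyInfo.

    PrivateKeyInfo ::= SEQUENCE { version INTEGER,
                                  privateKeyAlgorithm AlgorithmIdentifier,
                                  privateKey OCTET STRING, ... }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, _, end = _read_tlv(der, start)        # version INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, alg_start, _ = _read_tlv(der, end)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def private_key_type(pem: str) -> str:
    """Return 'RSA', 'EC', 'Ed25519', 'Ed448', 'encrypted' or 'unknown'."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label in LEGACY_LABELS:
        return LEGACY_LABELS[label]
    if label == "PRIVATE KEY":
        der = base64.b64decode("".join(body.split()))
        return OID_NAMES.get(pkcs8_algorithm_oid(der), "unknown")
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted"
    raise ValueError(f"not a private key PEM block: {label}")


def loads_in_rsa_only_srs(pem: str) -> bool:
    """Assumption mirroring this issue: only RSA keys load in 6.0.72/5.0.176."""
    return private_key_type(pem) == "RSA"


def to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block (used here to build the samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples (not real keys): PKCS#8 with a dummy OCTET STRING.
EC_P256_PKCS8_DER = bytes.fromhex(
    "301e020100301306072a8648ce3d020106082a8648ce3d0301070404deadbeef")
RSA_PKCS8_DER = bytes.fromhex(
    "3018020100300d06092a864886f70d01010105000404deadbeef")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    pem = open(path).read() if path else to_pem("PRIVATE KEY", EC_P256_PKCS8_DER)
    print("key type:", private_key_type(pem),
          "| RSA-only SRS can load it:", loads_in_rsa_only_srs(pem))
```

Run it as `python keytype.py /path/to/watch.key`; a result of `EC` with the SRS versions named in this thread is the case hskent worked around with `--key-type rsa`.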