ossrs / srs

SRS is a simple, high-efficiency, real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181.
https://ossrs.io
MIT License

Bug: SrsHttpxConn SSL Key&Cert config problem. #4025

Open suzp1984 opened 2 months ago

suzp1984 commented 2 months ago

Describe the bug https://github.com/ossrs/srs/blob/427104f1dab86f5afc7d7b49b02ed27d03ef9346/trunk/src/app/srs_app_http_conn.cpp#L382-L387

SrsHttpxConn can be used as the HTTP API and the HTTP Server, for both plain and SSL connections. For the SSL connection, we can configure the SSL key & cert in this way.

https://github.com/ossrs/srs/blob/427104f1dab86f5afc7d7b49b02ed27d03ef9346/trunk/conf/https.srs.conf#L7-L28

And SrsConfig has APIs to get the key & cert.

https://github.com/ossrs/srs/blob/427104f1dab86f5afc7d7b49b02ed27d03ef9346/trunk/src/app/srs_app_config.hpp#L1052-L1053 https://github.com/ossrs/srs/blob/427104f1dab86f5afc7d7b49b02ed27d03ef9346/trunk/src/app/srs_app_config.hpp#L1074-L1075

But SrsHttpxConn only calls get_https_stream_ssl_cert & get_https_stream_ssl_key, even for the HTTPS API connections.

Version: All SRS versions.

To Reproduce Steps to reproduce the behavior:

  1. Configure the HTTPS API and HTTPS stream with different key & cert pairs.
  2. Boot SRS.

Expected behavior http_api.https.key | cert should be loaded correctly.

Additional context: I found this bug when trying to do #3701, and also found #4024.
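To make the reported mismatch checkable without booting SRS, here is an added example (my own code, not SRS's): a small parser for the brace-nested `name value;` / `name { ... }` syntax of SRS conf files, a resolver that reads each listener's own `https` block, and a second resolver that reproduces the behaviour described above (the stream key/cert loaded for both listeners). The sample config and its file paths are constructed for the example; the `http_api` / `http_server` block names follow the linked https.srs.conf.

```python
"""Added example (not SRS code): parse an SRS-style config and check which
TLS key/cert each HTTPS listener would load."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample, modeled on the nested directive syntax of SRS conf
# files.  The key/cert paths are placeholders, not real files.
SAMPLE_CONF = """
listen              1935;
http_server {
    enabled         on;
    listen          8080;
    https {
        enabled     on;
        listen      8088;
        key         ./conf/stream.key;   # stream pair
        cert        ./conf/stream.crt;
    }
}
http_api {
    enabled         on;
    listen          1985;
    https {
        enabled     on;
        listen      1990;
        key         ./conf/api.key;      # a different pair for the API
        cert        ./conf/api.crt;
    }
}
"""

_TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def parse_conf(text: str) -> dict:
    """Parse `name args... ;` and `name { ... }` directives into nested dicts.

    `#` comments are stripped first.  A single-argument directive maps to a
    string, a multi-argument one to a list, a block to a dict.
    """
    text = re.sub(r"#[^\n]*", "", text)
    tokens = _TOKEN.findall(text)
    pos = 0

    def parse_block() -> dict:
        nonlocal pos
        out: dict = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            pos += 1
            args = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if pos >= len(tokens):
                raise ValueError(f"directive {name!r} is not terminated")
            if tokens[pos] == "{":
                pos += 1
                out[name] = parse_block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError(f"block {name!r} is missing its closing brace")
                pos += 1
            else:
                pos += 1  # consume ';'
                out[name] = args[0] if len(args) == 1 else args
        return out

    result = parse_block()
    if pos != len(tokens):
        raise ValueError("unexpected closing brace at top level")
    return result


@dataclass(frozen=True)
class TlsMaterial:
    key: str
    cert: str


def listener_tls(conf: dict, role: str) -> Optional[TlsMaterial]:
    """Expected behaviour: each listener ('http_api' or 'http_server')
    loads the key/cert from its own https block, or nothing if disabled."""
    https = conf.get(role, {}).get("https", {})
    if https.get("enabled") != "on":
        return None
    return TlsMaterial(key=https["key"], cert=https["cert"])


def listener_tls_as_reported(conf: dict, role: str) -> Optional[TlsMaterial]:
    """Behaviour described in the issue: only the stream (http_server)
    key/cert is consulted, whatever the listener's role."""
    return listener_tls(conf, "http_server")


def audit(conf: dict, resolver: Callable[[dict, str], Optional[TlsMaterial]]) -> List[str]:
    """Return the roles whose loaded material differs from what is configured."""
    return [role for role in ("http_api", "http_server")
            if resolver(conf, role) != listener_tls(conf, role)]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("mismatched listeners with reported behaviour:", audit(conf, listener_tls_as_reported))
    print("mismatched listeners with per-role lookup:   ", audit(conf, listener_tls))
```

The same audit idea works against a live server: `openssl s_client -connect host:1990` versus `host:8088` and compare the certificate subjects; with distinct pairs configured, both ports serving the stream certificate is the symptom this issue reports.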

winlinvip commented 2 months ago

Nice work, your work clearly describes how this bug occurs. You are correct, it's really a bug for the HTTPS API, the get_https_api_ssl_key is not used. Could you please file a pull request to fix this issue?

suzp1984 commented 2 months ago

> Nice work, your work clearly describes how this bug occurs. You are correct, it's really a bug for the HTTPS API, the get_https_api_ssl_key is not used. Could you please file a pull request to fix this issue?

Yes, I will try.

suzp1984 commented 2 months ago

Another problem with the SSL key&cert config is whether to configure the key&cert for the SSL or the SSL_CTX.

https://www.openssl.org/docs/manmaster/man3/SSL_use_certificate_file.html

The SSL is generated from the SSL_CTX. https://github.com/ossrs/srs/blob/5eb802dacac4e685989446e51d0ed5c594f86258/trunk/src/app/srs_app_conn.cpp#L743-L754

In general, an SSL maps to a TCP connection. So each TCP connection can customize its SSL certificate; that's what SRS did. https://github.com/ossrs/srs/blob/5eb802dacac4e685989446e51d0ed5c594f86258/trunk/src/app/srs_app_conn.cpp#L775-L779

But it's overkill. The TCP connections that share the same listen port on the server side have the same SSL key&cert; that's the usual case. So the more general solution is to configure the key&cert for an SSL_CTX, via the APIs SSL_CTX_use_certificate_chain_file & SSL_CTX_use_PrivateKey_file, and share this SSL_CTX for all the SrsTcpConnections generated from the same SrsTcpListener.