Open suzp1984 opened 2 months ago
Nice work, your work clearly describes how this bug occurs. You are correct, it's really a bug for HTTPS API, the get_https_api_ssl_key is not used. Could you please file a pull request to fix this issue?
yes, I will try.
Another problem of SSL Key&Cert config is that to config the key&cert for SSL or SSL_CTX.
https://www.openssl.org/docs/manmaster/man3/SSL_use_certificate_file.html
The SSL is generated from SSL_CTX.
https://github.com/ossrs/srs/blob/5eb802dacac4e685989446e51d0ed5c594f86258/trunk/src/app/srs_app_conn.cpp#L743-L754
In general, an SSL maps to a TCP connection. So each TCP connection can customize its SSL certificate; that's what SRS did. https://github.com/ossrs/srs/blob/5eb802dacac4e685989446e51d0ed5c594f86258/trunk/src/app/srs_app_conn.cpp#L775-L779
But it's overkill. The TCP connections that share the same listen port on the server side have the same SSL key & cert; that's the usual case.
So the more general solution is to config the key & cert for an SSL_CTX, by the APIs SSL_CTX_use_certificate_chain_file & SSL_CTX_use_PrivateKey_file, and share this SSL_CTX for all the SrsTcpConnections generated from the same SrsTcpListener.
Describe the bug https://github.com/ossrs/srs/blob/427104f1dab86f5afc7d7b49b02ed27d03ef9346/trunk/src/app/srs_app_http_conn.cpp#L382-L387
SrsHttpxConn can be used as HTTP API and HTTP Server, for both plain and SSL connections. For the SSL connection, we can config the SSL key & cert in this way. https://github.com/ossrs/srs/blob/427104f1dab86f5afc7d7b49b02ed27d03ef9346/trunk/conf/https.srs.conf#L7-L28
And SrsConfig has APIs to get the key & cert. https://github.com/ossrs/srs/blob/427104f1dab86f5afc7d7b49b02ed27d03ef9346/trunk/src/app/srs_app_config.hpp#L1052-L1053 https://github.com/ossrs/srs/blob/427104f1dab86f5afc7d7b49b02ed27d03ef9346/trunk/src/app/srs_app_config.hpp#L1074-L1075
But SrsHttpxConn only calls get_https_stream_ssl_cert & get_https_stream_ssl_key, even for the HTTPS API connections.
Version All SRS versions.
To Reproduce Steps to reproduce the behavior:
Expected behavior http_api.https.key | cert should be loaded correctly.
Additional context I found this bug, and also #4024, when trying to do #3701.
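Added example, not SRS source and not written by anyone in this thread: a small C++ model of the two points raised above, the role-blind key/cert selection reported in the issue and the proposal to load one context per listener and share it across that listener's connections. TlsContext is a stand-in for OpenSSL's SSL_CTX; the Role, Credentials, Config and Listener names and the file paths are constructed for illustration.

```cpp
#include <memory>
#include <string>

enum class Role { HttpsApi, HttpsStream };

struct Credentials { std::string key, cert; };

// Constructed sample values standing in for the http_api.https and
// HTTP server https key/cert settings.
struct Config {
    Credentials api{"./conf/api.key", "./conf/api.crt"};
    Credentials stream{"./conf/stream.key", "./conf/stream.crt"};
};

// Behaviour described in the issue: the role is ignored, so HTTPS API
// connections are served with the stream key/cert.
Credentials select_buggy(const Config& c, Role) { return c.stream; }

// Role-aware selection: each listener type gets its own configured pair.
Credentials select_fixed(const Config& c, Role r) {
    return r == Role::HttpsApi ? c.api : c.stream;
}

// Stand-in for SSL_CTX (assumption: no OpenSSL is linked in this model).
struct TlsContext { Credentials creds; };

int g_loads = 0;  // how many times key/cert files would be read from disk

std::shared_ptr<TlsContext> load_context(const Credentials& cr) {
    // Real code would call SSL_CTX_use_certificate_chain_file and
    // SSL_CTX_use_PrivateKey_file on a fresh SSL_CTX here.
    ++g_loads;
    return std::make_shared<TlsContext>(TlsContext{cr});
}

// One context per listener, loaded once; every accepted connection shares it.
class Listener {
public:
    Listener(const Config& c, Role r) : ctx_(load_context(select_fixed(c, r))) {}
    std::shared_ptr<TlsContext> accept() const { return ctx_; }
private:
    std::shared_ptr<TlsContext> ctx_;
};
```
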