# Direct connections configuration

The following configuration items define how Liberator handles direct connections with clients.

Liberator can accept direct persistent RTTP connections from StreamLink clients via TCP/IP, rather than via HTTP or HTTPS. The client connects to Liberator via a TCP/IP socket, and the Liberator streams data directly to the client across this connection. Direct connections can also use the Secure Sockets Layer (SSL) to provide greater security.

Liberator is supplied with a built-in Config blade called DirectConnection that is automatically activated when you install the Liberator (see Built-in blades). However, it only provides basic (non-secure) connectivity for direct connections. In the Caplin Platform Deployment Framework release 6.2 and later, Liberator has a built-in Config blade called DirectSSLConnection that implements secure direct connections using the OpenSSL implementation of SSL. To set up secure direct connections in a production environment, you’ll need to provide the appropriate certificate and key files, and set up or modify some of the direct SSL configuration items that are described on this page. For details of how to set up and modify both basic and secure direct connections using the DirectConnection and DirectSSLConnection blades, see How can I… Configure how Liberator handles direct client connections.

You may also need to set ssl-random-seed, which configures the seeding of the OpenSSL random number generator that the Liberator uses for direct secure and HTTPS connections.

## direct-interface

`direct-interface` specifies the network interfaces that Liberator listens on for direct connection requests.

This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.

Wildcard support:

| Configuration | Liberator 6.2 | Liberator 7.0 |
|---|---|---|
| `direct-interface` | Default. A single IPv4 server socket that listens on all IPv4 interface addresses. | Default. A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses. |
| `direct-interface *` | A single IPv4 server socket that listens on all IPv4 interface addresses. | A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses. |
| `direct-interface 0.0.0.0` | A single IPv4 server socket that listens on all IPv4 interface addresses. | A single IPv4 server socket that listens on all IPv4 interface addresses. |
| `direct-interface ::` | Not supported | A single IPv6 server socket that listens on all IPv6 interface addresses. |
| `direct-interface 0.0.0.0 ::` | Not supported | A single IPv4 server socket that listens on all IPv4 interface addresses, and a single IPv6 server socket that listens on all IPv6 interface addresses. Supported from Liberator 7.0.2. |
| `direct-interface :: 0.0.0.0` | Not supported | A single IPv6 server socket that listens on all IPv6 interface addresses, and a single IPv4 server socket that listens on all IPv4 interface addresses. Supported from Liberator 7.0.2. |

In the Caplin Platform Deployment Framework, you use a configuration macro `LIBERATOR${THIS_LEG}_DIRECTINTERFACE` to specify Liberator’s `direct-interface`. See How can I… Configure how Liberator handles direct client connections and Configuration macros and items.

Macros cannot be assigned more than one value. To create more than one direct interface, assign one address to the macro and assign all additional addresses to new `direct-interface` configuration items in the configuration override file `/global_config/overrides/servers/Liberator/etc/rttpd.conf`.

Syntax: `direct-interface <space-separated-list-of-interface-ip-addresses>`

Type: array of strings

Default value: [all available network interfaces]

## direct-max-line-length

`direct-max-line-length` specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.

Syntax: `direct-max-line-length <max-length-in-bytes>`

Type: integer

Default value: `65536`

## direct-port

`direct-port` specifies the network port that Liberator listens on for direct connection requests.

In the Caplin Platform Deployment Framework, you use a configuration macro `LIBERATOR${THIS_LEG}_DIRECTPORT` to specify Liberator’s `direct-port`. See How can I… Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: `direct-port <network-port>`

Type: integer

Default value: `15000`

## direct-refuse-time

`direct-refuse-time` specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.

Syntax: `direct-refuse-time <time-in-seconds>`

Type: float

Default value: `5.0` seconds

## direct-tcp-nodelay-off

`direct-tcp-nodelay-off` specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is `FALSE`, which means TCP_NODELAY is enabled. Setting this configuration item to `TRUE` disables TCP_NODELAY.

Syntax: `direct-tcp-nodelay-off <boolean>`

Type: boolean

Default value: `FALSE` (TCP_NODELAY is enabled)

## directssl-certificate

`directssl-certificate` specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `directssl-certificate` setting. See Configuration macros and items. The certificate filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.pem. This certificate file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pem file that is automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `directssl-certificate <PEM-filename-and-path>`

Type: string

Default value: `cert.pem`

The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.

## directssl-cipher-list

`directssl-cipher-list` specifies a colon separated list of cipher strings. These cipher strings select, in preferred order, the various SSL ciphers (cryptographic algorithms) that Liberator can use for its direct SSL connections with clients. The ciphers are selected from the set available in the version of OpenSSL built into Liberator. The format of the cipher list is as defined for the `cipherlist` argument of the OpenSSL `ciphers` tool; for details see the OpenSSL ciphers(1) manual page, which includes a list of the available cipher suite names. At run time, Liberator passes the cipher list as a control string to the OpenSSL function `SSL_CTX_set_cipher_list()`; this function uses the control string to set up the list of available SSL ciphers.

You should regularly review your cipher list under guidance from security professionals.

In Liberator 7, the protocols SSLv2, SSLv3, and TLSv1 are disabled by default. This configuration is not compatible with older client libraries that don’t support TLSv1.1 and TLSv1.2, for example the .NET Framework v4.0. To re-enable TLSv1 in Liberator 7, set the value for `directssl-ssl-options` to `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3`, and check that the value of `directssl-cipher-list` contains ciphers from the TLSv1 cipher suite.

Syntax: `directssl-cipher-list <openSSL-ciphers(1)-cipherlist>`

Type: string

Default value (Liberator 6): `DEFAULT`

Default value (Liberator 7): `DEFAULT:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA`

Example:

`directssl-cipher-list HIGH+TLSv1.2:!RC4:!DES:!3DES:!MD5:!aNULL:!eNULL:!NULL`

## directssl-dhparams

`directssl-dhparams` specifies the path to a Diffie-Hellman parameter file, which is required by ciphers that support forward secrecy (FS).

For instructions on how to generate a DH parameter file, see Additional requirements for ciphers that support forward secrecy.

Availability: Liberator 6.2.14+, Liberator 7.0.1+

Syntax: `directssl-dhparams <filepath>`

Type: string

Default value: <empty string>

Example:

`directssl-dhparams ${SSLCERT_PATH}/rttpd-dhparam-2048.pem`

## directssl-disable-renegotiation

`directssl-disable-renegotiation`, when set to `TRUE`, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.

Syntax: `directssl-disable-renegotiation <boolean>`

Type: boolean

Default value: `FALSE` (client renegotiation is allowed)

## directssl-enable

`directssl-enable` switches on support for direct connections using SSL when set to `TRUE`.

Syntax: `directssl-enable <boolean>`

Type: boolean

Default value: `FALSE` (direct connections via SSL not supported)

## directssl-interface

`directssl-interface` specifies the network interfaces to listen on for direct connections using SSL.

In the Caplin Platform Deployment Framework, you use a configuration macro `LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE` to specify Liberator’s `directssl-interface`. See How can I… Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: `directssl-interface <space-separated-list-of-interface-ip-addresses>`

Type: array of strings

Default value: [all available network interfaces]

## directssl-ssl-options

`directssl-ssl-options` changes the protocols accepted by the OpenSSL library packaged with Liberator. Use `directssl-ssl-options` to disable support for older versions of SSL, and to enable workarounds for known bugs in client implementations of SSL.

In Liberator 7, the protocols SSLv2, SSLv3, and TLSv1 are disabled by default. This configuration is not compatible with older client libraries that don’t support TLSv1.1 and TLSv1.2, for example the .NET Framework v4.0. To re-enable TLSv1 in Liberator 7, set the value for `directssl-ssl-options` to `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3`, and check that the value of `directssl-cipher-list` contains ciphers from the TLSv1 cipher suite.

Syntax: `directssl-ssl-options <supported-SSL-levels>`

Type: string

Default value (Liberator 6): `SSL_OP_NO_SSLv2`

Default value (Liberator 7): `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1`

Values accepted:

VALUE MEANING

`SSL_OP_ALL`

Enable all of OpenSSL’s workarounds for known bugs in client implementations of SSL. For the full list of workarounds enabled by this option, see SSL_CTX_set_options on the OpenSSL website.

`SSL_OP_NO_SSLv3`

Disable support for SSLv3.

`SSL_OP_NO_SSLv2`

Disable support for SSLv2.

`SSL_OP_NO_TLSv1`

Disable support for TLSv1.

`SSL_OP_NO_TLSv1_1`

Disable support for TLSv1.1.

`SSL_OP_NO_TLSv1_2`

Disable support for TLSv1.2.

You can specify multiple values using the `|` operator. In the example below, support for SSLv2, SSLv3, and TLSv1 has been disabled:

`directssl-ssl-options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1`
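A way to sanity-check a `directssl-cipher-list` string and a `directssl-ssl-options` value before deploying them, as an added Python example that is not Liberator code or part of this page: the cipher string is fed to the OpenSSL linked into Python's `ssl` module, which applies the same cipherlist grammar as `SSL_CTX_set_cipher_list()`, so the suites it resolves to reflect that OpenSSL build rather than the one built into Liberator. The option names are the ones listed above; the protocol table and the weak-cipher keywords are the example's own assumptions.

```python
import ssl

# Protocol versions directssl-ssl-options can switch off, in negotiation
# order (this table is the example's own, matching the values listed above).
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]
KNOWN_OPTIONS = {"SSL_OP_ALL"} | {f"SSL_OP_NO_{p}" for p in PROTOCOLS}
# Substrings this example treats as marking a weak or unauthenticated suite.
WEAK = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

def parse_ssl_options(value):
    """Split 'SSL_OP_X|SSL_OP_Y' into a set; reject unknown option names."""
    opts = {tok.strip() for tok in value.split("|") if tok.strip()}
    unknown = opts - KNOWN_OPTIONS
    if unknown:
        raise ValueError(f"unknown SSL option(s): {sorted(unknown)}")
    return opts

def enabled_protocols(value):
    """Protocol versions still accepted once the SSL_OP_NO_* options apply."""
    opts = parse_ssl_options(value)
    return [p for p in PROTOCOLS if f"SSL_OP_NO_{p}" not in opts]

def expand_cipher_list(cipher_list):
    """Resolve a directssl-cipher-list string to concrete TLS <= 1.2 suites,
    using the OpenSSL linked into Python's ssl module (same cipherlist grammar
    as SSL_CTX_set_cipher_list(); TLS 1.3 suites are configured separately
    in OpenSSL and are dropped here). A malformed string raises ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def is_valid_cipher_list(cipher_list):
    """True when OpenSSL accepts the string and at least one suite remains."""
    try:
        return bool(expand_cipher_list(cipher_list))
    except ssl.SSLError:
        return False

def weak_ciphers(cipher_list):
    """Suites in the expanded list whose name contains a WEAK keyword."""
    return [n for n in expand_cipher_list(cipher_list)
            if any(w in n.upper() for w in WEAK)]

if __name__ == "__main__":
    # The page's Liberator 7 default options and its cipher-list example.
    print(enabled_protocols("SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1"))
    print(weak_ciphers("HIGH+TLSv1.2:!RC4:!DES:!3DES:!MD5:!aNULL:!eNULL:!NULL"))
```

Run it against the `directssl-cipher-list` example above and `weak_ciphers()` returns an empty list, while the Liberator 6 default `DEFAULT` may still resolve to suites that match the weak keywords on older OpenSSL builds.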

## directssl-passwordfile

`directssl-passwordfile` specifies the filename and directory path of the file containing the SSL certificate passphrase used for direct connections. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `directssl-passwordfile` setting. See Configuration macros and items. The password filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.pwd. This password file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pwd file that is automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `directssl-passwordfile <password-filename-and-path>`

Type: string

Default value: `rttpd.directssl.pass`

## directssl-port

`directssl-port` specifies the network port that Liberator listens on for direct connection requests using SSL.

In the Caplin Platform Deployment Framework, you use a configuration macro `LIBERATOR${THIS_LEG}_DIRECTSSLPORT` to specify Liberator’s `directssl-port`. See How can I… Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: `directssl-port <network-port>`

Type: integer

Default value: `15001`

## directssl-privatekey

`directssl-privatekey` specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `directssl-privatekey` setting. See Configuration macros and items. The key filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.key. This private key file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.key file that is automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `directssl-privatekey <private-key-filename-and-path>`

Type: string

Default value: `cert.pem`

The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.