Direct connections configuration

The following configuration items define how Liberator handles direct connections with clients.

Liberator can accept direct persistent RTTP connections from StreamLink clients via TCP/IP, rather than via HTTP or HTTPS. The client connects to Liberator via a TCP/IP socket, and the Liberator streams data directly to the client across this connection. Direct connections can also use the Secure Sockets Layer (SSL) to provide greater security.

Liberator is supplied with a built-in Config blade called DirectConnection that’s automatically activated when you install the Liberator (see Built-in blades). However, it only provides basic (non-secure) connectivity for direct connections. In the Caplin Platform Deployment Framework release 6.2 and later, Liberator has a built-in Config blade called DirectSSLConnection that implements secure direct connections using the OpenSSL implementation of SSL.

To set up secure direct connections in a production environment, you’ll need to provide the appropriate certificate and key files, and set up or modify some of the direct SSL configuration items that are described on this page.

For details of how to set up and modify both basic and secure direct connections using the DirectConnection and DirectSSLConnection blades, see How can I…​ Configure how Liberator handles direct client connections.

You may also need to set ssl-random-seed, which configures the seeding of the OpenSSL random number generator that the Liberator uses for direct secure and HTTPS connections.

direct-interface

direct-interface specifies the network interfaces that Liberator listens on for direct connection requests.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTINTERFACE to specify Liberator’s direct-interface. See How can I …​ Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: direct-interface <space-separated-list-of-interface-ip-addresses>

Type: array of strings

Default value: [all available network interfaces]

direct-max-line-length

direct-max-line-length specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.

Syntax: direct-max-line-length <max-length-in-bytes>

Type: integer

Default value: 65536

direct-port

direct-port specifies the network port that Liberator listens on for direct connection requests.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTPORT to specify Liberator’s direct-port. See How can I …​ Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: direct-port <network-port>

Type: integer

Default value: 15000

direct-refuse-time

direct-refuse-time specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.

Syntax: direct-refuse-time <time-in-seconds>

Type: float

Default value: 5.0 seconds

direct-tcp-nodelay-off

direct-tcp-nodelay-off specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is FALSE, which means TCP_NODELAY is enabled. Setting this configuration item to TRUE disables TCP_NODELAY.

Syntax: direct-tcp-nodelay-off <boolean>

Type: boolean

Default value: FALSE (TCP_NODELAY is enabled)

directssl-certificate

directssl-certificate specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro SSLCERT_PATH is used to specify the directory path in the Liberator’s directssl-certificate setting. See Configuration macros and items.

The certificate filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.pem. This certificate file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pem file that’s automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: directssl-certificate <PEM-filename-and-path>

Type: string

Default value: cert.pem

The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.

directssl-cipher-list

directssl-cipher-list specifies a colon-separated list of cipher strings. These cipher strings select, in preferred order, the various SSL ciphers (cryptographic algorithms) that Liberator can use for its direct SSL connections with clients. The ciphers are selected from the set available in the version of OpenSSL built into Liberator. The format of the cipher list is as defined for the cipherlist argument of the OpenSSL ciphers tool; for details see the OpenSSL ciphers(1) manual page, which includes a list of the available cipher suite names. At run time, Liberator passes the cipher list as a control string to the OpenSSL function SSL_CTX_set_cipher_list(); this function uses the control string to set up the list of available SSL ciphers.

Syntax: directssl-cipher-list <openSSL-ciphers(1)-cipherlist>

Type: string

Default value: DEFAULT (The default list of OpenSSL ciphers. This may vary according to the version of OpenSSL built into Liberator.)

Example:

directssl-cipher-list HIGH:MEDIUM

directssl-disable-renegotiation

directssl-disable-renegotiation, when set to TRUE, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.

Syntax: directssl-disable-renegotiation <boolean>

Type: boolean

Default value: FALSE (client renegotiation is allowed)

directssl-enable

directssl-enable switches on support for direct connections using SSL when set to TRUE.

Syntax: directssl-enable <boolean>

Type: boolean

Default value: FALSE (Direct connections via SSL not supported)

directssl-interface

directssl-interface specifies the network interfaces to listen on for direct connections using SSL.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE to specify Liberator’s directssl-interface. See How can I …​ Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: directssl-interface <space-separated-list-of-interface-ip-addresses>

Type: array of strings

Default value: [all available network interfaces]

directssl-ssl-options

directssl-ssl-options specifies the levels of the SSL protocol that are supported for direct connections using SSL.

Syntax: directssl-ssl-options <supported-SSL-levels>

Type: string

Default value: SSL_OP_NO_SSLv2

Values accepted:

Value: Meaning

SSL_OP_ALL: All SSL protocol levels are supported.

SSL_OP_NO_SSLv3: The SSLv3 protocol is not supported.

SSL_OP_NO_SSLv2: The SSLv2 protocol is not supported.

SSL_OP_NO_TLSv1: The TLSv1 protocol is not supported.

You can specify multiple values using the | operator, as in this example:

directssl-ssl-options SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv2

SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv2 means that all protocol levels are supported except TLSv1 and SSLv2.
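The defaults on this page leave SSLv3 and client renegotiation enabled once directssl-enable is TRUE, so a review of the effective settings is worth scripting. The following is an added example, not Caplin code: it parses "item value" lines, applies the defaults documented here, and lists what remains exposed. The "#" comment handling, the function names and the sample configuration are assumptions of the example.

```python
# Defaults taken from this page; they apply when an item is absent.
DEFAULTS = {
    "directssl-enable": "FALSE",
    "directssl-ssl-options": "SSL_OP_NO_SSLv2",
    "directssl-disable-renegotiation": "FALSE",
    "directssl-cipher-list": "DEFAULT",
}

def parse_items(config_text):
    """Parse 'item value' lines; assumes '#' starts a comment."""
    items = dict(DEFAULTS)
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            items[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return items

def audit_direct_ssl(config_text):
    """Return findings for the direct SSL items described on this page."""
    items = parse_items(config_text)
    if items["directssl-enable"].upper() != "TRUE":
        return ["directssl-enable is not TRUE: direct SSL is off"]
    findings = []
    options = {o.strip().upper() for o in items["directssl-ssl-options"].split("|")}
    for proto in ("SSLv2", "SSLv3"):
        if f"SSL_OP_NO_{proto}".upper() not in options:
            findings.append(f"{proto} is still accepted (add SSL_OP_NO_{proto})")
    if items["directssl-disable-renegotiation"].upper() != "TRUE":
        findings.append("client renegotiation is allowed")
    if items["directssl-cipher-list"] == "DEFAULT":
        findings.append("cipher list is DEFAULT and varies with the OpenSSL build")
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
directssl-enable TRUE
directssl-port 15001
directssl-ssl-options SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv2   # the example on this page
"""

if __name__ == "__main__":
    for finding in audit_direct_ssl(SAMPLE):
        print("-", finding)
```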

directssl-passwordfile

directssl-passwordfile specifies the filename and directory path of the file containing the SSL certificate passphrase used for direct connections. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro SSLCERT_PATH is used to specify the directory path in the Liberator’s directssl-passwordfile setting. See Configuration macros and items.

The password filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.pwd. This password file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pwd file that’s automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: directssl-passwordfile <password-filename-and-path>

Type: string

Default value: rttpd.directssl.pass

directssl-port

directssl-port specifies the network port that Liberator listens on for direct connection requests using SSL.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLPORT to specify Liberator’s directssl-port. See How can I …​ Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: directssl-port <network-port>

Type: integer

Default value: 15001

directssl-privatekey

directssl-privatekey specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro SSLCERT_PATH is used to specify the directory path in the Liberator’s directssl-privatekey setting. See Configuration macros and items.

The key filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.key. This private key file is shared between HTTPS and Direct SSL connections.

Liberator is supplied with an rttpd_https.key file that’s automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: directssl-privatekey <private-key-filename-and-path>

Type: string

Default value: cert.pem

The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.