# Direct connections configuration

The following configuration items define how Liberator handles direct connections with clients.

Liberator can accept direct persistent RTTP connections from StreamLink clients via TCP/IP, rather than via HTTP or HTTPS. The client connects to Liberator via a TCP/IP socket, and the Liberator streams data directly to the client across this connection. Direct connections can also use the Secure Sockets Layer (SSL) to provide greater security.

Liberator is supplied with a built-in Config blade called DirectConnection that’s automatically activated when you install Liberator (see Built-in blades). However, it only provides basic (non-secure) connectivity for direct connections. In the Caplin Platform Deployment Framework release 6.2 and later, Liberator has a built-in Config blade called DirectSSLConnection that implements secure direct connections using the OpenSSL implementation of SSL. To set up secure direct connections in a production environment, you’ll need to provide the appropriate certificate and key files, and set up or modify some of the direct SSL configuration items that are described on this page. For details of how to set up and modify both basic and secure direct connections using the DirectConnection and DirectSSLConnection blades, see How can I … Configure how Liberator handles direct client connections.

You may also need to set `ssl-random-seed`, which configures the seeding of the OpenSSL random number generator that Liberator uses for direct secure and HTTPS connections.

## direct-interface

`direct-interface` specifies the network interfaces that Liberator listens on for direct connection requests.

In the Caplin Platform Deployment Framework, you use a configuration macro `LIBERATOR${THIS_LEG}_DIRECTINTERFACE` to specify Liberator’s `direct-interface`. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: `direct-interface <space-separated-list-of-interface-ip-addresses>`

Type: array of strings

Default value: [all available network interfaces]

## direct-max-line-length

`direct-max-line-length` specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.

Syntax: `direct-max-line-length <max-length-in-bytes>`

Type: integer

Default value: `65536`

## direct-port

`direct-port` specifies the network port that Liberator listens on for direct connection requests.

In the Caplin Platform Deployment Framework, you use a configuration macro `LIBERATOR${THIS_LEG}_DIRECTPORT` to specify Liberator’s `direct-port`. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: `direct-port <network-port>`

Type: integer

Default value: `15000`

## direct-refuse-time

`direct-refuse-time` specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.

Syntax: `direct-refuse-time <time-in-seconds>`

Type: float

Default value: `5.0` seconds

## direct-tcp-nodelay-off

`direct-tcp-nodelay-off` specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is `FALSE`, which means TCP_NODELAY is enabled. Setting this configuration item to `TRUE` disables TCP_NODELAY.

Syntax: `direct-tcp-nodelay-off <boolean>`

Type: boolean

Default value: `FALSE` (TCP_NODELAY is enabled)

## directssl-certificate

`directssl-certificate` specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

 In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `directssl-certificate` setting. See Configuration macros and items. The certificate filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.pem. This certificate file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pem file that’s automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `directssl-certificate <PEM-filename-and-path>`

Type: string

Default value: `cert.pem`

The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.

## directssl-cipher-list

`directssl-cipher-list` specifies a colon-separated list of cipher strings. These cipher strings select, in preferred order, the various SSL ciphers (cryptographic algorithms) that Liberator can use for its direct SSL connections with clients. The ciphers are selected from the set available in the version of OpenSSL built into Liberator. The format of the cipher list is as defined for the `cipherlist` argument of the OpenSSL `ciphers` tool; for details see the OpenSSL 1.0.2 ciphers(1) manual page, which includes a list of the available cipher suite names. At run time, Liberator passes the cipher list as a control string to the OpenSSL 1.0.2 function `SSL_CTX_set_cipher_list()`; this function uses the control string to set up the list of available SSL ciphers.

Syntax: `directssl-cipher-list <openSSL-ciphers(1)-cipherlist>`

Type: string

Default value: `DEFAULT` (The default list of OpenSSL ciphers. This may vary according to the version of OpenSSL built into Liberator.)

Example:

`directssl-cipher-list HIGH:MEDIUM`

## directssl-disable-renegotiation

`directssl-disable-renegotiation`, when set to `TRUE`, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.

Syntax: `directssl-disable-renegotiation <boolean>`

Type: boolean

Default value: `FALSE` (client renegotiation is allowed)

## directssl-enable

`directssl-enable` switches on support for direct connections using SSL when set to `TRUE`.

Syntax: `directssl-enable <boolean>`

Type: boolean

Default value: `FALSE` (Direct connections via SSL not supported)

## directssl-interface

`directssl-interface` specifies the network interfaces to listen on for direct connections using SSL.

In the Caplin Platform Deployment Framework, you use a configuration macro `LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE` to specify Liberator’s `directssl-interface`. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: `directssl-interface <space-separated-list-of-interface-ip-addresses>`

Type: array of strings

Default value: [all available network interfaces]

## directssl-ssl-options

`directssl-ssl-options` specifies the levels of the SSL protocol that are supported for direct connections using SSL.

Syntax: `directssl-ssl-options <supported-SSL-levels>`

Type: string

Default value: `SSL_OP_NO_SSLv2`

Values accepted:

| Value | Meaning |
| --- | --- |
| `SSL_OP_ALL` | All SSL protocol levels are supported. |
| `SSL_OP_NO_SSLv3` | The SSLv3 protocol is not supported. |
| `SSL_OP_NO_SSLv2` | The SSLv2 protocol is not supported. |
| `SSL_OP_NO_TLSv1` | The TLSv1 protocol is not supported. |

You can specify multiple values using the `|` operator, as in this example:

`directssl-ssl-options SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv2`

`SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv2` means that all protocol levels are supported except TLSv1 and SSLv2.

## directssl-passwordfile

`directssl-passwordfile` specifies the filename and directory path of the file containing the SSL certificate passphrase used for direct connections. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `directssl-passwordfile` setting. See Configuration macros and items. The password filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.pwd. This password file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pwd file that’s automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `directssl-passwordfile <password-filename-and-path>`

Type: string

Default value: `rttpd.directssl.pass`

## directssl-port

`directssl-port` specifies the network port that Liberator listens on for direct connection requests using SSL.

In the Caplin Platform Deployment Framework, you use a configuration macro `LIBERATOR${THIS_LEG}_DIRECTSSLPORT` to specify Liberator’s `directssl-port`. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: `directssl-port <network-port>`

Type: integer

Default value: `15001`

## directssl-privatekey

`directssl-privatekey` specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `directssl-privatekey` setting. See Configuration macros and items. The key filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.key. This private key file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.key file that’s automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `directssl-privatekey <private-key-filename-and-path>`

Type: string

Default value: `cert.pem`

The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.
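
The check below is an added example, not Caplin code: it reads Liberator configuration text and reports direct SSL items left at the weaker settings documented on this page (SSLv3 still allowed, renegotiation allowed, a cipher list that is unpinned or admits weak classes). The `item value` line format with `#` comments, the function names and both sample configurations are assumptions constructed for illustration.

```python
# Assumed file syntax: one "item value" per line, "#" starts a comment.
DEFAULTS = {  # default values as documented on this page
    "directssl-enable": "FALSE",
    "directssl-ssl-options": "SSL_OP_NO_SSLv2",
    "directssl-disable-renegotiation": "FALSE",
    "directssl-cipher-list": "DEFAULT",
}
# OpenSSL ciphers(1) keywords that admit weak or unauthenticated suites.
WEAK_CIPHER_WORDS = {"ALL", "MEDIUM", "LOW", "EXPORT", "EXP", "NULL",
                     "ENULL", "ANULL", "RC4", "DES", "MD5"}

def parse_items(text):
    items = dict(DEFAULTS)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            items[fields[0]] = fields[1].strip()
    return items

def audit(text):
    cfg, findings = parse_items(text), []
    if cfg["directssl-enable"].upper() != "TRUE":
        return ["directssl-enable is not TRUE: direct connections are unencrypted"]
    opts = {o.strip().upper() for o in cfg["directssl-ssl-options"].split("|")}
    for proto in ("SSLv2", "SSLv3"):
        if "SSL_OP_NO_" + proto.upper() not in opts:
            findings.append(f"directssl-ssl-options leaves {proto} enabled")
    if cfg["directssl-disable-renegotiation"].upper() != "TRUE":
        findings.append("directssl-disable-renegotiation is FALSE: "
                        "client renegotiation allowed")
    for word in cfg["directssl-cipher-list"].split(":"):
        if word.upper() == "DEFAULT":
            findings.append("directssl-cipher-list DEFAULT varies with the "
                            "OpenSSL build; pin an explicit list")
        elif word[:1] not in "!-" and word.upper() in WEAK_CIPHER_WORDS:
            findings.append(f"directssl-cipher-list admits {word}")
    return findings

# Constructed sample configurations (not taken from a real deployment).
WEAK = "directssl-enable TRUE\ndirectssl-cipher-list HIGH:MEDIUM\n"
HARDENED = """directssl-enable TRUE
directssl-ssl-options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
directssl-disable-renegotiation TRUE
directssl-cipher-list HIGH:!aNULL:!MD5
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

Items absent from the text are evaluated at their documented defaults, so a file that only sets `directssl-enable TRUE` is still reported for SSLv3, renegotiation and the `DEFAULT` cipher list.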