Direct connections configuration

direct-interface specifies the network interfaces that Liberator listens on for direct connection requests.

This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.

Syntax: direct-interface <interface address> …​

Type: array of strings

Default value: [all available network interfaces]

direct-max-line-length specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.

Syntax: direct-max-line-length <max-length-in-bytes>

Type: integer

Default value: 65536

direct-port specifies the network port that Liberator listens on for direct connection requests.

Syntax: direct-port <network-port>

Type: integer

Default value: 15000

direct-refuse-time specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.

Syntax: direct-refuse-time <time-in-seconds>

Type: float

Default value: 5.0 seconds

direct-tcp-nodelay-off specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is FALSE, which means TCP_NODELAY is enabled. Setting this configuration item to TRUE disables TCP_NODELAY.

Syntax: direct-tcp-nodelay-off <boolean>

Type: boolean

Default value: FALSE (TCP_NODELAY is enabled)

directssl-certificate specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

For more information on setting directssl-certificate, see Installing keys and certificates.

The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.

Syntax: directssl-certificate <PEM-filename-and-path>

Type: string

Default value: cert.pem

directssl-cipher-list specifies the TLS ciphers supported by Liberator’s Direct SSL interface, formatted as an OpenSSL cipher list.

The order of ciphers in directssl-cipher-list does not influence Liberator’s choice of cipher for a TLS connection. In accordance with the TLS specification, given a choice of mutually-supported ciphers for a TLS connection, Liberator chooses the client’s most preferred cipher. To log the cipher lists of connecting clients, see directssl-log-hello-ciphers.

Configure this item in conjunction with directssl-ssl-options (SSL/TLS protocol versions) and directssl-dhparams (required for DHE ciphers).

For detailed information on how to set SSL/TLS protocols and ciphers for Liberator’s direct SSL interface, see Configuring support for SSL/TLS protocols and ciphers.

Syntax: directssl-cipher-list <openssl_cipher_list>

Type: string

Default:

Examples: See Example TLS protocol and cipher configuration.

directssl-dhparams specifies the path to a Diffie-Hellman parameter file, which is required by ephemeral Diffie-Hellman ciphers (DHE).

Configure this item in conjunction with directssl-ssl-options (SSL/TLS protocol versions) and directssl-cipher-list (SSL/TLS ciphers).

For instructions on how to generate a Diffie-Helmman (DH) parameters file, see Generating a Diffie-Hellman parameters file for DHE ciphers.

Availability: Liberator 6.2.14+, Liberator 7.0.1+

Syntax: directssl-dhparams <filepath>

Type: string

Default value: <empty string>

Example:

directssl-disable-renegotiation when set to TRUE, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.

Syntax: directssl-disable-renegotiation <boolean>

Type: boolean

Default value: FALSE (client renegotiation is allowed)

directssl-enable switches on support for direct connections using SSL when set to TRUE.

Syntax: directssl-enable <boolean>

Type: boolean

Default value: FALSE (Direct connections via SSL not supported)

directssl-interface specifies the network interfaces to listen on for direct connections using SSL.

For a Liberator deployed within a Caplin Deployment Framework, directssl-interface is normally set indirectly by specifying a value for the Deployment Framework configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE. Only one HTTPS interface can be specified in the variable; to add extra interfaces, append new directssl-interface items to the configuration override file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf.

This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.

Syntax: directssl-interface <ip-addresses> …​

Type: array of strings

Default value: [all available network interfaces]

Enables logging of the cipher list presented by TLS clients in the TLS handshake with Liberator.

Client cipher lists for successful connections are logged at DEBUG level. Client cipher lists for unsuccessful connections are logged at INFO level.

This is an option for debugging purposes only. We don’t recommend that it is permanently enabled in production environments, and it should be disabled as soon as the investigation is complete.

Since: Liberator 7.1.23

Syntax: directssl-log-hello-ciphers <boolean>

Type: boolean

Default value: FALSE

directssl-ssl-options configures the SSL/TLS protocols accepted by Liberator’s direct SSL interface.

Configure this item in conjunction with directssl-cipher-list (SSL/TLS ciphers) and directssl-dhparams (required for DHE ciphers).

Use directssl-ssl-options to disable support for older versions of SSL, and to enable workarounds for known bugs in client implementations of SSL.

This configuration item takes one parameter: a pipe-separated list of OpenSSL options from the table below.

For a detailed information on how to set SSL/TLS protocols and ciphers for Liberator’s direct SSL interface, see Configuring support for SSL/TLS protocols and ciphers.

Syntax: directssl-ssl-options <option>[|<option>]…​

Type: string

Default value:

Examples: See Example TLS protocol and cipher configuration

directssl-passwordfile specifies the filename and directory path of the file containing the passphrase for the encrypted SSL/TLS key used for direct connections. The directory path is optional and can be in relative or absolute format.

If the TLS key is unencrypted, then the password file must be empty.

From Liberator 7.1.9: If the TLS key is unencrypted and you don’t want to deploy an empty password file, then set the configuration variable DIRECTSSL_PASSWORD_FILE_REQUIRED to NO in the Deployment Framework file global_config/environment.conf.

For information on setting directssl-passwordfile, see Installing keys and certificates.

Syntax: directssl-passwordfile <password-filename-and-path>

Type: string

Default value: rttpd.directssl.pass

directssl-port specifies the network port that Liberator listens on for direct connection requests using SSL.

Syntax: directssl-port <network-port>

Type: integer

Default value: 15001

directssl-privatekey specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

For information on setting the private key, see Installing keys and certificates.

The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.

Syntax: directssl-privatekey <private-key-filename-and-path>

Type: string

Default value: cert.pem

See ssl-random-seed in DataSource Secure Sockets Layer (SSL) configuration.

See also: