Direct connections configuration

The following configuration items define how Liberator handles direct connections from StreamLink clients as opposed to StreamLink connections tunnelled over HTTP, HTTPS, and WebSocket protocols.

Direct connections are supported by all StreamLink libraries except for StreamLink JS. For more information on connection types, see StreamLink connection types.

To enable support for direct connections over SSL, see Configure how Liberator handles direct client connections.

add-direct-virtual-host

add-direct-virtual-host, available from Liberator 8.0.1+, defines a name-based or IP-based virtual host. Each virtual-host definition overrides some or all of the global configuration options directssl-certificate, directssl-privatekey, directssl-passwordfile, and directssl-dhparams for a specific IP address or hostname.

To configure Liberator to present a different TLS certificate for each of the alternative hostnames by which a Liberator server is known, define an add-direct-virtual-host block for each alternative hostname.

Syntax:

add-direct-virtual-host
   name         [string]
   addr         [string]
   certificate  [string]
   passwordfile [string]
   privatekey   [string]
   dhparams     [string]
end-virtual-host
Options for add-direct-virtual-host

addr (type: string; default: [none])

    The IP address or hostname of this virtual host. If the address is invalid, Liberator will fail to start.

certificate (type: string; default: value of directssl-certificate)

    The filename and directory path of the SSL (secure sockets layer) certificate used for direct connections to this virtual host. The file must be in PEM format. The directory path is optional and can be in relative or absolute format.

    This option overrides, for this virtual host, the certificate filename and path defined in the global configuration item directssl-certificate.

passwordfile (type: string; default: value of directssl-passwordfile)

    The filename and directory path of the file containing the passphrase for the privatekey. The file must be in PEM format. The directory path is optional and can be in relative or absolute format.

    This option overrides, for this virtual host, the password filename and path defined in the global configuration item directssl-passwordfile.

privatekey (type: string; default: value of directssl-privatekey)

    The filename and directory path of the SSL (secure sockets layer) private key used for direct connections to this virtual host. The file must be in PEM format. The directory path is optional and can be in relative or absolute format.

    This option overrides, for this virtual host, the private key filename and path defined in the global configuration item directssl-privatekey.

dhparams (type: string; default: [none])

    The path to a Diffie-Hellman (DH) parameters file, which is required by ephemeral Diffie-Hellman ciphers (DHE). For instructions on how to generate a DH parameters file, see Generating a Diffie-Hellman parameters file for DHE ciphers.

    This option overrides, for this virtual host, the path to the DH parameters file defined in the global configuration item directssl-dhparams.

name (type: string; default: value of the addr option)

    A name for this virtual host.

Example:

In this example, a Liberator server, host1.example.com, also has DNS entries for the host names host2.example.com and host3.example.com at the same IP address. The example configuration below uses add-direct-virtual-host blocks to define the TLS certificates to use for host2.example.com and host3.example.com (host1.example.com itself uses the certificate defined by the global directssl-certificate item).

# TLS certificate for host2.example.com
add-direct-virtual-host
    addr          host2.example.com
    certificate   ${SSLCERT_PATH}/host2.example.com.cert.pem
    privatekey    ${SSLCERT_PATH}/host2.example.com.key.pem
    passwordfile  ${SSLCERT_PATH}/host2.example.com.key.pwd
end-virtual-host

# TLS certificate for host3.example.com
add-direct-virtual-host
    addr          host3.example.com
    certificate   ${SSLCERT_PATH}/host3.example.com.cert.pem
    privatekey    ${SSLCERT_PATH}/host3.example.com.key.pem
    passwordfile  ${SSLCERT_PATH}/host3.example.com.key.pwd
end-virtual-host
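The override rule above (a virtual-host option that is not set falls back to the matching global directssl-* item, and name defaults to addr) is easy to get wrong when several hosts share one rttpd.conf, so it is worth checking mechanically before Liberator is started. The following Python script is an added example, not Liberator code and not part of this documentation: it parses a constructed rttpd.conf fragment modelled on the example above, expands ${SSLCERT_PATH} (the value /opt/caplin/ssl is assumed), and reports the effective certificate, private key, password file and DH parameters for each virtual host, using the defaults documented on this page for global items that are not set.

```python
"""Resolve the effective TLS material for each add-direct-virtual-host block.

Added example, not Liberator code. Parses the rttpd.conf subset shown on this
page (global directssl-* items and add-direct-virtual-host ... end-virtual-host
blocks) and applies the documented override rule.
"""
import re

# Constructed sample configuration, modelled on the example above.
SAMPLE_CONF = """
# Global Direct SSL material (used by host1.example.com itself)
directssl-enable       TRUE
directssl-certificate  ${SSLCERT_PATH}/host1.example.com.cert.pem
directssl-privatekey   ${SSLCERT_PATH}/host1.example.com.key.pem
directssl-passwordfile ${SSLCERT_PATH}/host1.example.com.key.pwd
directssl-dhparams     ${SSLCERT_PATH}/rttpd-dhparam-2048.pem

# TLS certificate for host2.example.com
add-direct-virtual-host
    addr          host2.example.com
    certificate   ${SSLCERT_PATH}/host2.example.com.cert.pem
    privatekey    ${SSLCERT_PATH}/host2.example.com.key.pem
    passwordfile  ${SSLCERT_PATH}/host2.example.com.key.pwd
end-virtual-host

# host3 overrides only the certificate and key; passwordfile and dhparams fall back
add-direct-virtual-host
    name          host3
    addr          host3.example.com
    certificate   ${SSLCERT_PATH}/host3.example.com.cert.pem
    privatekey    ${SSLCERT_PATH}/host3.example.com.key.pem
end-virtual-host
"""

# Virtual-host option -> the global item it overrides (from the options table).
GLOBAL_FOR = {
    "certificate": "directssl-certificate",
    "privatekey": "directssl-privatekey",
    "passwordfile": "directssl-passwordfile",
    "dhparams": "directssl-dhparams",
}
# Default values documented on this page for the global items.
GLOBAL_DEFAULTS = {
    "directssl-certificate": "cert.pem",
    "directssl-privatekey": "cert.pem",
    "directssl-passwordfile": "rttpd.directssl.pass",
    "directssl-dhparams": "",
}


def expand(value, env):
    """Expand ${VAR} references from the given mapping (unknown names become empty)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), value)


def parse_conf(text, env):
    """Return (global_items, virtual_host_blocks) from rttpd.conf-style text."""
    global_items, hosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line == "add-direct-virtual-host":
            if current is not None:
                raise ValueError("nested add-direct-virtual-host block")
            current = {}
            continue
        if line == "end-virtual-host":
            if current is None:
                raise ValueError("end-virtual-host without an open block")
            hosts.append(current)
            current = None
            continue
        key, _, value = line.partition(" ")
        target = current if current is not None else global_items
        target[key] = expand(value.strip(), env)
    if current is not None:
        raise ValueError("unterminated add-direct-virtual-host block")
    return global_items, hosts


def effective_hosts(global_items, hosts):
    """Apply the override rule: an unset per-host option falls back to the global item,
    which in turn falls back to its documented default; name defaults to addr."""
    resolved = {}
    for host in hosts:
        if not host.get("addr"):
            raise ValueError("add-direct-virtual-host block has no addr")
        eff = {"addr": host["addr"], "name": host.get("name") or host["addr"]}
        for opt, glob in GLOBAL_FOR.items():
            eff[opt] = host.get(opt) or global_items.get(glob, GLOBAL_DEFAULTS[glob])
        resolved[eff["name"]] = eff
    return resolved


def resolve(text=SAMPLE_CONF, env=None):
    """Parse and resolve; the SSLCERT_PATH value is an assumed example path."""
    env = env if env is not None else {"SSLCERT_PATH": "/opt/caplin/ssl"}
    global_items, hosts = parse_conf(text, env)
    return effective_hosts(global_items, hosts)


if __name__ == "__main__":
    for name, eff in resolve().items():
        print(name)
        for key, value in eff.items():
            print(f"  {key:13} {value or '[none]'}")
```

Run the script against your own rttpd.conf and environment values to see exactly which file each virtual host will present; a host that silently inherits the wrong global private key or an empty dhparams path shows up here rather than at the first failed handshake.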

direct-interface

direct-interface specifies the network interfaces that Liberator listens on for direct connection requests.

This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.

Wildcard support

direct-interface not set

    Liberator 6.2: Default. A single IPv4 server socket that listens on all IPv4 interface addresses.

    Liberator 7.0: Default. A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses.

direct-interface *

    Liberator 6.2: A single IPv4 server socket that listens on all IPv4 interface addresses.

    Liberator 7.0: A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses.

direct-interface 0.0.0.0

    Liberator 6.2: A single IPv4 server socket that listens on all IPv4 interface addresses.

    Liberator 7.0: A single IPv4 server socket that listens on all IPv4 interface addresses.

direct-interface ::

    Liberator 6.2: Not supported.

    Liberator 7.0: A single IPv6 server socket that listens on all IPv6 interface addresses.

direct-interface 0.0.0.0 ::

    Liberator 6.2: Not supported.

    Liberator 7.0: A single IPv4 server socket that listens on all IPv4 interface addresses, and a single IPv6 server socket that listens on all IPv6 interface addresses. Supported from Liberator 7.0.2.

direct-interface :: 0.0.0.0

    Liberator 6.2: Not supported.

    Liberator 7.0: A single IPv6 server socket that listens on all IPv6 interface addresses, and a single IPv4 server socket that listens on all IPv4 interface addresses. Supported from Liberator 7.0.2.

In the Caplin Platform Deployment Framework, you use a configuration variable LIBERATOR${THIS_LEG}_DIRECTINTERFACE to specify Liberator’s direct-interface. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Variables cannot be assigned multiple values. To create more than one direct interface, assign one address to the macro and assign all additional addresses to new direct-interface configuration items in the configuration override file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf.

Syntax: direct-interface <interface address> …

Type: array of strings

Default value: [all available network interfaces]

direct-max-line-length

direct-max-line-length specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.

Syntax: direct-max-line-length <max-length-in-bytes>

Type: integer

Default value: 65536

direct-port

direct-port specifies the network port that Liberator listens on for direct connection requests.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTPORT to specify Liberator’s direct-port. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: direct-port <network-port>

Type: integer

Default value: 15000

direct-refuse-time

direct-refuse-time specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.

Syntax: direct-refuse-time <time-in-seconds>

Type: float

Default value: 5.0 seconds

direct-tcp-nodelay-off

direct-tcp-nodelay-off specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is FALSE, which means TCP_NODELAY is enabled. Setting this configuration item to TRUE disables TCP_NODELAY.

Syntax: direct-tcp-nodelay-off <boolean>

Type: boolean

Default value: FALSE (TCP_NODELAY is enabled)

directssl-certificate

directssl-certificate specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

For more information on setting directssl-certificate, see Installing keys and certificates.

The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.

Syntax: directssl-certificate <PEM-filename-and-path>

Type: string

Default value: cert.pem

directssl-ciphersuites (TLS 1.3)

directssl-ciphersuites specifies the TLS 1.3 ciphers supported by Liberator’s Direct SSL interface, formatted as an OpenSSL cipher list. To set the TLS 1.0–1.2 ciphers supported by Liberator, see directssl-cipher-list.

This is an advanced TLS 1.3 configuration option for specific use cases only. You do not need to set this option to enable TLS 1.3 support in Liberator. TLS 1.3 support is enabled by default from Liberator 7.1.5.

When directssl-ciphersuites is not specified, Liberator uses OpenSSL’s default TLS 1.3 cipher list.

In accordance with the TLS specification, Liberator ignores the priority order of ciphers in directssl-ciphersuites and favours the TLS client’s cipher priority order. To reverse this default behaviour, set the SSL_OP_CIPHER_SERVER_PREFERENCE flag in directssl-ssl-options. To log the cipher lists of connecting clients, see directssl-log-hello-ciphers.

Since: Liberator 7.1.25

Syntax: directssl-ciphersuites <openssl_cipher_list>

Type: string

Default value: OpenSSL default

directssl-cipher-list

directssl-cipher-list specifies the TLS 1.0–1.2 ciphers supported by Liberator’s Direct SSL interface, formatted as an OpenSSL cipher list.

In accordance with the TLS specification, when choosing a cipher for a connection, Liberator chooses the client’s most preferred cipher from among the ciphers they have in common. To reverse this default behaviour, set the SSL_OP_CIPHER_SERVER_PREFERENCE flag in directssl-ssl-options. To define Liberator’s cipher preference, order ciphers in directssl-cipher-list in descending order of preference, most preferred cipher first.

To log the cipher lists of connecting TLS clients, see directssl-log-hello-ciphers.

Configure this item in conjunction with directssl-ssl-options (SSL/TLS protocol versions) and directssl-dhparams (required for DHE ciphers).

The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter.

For detailed information on how to set ciphers for Liberator’s direct SSL interface, see Configuring supported TLS ciphers.

Syntax: directssl-cipher-list <openssl_cipher_list>

Type: string

Default:

  • Liberator 7.1.25: TLSv1.2+ECDHE+AESGCM:TLSv1.2+ECDHE+AESCCM:TLSv1.2+ECDHE+CHACHA20:TLSv1.2+DHE+AESGCM:TLSv1.2+DHE+AESCCM:TLSv1.2+DHE+CHACHA20

  • Liberator 7.1.5: ECDHE:DHE:!SSLv3:!SSLv2:@STRENGTH

  • Liberator 7.0: DEFAULT:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA

  • Liberator 6.0: DEFAULT

directssl-dhparams

directssl-dhparams specifies the path to a Diffie-Hellman parameter file, which is required by ephemeral Diffie-Hellman ciphers (DHE).

Configure this item in conjunction with directssl-ssl-options (SSL/TLS protocol versions) and directssl-cipher-list (SSL/TLS ciphers).

The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter.

For instructions on how to generate a Diffie-Hellman (DH) parameters file, see Generating a Diffie-Hellman parameters file for DHE ciphers.

Availability: Liberator 6.2.14+, Liberator 7.0.1+

Syntax: directssl-dhparams <filepath>

Type: string

Default value: <empty string>

Example:

directssl-dhparams ${SSLCERT_PATH}/rttpd-dhparam-2048.pem

directssl-disable-renegotiation

directssl-disable-renegotiation, when set to TRUE, prevents clients from renegotiating their direct SSL connections. This protects against denial-of-service attacks involving repeated attempts to renegotiate.

Syntax: directssl-disable-renegotiation <boolean>

Type: boolean

Default value: FALSE (Liberator 6.2), TRUE (Liberator 7)

directssl-enable

directssl-enable switches on support for direct connections using SSL when set to TRUE.

Syntax: directssl-enable <boolean>

Type: boolean

Default value: FALSE (Direct connections via SSL not supported)

directssl-interface

directssl-interface specifies the network interfaces to listen on for direct connections using SSL.

For a Liberator deployed within a Caplin Deployment Framework, directssl-interface is normally set indirectly by specifying a value for the Deployment Framework configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE. Only one Direct SSL interface can be specified in the variable; to add extra interfaces, append new directssl-interface items to the configuration override file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf.

This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.

Syntax: directssl-interface <ip-addresses> …

Type: array of strings

Default value: [all available network interfaces]

directssl-log-hello-ciphers

Enables logging of the cipher list presented by TLS clients in the TLS handshake with Liberator.

From Liberator 7.1.25, client cipher lists are logged at INFO level and require the SSL.Detail log category to be enabled (see log-category-filter):

directssl-log-hello-ciphers
log-category-filter SSL.Detail

For Liberator 7.1.23 and 7.1.24, client cipher lists for successful connections are logged at DEBUG level. Client cipher lists for unsuccessful connections are logged at INFO level.

Since: Liberator 7.1.23

Syntax: directssl-log-hello-ciphers <boolean>

Type: boolean

Default value: FALSE

directssl-ssl-options

directssl-ssl-options configures the SSL/TLS protocols accepted by Liberator’s direct SSL interface.

Configure this item in conjunction with directssl-cipher-list (SSL/TLS ciphers) and directssl-dhparams (required for DHE ciphers).

The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter.

Use directssl-ssl-options to disable support for older versions of SSL, and to enable workarounds for known bugs in client implementations of SSL.

This configuration item takes one parameter: a pipe-separated list of OpenSSL options from the table below.

Supported OpenSSL options

SSL_OP_ALL

    Enable all of OpenSSL’s workarounds for known bugs in client implementations of SSL. For the full list of workarounds enabled by this option, see SSL_CTX_set_options on the OpenSSL website.

SSL_OP_NO_SSLv2

    Disable support for SSL 2.

SSL_OP_NO_SSLv3

    Disable support for SSL 3.

SSL_OP_NO_TLSv1

    Disable support for TLS 1.0.

SSL_OP_NO_TLSv1_1

    Disable support for TLS 1.1. Available from Liberator 7.1.3.

SSL_OP_NO_TLSv1_2

    Disable support for TLS 1.2. Available from Liberator 7.1.3.

SSL_OP_NO_TLSv1_3

    Disable support for TLS 1.3. Available from Liberator 7.1.5.

SSL_OP_CIPHER_SERVER_PREFERENCE

    In a TLS handshake, the TLS client presents Liberator with a list of the ciphers it supports in priority order, and Liberator chooses a cipher from the list.

    By default, and in accordance with the TLS specification, Liberator chooses the client’s most preferred cipher from the ciphers they have in common.

    When SSL_OP_CIPHER_SERVER_PREFERENCE is set, Liberator chooses its own most preferred cipher from the ciphers they have in common. This breaks with the TLS specification.

    Liberator’s cipher preferences are determined by the order of ciphers in directssl-cipher-list. Ciphers are listed in descending order of preference, most preferred cipher first.

    Available from Liberator 7.1.25.

For more information on setting TLS protocol versions for Liberator’s direct SSL interface, see Configuring supported TLS protocol versions.

Syntax: directssl-ssl-options <option>[|<option>]…

Type: string

Default value:

  • Liberator 7.1.25: SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1

  • Liberator 7.1.5: SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3

    This option string supports older browser versions by retaining support for TLS 1.0 and TLS 1.1, which were recommended for deprecation in 2018 and formally deprecated in March 2021 (IETF RFC 8996). Review this configuration for compliance with your security policy before deploying to production. For an example of configuration restricted to modern direct clients only, see Configuring supported TLS protocol versions.
  • Liberator 7.0: SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1

  • Liberator 6.0: SSL_OP_NO_SSLv2
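The directssl-cipher-list and directssl-ssl-options sections above both say the same thing: the shipped defaults are not a security recommendation, and the three items directssl-ssl-options, directssl-cipher-list and directssl-dhparams must be reviewed together. The following Python script is an added example, not Liberator code, that performs that review on the documented default values: it parses the pipe-separated directssl-ssl-options string against the option table above to find which protocol versions it leaves enabled, expands the directssl-cipher-list string through Python’s ssl module to see which TLS 1.0–1.2 suites it actually selects (so the result reflects the OpenSSL build on the reviewing host, which is assumed to be comparable to the one Liberator links against), flags suites without forward secrecy, and reports when DHE suites are selected but no directssl-dhparams path is configured. Whether a protocol the option string leaves open, such as SSL 2, is still implemented by the linked OpenSSL is a separate question the script does not answer.

```python
"""Review a Liberator Direct SSL protocol/cipher configuration before deployment.

Added example, not Liberator code. Uses only the option names and default
values documented on this page plus the OpenSSL bindings in Python's ssl module.
"""
import ssl

# SSL_OP_* names from the directssl-ssl-options table and the protocol each disables.
PROTOCOL_OPTIONS = {
    "SSL_OP_NO_SSLv2": "SSLv2",
    "SSL_OP_NO_SSLv3": "SSLv3",
    "SSL_OP_NO_TLSv1": "TLSv1.0",
    "SSL_OP_NO_TLSv1_1": "TLSv1.1",
    "SSL_OP_NO_TLSv1_2": "TLSv1.2",
    "SSL_OP_NO_TLSv1_3": "TLSv1.3",
}
OTHER_OPTIONS = {"SSL_OP_ALL", "SSL_OP_CIPHER_SERVER_PREFERENCE"}
ALL_PROTOCOLS = list(PROTOCOL_OPTIONS.values())
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}   # TLS 1.0/1.1 per RFC 8996

# Documented defaults from this page, used here as sample input.
LIBERATOR_7_1_25_OPTIONS = "SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1"
LIBERATOR_7_1_25_CIPHERS = ("TLSv1.2+ECDHE+AESGCM:TLSv1.2+ECDHE+AESCCM:TLSv1.2+ECDHE+CHACHA20:"
                            "TLSv1.2+DHE+AESGCM:TLSv1.2+DHE+AESCCM:TLSv1.2+DHE+CHACHA20")
LIBERATOR_7_1_5_OPTIONS = "SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3"
LIBERATOR_7_1_5_CIPHERS = "ECDHE:DHE:!SSLv3:!SSLv2:@STRENGTH"


def parse_ssl_options(ssl_options):
    """Split the pipe-separated option string; reject names not in the documented table."""
    opts = [o.strip() for o in ssl_options.split("|") if o.strip()]
    for opt in opts:
        if opt not in PROTOCOL_OPTIONS and opt not in OTHER_OPTIONS:
            raise ValueError(f"unknown directssl-ssl-options value: {opt}")
    return opts


def enabled_protocols(ssl_options):
    """Protocol versions the option string does not disable, oldest first."""
    disabled = {PROTOCOL_OPTIONS[o] for o in parse_ssl_options(ssl_options)
                if o in PROTOCOL_OPTIONS}
    return [p for p in ALL_PROTOCOLS if p not in disabled]


def resolve_cipher_list(cipher_list):
    """Expand an OpenSSL cipher string to the TLS<=1.2 suites it selects, in list order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)            # raises ssl.SSLError if nothing matches
    # get_ciphers() also lists TLS 1.3 suites; Liberator configures those separately
    # through directssl-ciphersuites, so they are dropped here.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchange(cipher):
    """Kx= field of OpenSSL's cipher description, e.g. 'ECDH', 'DH' or 'RSA'."""
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[3:]
    return "unknown"


def review(ssl_options, cipher_list, dhparams=""):
    """Return the resolved protocol/cipher picture plus a list of findings to act on."""
    opts = parse_ssl_options(ssl_options)
    protocols = enabled_protocols(ssl_options)
    ciphers = resolve_cipher_list(cipher_list)
    findings = [f"directssl-ssl-options leaves deprecated {p} enabled"
                for p in protocols if p in DEPRECATED]
    findings += [f"{c['name']} lacks forward secrecy (Kx={key_exchange(c)})"
                 for c in ciphers if key_exchange(c) not in ("ECDH", "DH")]
    needs_dh = any(key_exchange(c) == "DH" for c in ciphers)
    if needs_dh and not dhparams:
        findings.append("DHE suites selected but directssl-dhparams is not set")
    return {
        "protocols": protocols,
        "ciphers": [c["name"] for c in ciphers],
        "server_preference": "SSL_OP_CIPHER_SERVER_PREFERENCE" in opts,
        "needs_dhparams": needs_dh,
        "findings": findings,
    }


if __name__ == "__main__":
    cases = (("7.1.25 defaults", LIBERATOR_7_1_25_OPTIONS, LIBERATOR_7_1_25_CIPHERS,
              "rttpd-dhparam-2048.pem"),       # assumed example dhparams path
             ("7.1.5 defaults", LIBERATOR_7_1_5_OPTIONS, LIBERATOR_7_1_5_CIPHERS, ""))
    for label, opts, ciphers, dh in cases:
        result = review(opts, ciphers, dh)
        print(f"{label}: protocols={result['protocols']} suites={len(result['ciphers'])}")
        for finding in result["findings"]:
            print("  finding:", finding)
```

Feed the script the values from your own rttpd.conf rather than the defaults; when SSL_OP_CIPHER_SERVER_PREFERENCE is set, the order in which the resolved suites are printed is the order Liberator will prefer them, so it is also the order to review.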

directssl-passwordfile

directssl-passwordfile specifies the filename and directory path of the file containing the passphrase for the encrypted SSL/TLS key used for direct connections. The directory path is optional and can be in relative or absolute format.

If the TLS key is unencrypted, then the password file must be empty.

From Liberator 7.1.9: If the TLS key is unencrypted and you don’t want to deploy an empty password file, then set the configuration variable DIRECTSSL_PASSWORD_FILE_REQUIRED to NO in the Deployment Framework file global_config/environment.conf.

For information on setting directssl-passwordfile, see Installing keys and certificates.

Syntax: directssl-passwordfile <password-filename-and-path>

Type: string

Default value: rttpd.directssl.pass

directssl-port

directssl-port specifies the network port that Liberator listens on for direct connection requests using SSL.

In the Caplin Platform Deployment Framework, you use a configuration variable LIBERATOR${THIS_LEG}_DIRECTSSLPORT to specify Liberator’s directssl-port. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: directssl-port <network-port>

Type: integer

Default value: 15001

directssl-privatekey

directssl-privatekey specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

For information on setting the private key, see Installing keys and certificates.

The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.

Syntax: directssl-privatekey <private-key-filename-and-path>

Type: string

Default value: cert.pem