Direct connections configuration

The following configuration items define how Liberator handles direct connections with clients.

Liberator can accept direct persistent RTTP connections from StreamLink clients via TCP/IP, rather than via HTTP or HTTPS. The client connects to Liberator via a TCP/IP socket, and the Liberator streams data directly to the client across this connection. Direct connections can also use the Secure Sockets Layer (SSL) to provide greater security.

Tip: Liberator is supplied with a built-in Config blade called DirectConnection that's automatically activated when you install the Liberator (see Built-in blades). However, it only provides basic (non-secure) connectivity for direct connections. In the Caplin Platform Deployment Framework release 6.2 and later, Liberator has a built-in Config blade called DirectSSLConnection that implements secure direct connections using the OpenSSL implementation of SSL.

To set up secure direct connections in a production environment, you'll need to provide the appropriate certificate and key files, and set up or modify some of the direct SSL configuration items that are described on this page.

For details of how to set up and modify both basic and secure direct connections using the DirectConnection and DirectSSLConnection blades, see How can I... Configure how Liberator handles direct client connections.

Tip: You may also need to set ssl-random-seed, which configures the seeding of the OpenSSL random number generator that the Liberator uses for direct secure and HTTPS connections.

direct-interface

direct-interface specifies the network interfaces that Liberator listens on for direct connection requests.

This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.

Wildcard support

direct-interface (item not set)
  Liberator 6.2: Default. A single IPv4 server socket that listens on all IPv4 interface addresses.
  Liberator 7.0: Default. A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses.

direct-interface *
  Liberator 6.2: A single IPv4 server socket that listens on all IPv4 interface addresses.
  Liberator 7.0: A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses.

direct-interface 0.0.0.0
  Liberator 6.2: A single IPv4 server socket that listens on all IPv4 interface addresses.
  Liberator 7.0: A single IPv4 server socket that listens on all IPv4 interface addresses.

direct-interface ::
  Liberator 6.2: Not supported.
  Liberator 7.0: A single IPv6 server socket that listens on all IPv6 interface addresses.

direct-interface 0.0.0.0 ::
  Liberator 6.2: Not supported.
  Liberator 7.0: A single IPv4 server socket that listens on all IPv4 interface addresses, and a single IPv6 server socket that listens on all IPv6 interface addresses. Supported from Liberator 7.0.2.

direct-interface :: 0.0.0.0
  Liberator 6.2: Not supported.
  Liberator 7.0: A single IPv6 server socket that listens on all IPv6 interface addresses, and a single IPv4 server socket that listens on all IPv4 interface addresses. Supported from Liberator 7.0.2.

Note: In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTINTERFACE to specify Liberator's direct-interface. See How can I ... Configure how Liberator handles direct client connections and Configuration macros and items.

Macros cannot be assigned more than one value. To create more than one direct interface, assign one address to the macro and assign all additional addresses to new direct-interface configuration items in the configuration override file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf.

Syntax: direct-interface <space-separated-list-of-interface-ip-addresses>

Type: array of strings

Default value: [all available network interfaces]

direct-max-line-length

direct-max-line-length specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.

Syntax: direct-max-line-length <max-length-in-bytes>

Type: integer

Default value: 65536
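The reason a server bounds the length of a single protocol line is that a peer which never sends the line terminator would otherwise make the server buffer an ever-growing partial line. The incremental framer below is an added illustration of that check and is not Liberator code; it applies a per-line byte limit in the style of direct-max-line-length (default 65536, taken from this page) to data arriving in arbitrary chunks, as it would from a socket. The sample input is constructed.

```python
# Added example: a line framer that enforces a maximum line length on a byte
# stream, in the spirit of Liberator's direct-max-line-length. Not Liberator code.

DEFAULT_MAX_LINE_LENGTH = 65536  # default for direct-max-line-length on this page


class LineTooLongError(ValueError):
    """Raised when a line exceeds the configured maximum before its terminator arrives."""


class BoundedLineFramer:
    """Splits incoming chunks into '\\n'-terminated lines without ever holding
    more than max_length bytes of an unterminated line.

    feed() may be called with data split at arbitrary points (as socket reads are);
    the partial tail of the last chunk is kept until the terminator shows up.
    """

    def __init__(self, max_length=DEFAULT_MAX_LINE_LENGTH):
        self.max_length = max_length
        self._pending = bytearray()  # unterminated tail carried between feed() calls

    def feed(self, data):
        """Return the complete lines (terminator removed) found so far.

        Raises LineTooLongError as soon as a line, complete or partial, passes the limit,
        so the caller can close the connection instead of buffering further.
        """
        lines = []
        start = 0
        while True:
            nl = data.find(b"\n", start)
            if nl == -1:
                break
            line = bytes(self._pending) + data[start:nl]
            self._pending.clear()
            if len(line) > self.max_length:
                raise LineTooLongError(f"line of {len(line)} bytes exceeds limit of {self.max_length}")
            lines.append(line)
            start = nl + 1
        # Keep the unterminated remainder, but refuse to let it grow past the limit.
        self._pending += data[start:]
        if len(self._pending) > self.max_length:
            raise LineTooLongError(f"unterminated line already {len(self._pending)} bytes, limit {self.max_length}")
        return lines

    def pending_bytes(self):
        """Number of bytes currently buffered for an unterminated line."""
        return len(self._pending)


if __name__ == "__main__":
    framer = BoundedLineFramer(max_length=16)
    # Constructed sample: two chunks that split a line across the boundary.
    print(framer.feed(b"SUBSCRIBE /A\nSUB"))   # [b'SUBSCRIBE /A']
    print(framer.feed(b"SCRIBE /B\n"))         # [b'SUBSCRIBE /B']
    try:
        framer.feed(b"X" * 17)                 # no terminator and over the limit
    except LineTooLongError as exc:
        print("rejected:", exc)
```

With a small limit the failure is easy to see: a chunk with no terminator that exceeds the limit is rejected immediately, whereas a line that fits is delivered once its terminator arrives, however many chunks it was split across.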

direct-port

direct-port specifies the network port that Liberator listens on for direct connection requests.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTPORT to specify Liberator's direct-port. See How can I ... Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: direct-port <network-port>

Type: integer

Default value: 15000

direct-refuse-time

direct-refuse-time specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.

Syntax: direct-refuse-time <time-in-seconds>

Type: float

Default value: 5.0 seconds

direct-tcp-nodelay-off

direct-tcp-nodelay-off specifies whether Liberator's direct client connection sockets should have the TCP_NODELAY feature turned off. The default is FALSE, which means TCP_NODELAY is enabled. Setting this configuration item to TRUE disables TCP_NODELAY.

Syntax: direct-tcp-nodelay-off <boolean>

Type: boolean

Default value: FALSE (TCP_NODELAY is enabled)

directssl-certificate

directssl-certificate specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro SSLCERT_PATH is used to specify the directory path in the Liberator's directssl-certificate setting. See Configuration macros and items. The certificate filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.pem. This certificate file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pem file that's automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you've previously put your own version of this file in the directory.

Syntax: directssl-certificate <PEM-filename-and-path>

Type: string

Default value: cert.pem

The default filename for the certificate is the same as the private key's default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.

directssl-cipher-list

directssl-cipher-list specifies a colon-separated list of cipher strings. These cipher strings select, in preferred order, the various SSL ciphers (cryptographic algorithms) that Liberator can use for its direct SSL connections with clients. The ciphers are selected from the set available in the version of OpenSSL built into Liberator. The format of the cipher list is as defined for the cipherlist argument of the OpenSSL ciphers tool; for details see the OpenSSL ciphers(1) manual page, which includes a list of the available cipher suite names. At run time, Liberator passes the cipher list as a control string to the OpenSSL function SSL_CTX_set_cipher_list(); this function uses the control string to set up the list of available SSL ciphers.

You should regularly review your cipher list under guidance from security professionals.

Note: In Liberator 7, the protocols SSLv2, SSLv3, and TLSv1 are disabled by default. This configuration is not compatible with older client libraries that don't support TLSv1.1 and TLSv1.2, for example the .NET Framework v4.0. To re-enable TLSv1 in Liberator 7, set the value for directssl-ssl-options to SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, and check that the value of directssl-cipher-list contains ciphers from the TLSv1 cipher suite.

Syntax: directssl-cipher-list <openSSL-ciphers(1)-cipherlist>

Type: string

Default value (Liberator 6): DEFAULT

Default value (Liberator 7): DEFAULT:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA

Example:

directssl-cipher-list HIGH+TLSv1.2:!RC4:!DES:!3DES:!MD5:!aNULL:!eNULL:!NULL

directssl-dhparams

directssl-dhparams specifies the path to a Diffie-Hellman parameter file, which is required by ciphers that support forward secrecy (FS).

For instructions on how to generate a DH parameter file, see Additional requirements for ciphers that support forward secrecy.

Availability: Liberator 6.2.14+, Liberator 7.0.1+

Syntax: directssl-dhparams <filepath>

Type: string

Default value: <empty string>

Example:

directssl-dhparams ${SSLCERT_PATH}/rttpd-dhparam-2048.pem

directssl-disable-renegotiation

directssl-disable-renegotiation, when set to TRUE, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.

Syntax: directssl-disable-renegotiation <boolean>

Type: boolean

Default value: FALSE (client renegotiation is allowed)

directssl-enable

directssl-enable switches on support for direct connections using SSL when set to TRUE.

Syntax: directssl-enable <boolean>

Type: boolean

Default value: FALSE (Direct connections via SSL not supported)

directssl-interface

directssl-interface specifies the network interfaces to listen on for direct connections using SSL.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE to specify Liberator's directssl-interface. See How can I ... Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: directssl-interface <space-separated-list-of-interface-ip-addresses>

Type: array of strings

Default value: [all available network interfaces]

directssl-ssl-options

directssl-ssl-options changes the protocols accepted by the OpenSSL library packaged with Liberator. Use directssl-ssl-options to disable support for older versions of SSL, and to enable workarounds for known bugs in client implementations of SSL.

Note: In Liberator 7, the protocols SSLv2, SSLv3, and TLSv1 are disabled by default. This configuration is not compatible with older client libraries that don't support TLSv1.1 and TLSv1.2, for example the .NET Framework v4.0. To re-enable TLSv1 in Liberator 7, set the value for directssl-ssl-options to SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, and check that the value of directssl-cipher-list contains ciphers from the TLSv1 cipher suite.

Syntax: directssl-ssl-options <supported-SSL-levels>

Type: string

Default value (Liberator 6): SSL_OP_NO_SSLv2

Default value (Liberator 7): SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1

Values accepted:

VALUE              MEANING
SSL_OP_ALL         Enable all of OpenSSL's workarounds for known bugs in client implementations of SSL. For the full list of workarounds enabled by this option, see SSL_CTX_set_options on the OpenSSL website.
SSL_OP_NO_SSLv3    Disable support for SSLv3.
SSL_OP_NO_SSLv2    Disable support for SSLv2.
SSL_OP_NO_TLSv1    Disable support for TLSv1.
SSL_OP_NO_TLSv1_1  Disable support for TLSv1.1.
SSL_OP_NO_TLSv1_2  Disable support for TLSv1.2.

You can specify multiple values using the | operator. In the example below, support for SSLv2, SSLv3, and TLSv1 has been disabled:

directssl-ssl-options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1
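The two settings above, directssl-cipher-list and directssl-ssl-options, interact: the options decide which protocol versions the listener accepts, while the cipher list decides which suites are available, and the page's note on re-enabling TLSv1 asks you to confirm that the cipher list still contains suites usable by that version. The script below is an added example of that review step and is not Liberator code or part of the Deployment Framework; it parses a '|'-joined options value using the tokens listed on this page, expands a cipherlist string through the local OpenSSL (Python's ssl module calls the same SSL_CTX_set_cipher_list() the page mentions), and reports ciphers a reviewer would flag and protocol versions left enabled with no usable cipher. The weak-fragment list and the lint rules are this example's own assumptions, not Liberator behaviour. The TLS 1.3 suites that modern OpenSSL configures separately are excluded because the cipherlist string does not govern them.

```python
# Added example: cross-check a directssl-ssl-options value against a
# directssl-cipher-list value using the local OpenSSL. Not Liberator code.
import ssl

# Tokens this page lists for directssl-ssl-options, mapped to the protocol each
# one disables. SSL_OP_ALL only enables bug workarounds and disables nothing.
OPTION_DISABLES = {
    "SSL_OP_NO_SSLv2": "SSLv2",
    "SSL_OP_NO_SSLv3": "SSLv3",
    "SSL_OP_NO_TLSv1": "TLSv1",
    "SSL_OP_NO_TLSv1_1": "TLSv1.1",
    "SSL_OP_NO_TLSv1_2": "TLSv1.2",
}
KNOWN_TOKENS = set(OPTION_DISABLES) | {"SSL_OP_ALL"}
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Assumption of this example: cipher-name fragments a reviewer would not want on a
# production listener (the page's own example excludes RC4, DES/3DES, MD5 and NULL).
WEAK_FRAGMENTS = ("RC4", "MD5", "DES", "NULL", "EXP-")


def parse_ssl_options(value):
    """Split a '|'-joined directssl-ssl-options value into tokens; reject any not on the page's list."""
    tokens = [t.strip() for t in value.split("|") if t.strip()]
    unknown = sorted(set(tokens) - KNOWN_TOKENS)
    if unknown:
        raise ValueError(f"unknown directssl-ssl-options token(s): {unknown}")
    return tokens


def enabled_protocols(value):
    """Protocol versions that remain enabled after applying the SSL_OP_NO_* tokens in value."""
    disabled = {OPTION_DISABLES[t] for t in parse_ssl_options(value) if t in OPTION_DISABLES}
    return [p for p in ALL_PROTOCOLS if p not in disabled]


def expand_cipher_list(cipher_list):
    """Expand an OpenSSL cipherlist string with the local OpenSSL, as SSL_CTX_set_cipher_list() does.

    Returns (name, lowest protocol version the suite works with) pairs. TLS 1.3 suites
    are configured separately in OpenSSL and are not governed by this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError when nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def lint_direct_ssl(cipher_list, ssl_options):
    """Cross-check the two settings and return the findings a reviewer would want."""
    protocols = enabled_protocols(ssl_options)
    ciphers = expand_cipher_list(cipher_list)
    weak = [name for name, _ in ciphers if any(f in name for f in WEAK_FRAGMENTS)]
    warnings = []
    if "SSLv2" in protocols or "SSLv3" in protocols:
        warnings.append("SSLv2/SSLv3 still enabled; add SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3")
    # A list made only of TLSv1.2 suites leaves older, still-enabled versions with
    # nothing to negotiate, which is the check the page's TLSv1 note asks for.
    tls12_only = all(proto == "TLSv1.2" for _, proto in ciphers)
    for older in ("TLSv1", "TLSv1.1"):
        if older in protocols and tls12_only:
            warnings.append(f"{older} is enabled but the cipher list has no cipher usable below TLSv1.2")
    return {"protocols": protocols, "ciphers": [n for n, _ in ciphers], "weak": weak, "warnings": warnings}


if __name__ == "__main__":
    # Values taken from this page: the Liberator 7 default options and the example cipher list.
    report = lint_direct_ssl("HIGH+TLSv1.2:!RC4:!DES:!3DES:!MD5:!aNULL:!eNULL:!NULL",
                             "SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the page's own example cipher list and the Liberator 7 default options, the report shows no weak suites, but it does warn that TLSv1.1 is still enabled with no suite below TLSv1.2 to serve it; whether to disable TLSv1.1 outright or widen the list is then an explicit decision rather than an accident. Note that the expansion reflects the OpenSSL on the machine running the script, not necessarily the version built into your Liberator.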

directssl-passwordfile

directssl-passwordfile specifies the filename and directory path of the file containing the SSL certificate passphrase used for direct connections. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro SSLCERT_PATH is used to specify the directory path in the Liberator's directssl-passwordfile setting. See Configuration macros and items. The password filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.pwd. This password file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pwd file that's automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you've previously put your own version of this file in the directory.

Syntax: directssl-passwordfile <password-filename-and-path>

Type: string

Default value: rttpd.directssl.pass

directssl-port

directssl-port specifies the network port that Liberator listens on for direct connection requests using SSL.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLPORT to specify Liberator's directssl-port. See How can I ... Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: directssl-port <network-port>

Type: integer

Default value: 15001

directssl-privatekey

directssl-privatekey specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

In the Caplin Platform Deployment Framework, a configuration macro SSLCERT_PATH is used to specify the directory path in the Liberator's directssl-privatekey setting. See Configuration macros and items.

The key filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.key. This private key file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.key file that's automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you've previously put your own version of this file in the directory.

Syntax: directssl-privatekey <private-key-filename-and-path>

Type: string

Default value: cert.pem

The default filename for the private key is the same as the certificate's default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.

ssl-random-seed

See ssl-random-seed in DataSource Secure Sockets Layer (SSL) configuration.

