Deskshare TLS over Stunnel
Overview
Sending the deskshare stream to the server over TLS adds security by making it harder for someone to eavesdrop on the stream. Note: This will not work if you set up HTTPS on BigBlueButton, as the two will conflict over port 443.
To achieve this, a new SSL termination proxy (Stunnel) needs to be added.
Architecture
You can also set up stunnel to terminate an RTMPS connection.
Client Changes
In the client config.xml file, locate the DeskShareModule module block. First change useTLS to be equal to true. Then make the publishURI parameter point to your stunnel server IP. We will go over how to install and configure stunnel later in this page.
Stunnel
Stunnel is an open-source multi-platform computer program, used to provide universal TLS/SSL tunneling service.
Installing Stunnel
apt-get update
apt-get upgrade
Then install the actual server
apt-get install stunnel4 -y
Configuring Stunnel Server
To enable automatic startup
nano /etc/default/stunnel4
And change ENABLED to 1
ENABLED=1
Navigate to the stunnel directory
cd /etc/stunnel/
Then create the config file
touch stunnel.conf
We then edit the file and make it look like this. Don’t worry about the cert for now, we will get to that later.
; Log level: info = 6, debug = 7
debug = 7
output = stunnel.log
[deskShare-01]
accept=STUNNEL_HOST:443
connect=BIGBLUEBUTTON_HOST:9123
cert = /etc/stunnel/stunnel.pem
The first 3 lines enable logging. accept should point to the stunnel server itself and connect should point to your BigBlueButton server. Do not change the ports if you did not change them on your BigBlueButton server.
Keys and Certs
If you have your own key and cert, use those; you will then only need to start stunnel (jump to Starting Stunnel) and you will be ready.
Start by creating the private key for your stunnel.
openssl genrsa -out key.pem 2048
Then, using that key, we will create a public cert
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
Then we need to combine the content of these 2 files into one that stunnel will use.
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
You might have a permission issue; in that case, just copy the files manually.
touch stunnel.pem
cat key.pem cert.pem
Then paste the output into the file stunnel.pem
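The combined stunnel.pem holds the private key, and re-running the append (>>) command above would add a second copy of both blocks. As an added example (not part of the original page; the function names build_stunnel_pem and check_stunnel_pem are made up here), these shell functions write the bundle with owner-only permissions and check the result:

```shell
#!/bin/sh
# Added example: build and sanity-check the combined PEM that stunnel's
# "cert =" option reads. File names follow the page; the function names
# are hypothetical.

# Write key + cert to $3 with owner-only permissions, replacing (never
# appending to) any existing file.
build_stunnel_pem() {
    key=$1 cert=$2 out=$3
    tmp="$out.tmp.$$"
    (
        umask 077                      # new file is created as 0600
        cat "$key" "$cert" > "$tmp"    # '>' truncates; '>>' would append
    ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"                # replace within the same directory
}

# Return 0 if $1 looks like a usable bundle: exactly one private key,
# at least one certificate, and no group/other permission bits.
check_stunnel_pem() {
    pem=$1
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }
    # grep -c exits non-zero on a count of 0, so neutralise its status
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    perms=$(ls -ld "$pem" | cut -c5-10)   # group and other mode bits
    status=0
    [ "$keys" -eq 1 ]  || { echo "expected 1 private key, found $keys"; status=1; }
    [ "$certs" -ge 1 ] || { echo "no certificate block found"; status=1; }
    [ "$perms" = "------" ] || { echo "group/other can access $pem"; status=1; }
    return $status
}
```

Run build_stunnel_pem key.pem cert.pem /etc/stunnel/stunnel.pem as a user allowed to write to /etc/stunnel, then check_stunnel_pem /etc/stunnel/stunnel.pem before starting stunnel.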
Starting Stunnel
To start Stunnel
/etc/init.d/stunnel4 restart
Adding the keystore to our machine
First we convert cert.pem to a DER-encoded .crt file
openssl x509 -outform der -in cert.pem -out bbb-deskshare.crt
And move the output cert to your personal machine.
Now we need to add this cert to the Java keystore on every machine that wants to share deskshare over TLS.
For a Windows machine, navigate to your keytool directory
cd C:\Program Files (x86)\Java\jre1.8.0_45\bin
Please note that you might be using a different Java version.
And add the cert to your cacerts
keytool -import -alias "DeskshareCert" -file CERT_LOCATION -keystore ..\lib\security\cacerts
Replace CERT_LOCATION with the location of the cert on your machine.