Deskshare TLS over Stunnel

Overview

Sending the deskshare stream to the server over TLS adds security by making it harder for someone to eavesdrop on the stream. Note: This will not work if you set up HTTPS on BigBlueButton, as the two will conflict on port 443.

To achieve this, a new SSL termination proxy (Stunnel) needs to be added.

Architecture

Architecture Overview

You can also set up stunnel to terminate an RTMPS connection.

Client Changes

In the client config.xml file, locate the DeskShareModule module block. First change useTLS to true. Then make the publishURI parameter point to your stunnel server IP. We will go over how to install and configure stunnel later on this page.

Stunnel

Stunnel is an open-source multi-platform computer program, used to provide universal TLS/SSL tunneling service.

Installing Stunnel

apt-get update
apt-get upgrade

Then install the actual server

apt-get install stunnel4 -y

Configuring Stunnel Server

To enable automatic startup, edit the defaults file:

nano /etc/default/stunnel4

And change ENABLED to 1

ENABLED=1

Navigate to the stunnel directory

cd /etc/stunnel/

Then create the config file

touch stunnel.conf

We then edit the file and make it look like this. Don’t worry about the cert for now, we will get to that later.

; Log level: info = 6, debug = 7
debug = 7
output = stunnel.log

[deskShare-01]
accept=STUNNEL_HOST:443
connect=BIGBLUEBUTTON_HOST:9123
cert = /etc/stunnel/stunnel.pem

The first 3 lines enable logging. accept should point to the stunnel server itself, and connect should point to your BigBlueButton server. Do not change the ports if you did not change them on your BigBlueButton server.

Keys and Certs

If you already have your own key and cert, use those; then you only need to start stunnel and you will be ready, so jump to Starting Stunnel.

Otherwise, start by creating the private key for your stunnel.

openssl genrsa -out key.pem 2048

Then, using that key, we will create a public cert:

openssl req -new -x509 -key key.pem -out cert.pem -days 1095

Then we need to combine the contents of these 2 files into one file that stunnel will use.

cat key.pem cert.pem >> /etc/stunnel/stunnel.pem

You might have a permission issue; in that case just copy the contents manually.

touch stunnel.pem
cat key.pem cert.pem

Then paste the output into the file stunnel.pem.
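
Because stunnel.pem now holds the private key next to the certificate, it is worth confirming before the first start that the two actually belong together and that other users cannot read the file. The script below is an added example, not part of the original article; the function name check_stunnel_pem is an assumption, and it relies only on the standard openssl pkey and openssl x509 subcommands.

```sh
#!/bin/sh
# Added example: pre-flight check for the combined key+cert file that the
# "cert =" line in stunnel.conf points at (e.g. /etc/stunnel/stunnel.pem).

# check_stunnel_pem FILE
# Returns 0 when FILE contains a private key and a certificate that form a
# pair and FILE grants no access to group/other. Otherwise prints the reason
# on stderr and returns 1.
check_stunnel_pem() {
    csp_pem=$1
    [ -r "$csp_pem" ] || { echo "cannot read $csp_pem" >&2; return 1; }

    # Public key derived from the private key stored in the file.
    csp_key_pub=$(openssl pkey -in "$csp_pem" -pubout 2>/dev/null) ||
        { echo "no usable private key in $csp_pem" >&2; return 1; }

    # Public key embedded in the certificate stored in the same file.
    csp_cert_pub=$(openssl x509 -in "$csp_pem" -noout -pubkey 2>/dev/null) ||
        { echo "no usable certificate in $csp_pem" >&2; return 1; }

    # Different public keys mean the key and cert come from different pairs.
    [ "$csp_key_pub" = "$csp_cert_pub" ] ||
        { echo "private key does not match certificate in $csp_pem" >&2; return 1; }

    # Characters 5-10 of the mode string are the group and other bits;
    # all six must be "-" because the file contains the private key.
    csp_mode=$(ls -lLd -- "$csp_pem" | cut -c5-10)
    [ "$csp_mode" = "------" ] ||
        { echo "$csp_pem is accessible by group/other; chmod 600 it" >&2; return 1; }

    return 0
}

# Stand-alone use: sh check_stunnel_pem.sh /etc/stunnel/stunnel.pem
if [ "$#" -gt 0 ]; then
    check_stunnel_pem "$1" && echo "$1: key and certificate match, permissions OK"
fi
```

A failure on the permission check is fixed with chmod 600 on the file; a mismatch means key.pem and cert.pem were taken from different runs and the pair has to be regenerated or re-combined.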

Starting Stunnel

To start Stunnel:

/etc/init.d/stunnel4 restart

Adding the keystore to our machine

First we convert cert.pem to a DER-encoded .crt file:

openssl x509 -outform der -in cert.pem -out bbb-deskshare.crt

Then move the output cert to your personal machine.

Now we need to add this cert to the Java keystore on every machine that wants to use deskshare over TLS.

On a Windows machine, navigate to the directory containing keytool:

cd C:\Program Files (x86)\Java\jre1.8.0_45\bin

Please note that you might be using a different Java version.

Then add the cert to your cacerts:

keytool -import -alias "DeskshareCert" -file CERT_LOCATION -keystore ..\lib\security\cacerts

Replace CERT_LOCATION with the location of the cert on your machine.