Bug: SrsHttpxConn SSL Key&Cert config problem.
suzp1984 opened this issue · comments
Describe the bug
srs/trunk/src/app/srs_app_http_conn.cpp
Lines 382 to 387 in 427104f
SrsHttpxConn can be used as HTTP API and HTTP Server, for both plain and SSL connections. For the SSL connection, we can configure the SSL key & cert in this way.
Lines 7 to 28 in 427104f
And SrsConfig has APIs to get the key & cert.
srs/trunk/src/app/srs_app_config.hpp
Lines 1052 to 1053 in 427104f
srs/trunk/src/app/srs_app_config.hpp
Lines 1074 to 1075 in 427104f
But SrsHttpxConn is only calling get_https_stream_ssl_cert & get_https_stream_ssl_key, even for the HTTPS API connections.
Version
All SRS version.
To Reproduce
Steps to reproduce the behavior:
- configure the HTTPS API and HTTPS stream with different key & cert pairs.
- boot SRS.
Expected behavior
http_api.https.key | cert should be loaded correctly.
Additional context
I found this bug while trying to do #3701, and also found #4024.
Nice work, your work clearly describes how this bug occurs. You are correct, it's really a bug for the HTTPS API: get_https_api_ssl_key is not used. Could you please file a pull request to fix this issue?
yes, I will try.
Another problem of the SSL key & cert config is whether to configure the key & cert for SSL or for SSL_CTX.
https://www.openssl.org/docs/manmaster/man3/SSL_use_certificate_file.html
The SSL is generated from the SSL_CTX.
srs/trunk/src/app/srs_app_conn.cpp
Lines 743 to 754 in 5eb802d
In general, an SSL maps to a TCP connection. So each TCP connection can customize its SSL certificate; that's what SRS did.
srs/trunk/src/app/srs_app_conn.cpp
Lines 775 to 779 in 5eb802d
But it's overkill. The TCP connections sharing the same listen port at the server side have the same SSL key & cert; that's the usual case.
So the more general solution is to configure the key & cert for an SSL_CTX, via the APIs SSL_CTX_use_certificate_chain_file & SSL_CTX_use_PrivateKey_file, and share this SSL_CTX for all the SrsTcpConnections generated from the same SrsTcpListener.