Configure how Liberator handles direct client connections

This page describes how to configure Liberator’s interface for direct (RTTP over TCP/IP) connections from StreamLink clients.

To configure Liberator’s interface for StreamLink connections that are encapsulated in HTTP, HTTPS, and WebSocket protocols, see Configure how Liberator handles HTTP connections and Configure how Liberator handles HTTPS connections.

Direct connections are supported by all StreamLink libraries except for StreamLink JS. For more information on connection types, see StreamLink connection types.

Direct connections can also use TLS to provide greater security. The instructions below on setting up secure direct connections apply to Liberator 6.2 release and later, deployed using the Caplin Platform Deployment Framework release 6.2 and later.

Contents:

Configuring Liberator’s direct port and interface
Enabling secure (SSL) direct connections
Liberator’s TLS implementation
Configuring the direct SSL port number
Configuring the direct SSL network interface
Installing a TLS key and certificate
Configuring supported TLS protocol versions
Configuring supported TLS ciphers
Example Direct SSL configuration
TLS vulnerability testing
Generating a Diffie-Hellman parameters file for DHE ciphers
Seeding the OpenSSL random number generator
Configuring OpenSSL
Improving the security of direct connections
Further reading on TLS

Configuring Liberator’s direct port and interface

When you install Liberator to run under the Caplin Platform Deployment Framework, it’s automatically configured to use direct connections through a built-in Config blade called DirectConnection. The Liberator listens for direct connections on all available network interfaces, on port 14001.

This type of connection isn’t secure. In a production installation, use direct connections over SSL instead - see Enabling secure connections (SSL) below.

Configuring the direct port

By default, Liberator’s direct RTTP port is 14001. To change the direct port, redefine the LIBERATOR${THIS_LEG}_DIRECTPORT configuration variable in the Deployment Framework’s global_config/environment.conf file:

Setting Liberator’s direct RTTP port to 14051

define LIBERATOR${THIS_LEG}_DIRECTPORT 14051

Do not set the value of the configuration item direct-port directly. Redefine the LIBERATOR${THIS_LEG}_DIRECTPORT configuration variable instead.

Configuring the direct network interface

By default, Liberator’s direct and direct SSL server sockets are bound to all network interfaces on Liberator’s host. To bind Liberator’s direct server sockets to one or more network interfaces, redefine the LIBERATOR${THIS_LEG}_DIRECTINTERFACE configuration variable in the Deployment Framework’s global_config/environment.conf file:

Binding Liberator’s direct sockets to two network addresses

define LIBERATOR${THIS_LEG}_DIRECTINTERFACE 203.0.113.1 198.51.100.11

The configuration variable supports IPv6 addresses from version 7 of Liberator. To listen for connections on both the IPv4 and IPv6 address of a dual-stack network interface, assign both IP addresses to the macro.

Despite the name of the LIBERATOR${THIS_LEG}_DIRECTINTERFACE variable implying that it applies only to the non-SSL direct server socket, the variable applies to both the direct and direct SSL server sockets.

Do not set the value of the configuration item direct-interface directly. Redefine the LIBERATOR${THIS_LEG}_DIRECTINTERFACE configuration variable instead.

Enabling secure (SSL) direct connections

Liberator’s direct RTTP configuration is provided in two feature blades (config blades): DirectConnection and DirectSSLConnection.

The DirectConnection feature blade is activated by default.

To enable secure direct connections, follow the steps below:

Run the commands below to deactivate the DirectConnection blade and activate the DirectSSLConnection blade:
```
./dfw deactivate DirectConnection
./dfw activate DirectSSLConnection
```
Configure the direct SSL port number. See Configuring the direct SSL port number.
Configure the direct SSL network interface. See Configuring the direct SSL network interface.
Install an TLS key, password file, and certificate. See Installing a TLS key and certificate.
Configure TLS protocol support (you should also repeat this task periodically as part of a regular security review). See Configuring supported TLS protocol versions.
Configure TLS cipher support (you should also repeat this task periodically as part of a regular security review). See Configuring supported TLS ciphers.
Generate a Diffie-Hellman (DH) parameters file to allow Liberator to use ephemeral Diffie-Hellman (DHE) ciphers. See Generating a Diffie-Hellman parameters file for DHE ciphers.
If this is a production server, disable Liberator’s built-in administrator website:
```
./dfw deactivate LiberatorWebsite
./dfw activate MinimalLiberatorWebsite
```
If this is a production server, enable Liberator’s HTTPS interface too. See Configure how Liberator handles HTTPS connections for more information.

Liberator’s TLS implementation

Liberator uses OpenSSL to provide its implementation of TLS. The OpenSSL library is built-in to Liberator and is independent of the host system’s installation of OpenSSL.

To determine the version of OpenSSL bundled with a specific release of Liberator, see Liberator’s release notes or run the strings command on the Liberator binary and grep the output:

$ strings rttpd | grep -i '^openssl [0-9]'

Configuring the direct SSL port number

By default, Liberator’s direct SSL port is 14002.To change the port number, redefine the LIBERATOR${THIS_LEG}_DIRECTSSLPORT configuration variable in the <Framework-root>/global_config/environment.conf file:

Setting Liberator’s direct SSL port to 14052

define LIBERATOR${THIS_LEG}_DIRECTSSLPORT 14052

Do not set the value of the directssl-port configuration item directly. Redefine the LIBERATOR${THIS_LEG}_DIRECTSSLPORT configuration variable instead.

Configuring the direct SSL network interface

By default, Liberator’s direct SSL server socket is bound to all network interfaces on Liberator’s host. To bind Liberator’s direct SSL server socket to specific network interfaces, redefine the LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE configuration variable in the <Framework-root>/global_config/environment.conf file:

Binding Liberator’s direct SSL socket to two network interfaces

define LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE 203.0.113.1 198.51.100.11

Do not set the value of the directssl-interface configuration item directly. Redefine the LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE configuration variable instead.

Installing a TLS key and certificate

This section describes how to install a key, key password file, and certificate.

Default key and certificate paths

By default, the Deployment Framework (DFW) expects keys and certificates to be stored in the global_config/ssl directory. For convenience in writing configuration, the Deployment Framework sets a configuration variable SSLCERT_PATH to this directory.

For a full list of Deployment Framework configuration variables, see Configuration macros and items.

Liberator’s direct SSL feature blade configures default key and certificate locations as follows:

Default key, passphrase, and certificate paths
File	Configuration item	Default value
Certificate	`directssl-certificate`	`global_config/ssl/rttpd_https.pem`
Private key	`directssl-privatekey`	`global_config/ssl/rttpd_https.key`
Private-key passphrase	`directssl-passwordfile`	`global_config/ssl/rttpd_https.pwd`

To override the default paths, assign new paths to directssl-certificate, directssl-privatekey, and directssl-passwordfile in the Deployment Framework file global_config/overrides/servers/Liberator/etc/rttpd.conf.

Deprecation of certificates with MD5- and SHA1-based digital signatures

Certificates signed with an MD5 hash with RSA encryption have long been deprecated and some platforms and libraries no longer support them. The digital security industry now recommends using the SHA-2 family of hashing algorithms in digital signatures.

Liberator’s demonstration self-signed SSL certificate was re-issued with a SHA256-based digital signature in versions 6.2.23, 7.0.5, and 7.1.1 of Liberator. Liberator 7.1 continues to support certificates signed with an MD5 hashing algorithm, but support may be dropped in future.

StreamLink.NET 7.1 is compiled with .NET 4.6, which does not support certificates signed with the MD5 hashing algorithm.

To determine the digital signature algorithm used in a certificate, use OpenSSL’s x509 command to read the certificate and then grep the output:

Determining the digital signature algorithm in certificate 'rttpd_https.pem'

$ openssl x509 -in rttpd_https.pem -text -noout | grep -m1 'Signature Algorithm'
    Signature Algorithm: sha256WithRSAEncryption

Digital signature algorithms used in certificates
Algorithm	Status	Notes
md5WithRSAEncryption	Deprecated	Not supported by Caplin’s StreamLink.NET 7.1.
sha1WithRSAEncryption	Deprecated	See SHA1 Deprecation: What you need to know on the Qualys blog.
sha256WithRSAEncryption	Recommended

Installing certificates for development and testing

For the convenience of developers and software testers, Caplin ships a self-signed demonstration certificate with Liberator.

Do not use Caplin’s self-signed certificate in production.

In versions of the Deployment Framework prior to 7.0.2, the Deployment Framework automatically deploys Caplin’s self-signed certificate with Liberator if no keys and certificate exist for Liberator in the global_config/ssl directory.

From version 7.0.2 of the Deployment Framework, the Deployment Framework does not automatically deploy Caplin’s self-signed certificate with Liberator. To manually deploy the self-signed certificate, run the copy-ssl-demo-files Deployment Framework command:

./dfw copy-ssl-demo-files

When you first connect a web browser to a Liberator that presents Caplin’s self-signed certificate, your web browser will prompt you to trust the certificate.

Installing certificates for production use

Follow the instructions below to install a production certificate:

Follow the instructions provided by your chosen certificate authority (CA) to generate a certificate signing request (CSR) for your Liberator host. When generating the CSR, we recommend that you specify a SHA-2 hashing algorithm or stronger. See Deprecation of certificates with MD5- and SHA1-based digital signatures above.
When your CA delivers a signed certificate, rename the certificate, key, and passphrase files to Liberator’s default file names: rttpd_https.pem, rttpd_https.key, and rttpd_https.pwd.

If you don’t want to use Liberator’s default file names, edit <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf, and specify your own file names using the configuration items directssl-certificate, directssl-privatekey, and directssl-passwordfile.
Copy the private key, certificate, and pass phrase file to the <Framework-root>/global_config/ssl/ directory.

If the private key is unencrypted, the password file must be empty.

From Liberator 7.1.9: If the private key is unencrypted and you don’t want to deploy an empty password file, then set the configuration variable HTTPS_PASSWORD_FILE_REQUIRED to NO in the Deployment Framework file global_config/environment.conf.

Configuring supported TLS protocol versions

To specify which TLS protocol versions are supported by Liberator, use the directssl-ssl-options configuration item to disable protocol versions.

For guidance on choosing which TLS protocol versions to support, see Further reading on TLS below.

Default TLS protocol versions

The default TLS configuration is not updated regularly and is for your initial convenience only; it is not a security recommendation.

All protocols supported by the version of OpenSSL included with Liberator are enabled unless explicitly disabled by directssl-ssl-options.

Default TLS protocols
Liberator	SSL 2 ^*	TLS 1.1 ^‡	TLS 1.2	TLS 1.3
7.1.25	-
7.1.5	-
7.1.2	-			-
7.0.1				-
6.2.2				-
6.2.0		-	-	-

- Protocol not available
Protocol disabled (see directssl-ssl-options)
Protocol enabled
* The IETF prohibited SSL 2 in March 2011: RFC 6176
† The IETF deprecated SSL 3 in June 2015: RFC 7568
‡ The IETF deprecated TLS 1.0 and TLS 1.1 in March 2021: RFC 8996

Worked example

The configuration in this example is provided for illustrative purposes only, is not updated regularly, and does not constitute security advice. Review all TLS configuration before deploying to production, and schedule regular reviews thereafter.

Liberator 7.1.24’s TLS implementation supports SSL 3, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. By default, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are enabled on the Direct SSL interface (see Default TLS protocol versions, below).

To configure Liberator 7.1.24 so that only TLS 1.2 and TLS 1.3 are enabled on the Direct SSL interface, set directssl-ssl-options to disable SSL 3, TLS 1.0, and TLS 1.1:

directssl-ssl-options SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1

For a complete configuration example, see Example Direct SSL configuration below.

Configuring supported TLS ciphers

To specify which TLS 1.0, 1.1 and 1.2 ciphers are supported by Liberator, set directssl-cipher-list to an OpenSSL cipher list.

To specify which TLS 1.3 ciphers are supported by Liberator, set directssl-ciphersuites to an OpenSSL cipher list. This is an advanced configuration option and is not required to enable support for TLS 1.3.

For guidance on deciding which TLS ciphers to support, see Further reading on TLS below.

In accordance with the TLS specification, when choosing a cipher for a TLS connection, Liberator chooses the client’s most preferred cipher from among the ciphers they have in common. To reverse this default behaviour, set the SSL_OP_CIPHER_SERVER_PREFERENCE flag in directssl-ssl-options. To define Liberator’s cipher preference, order ciphers in directssl-cipher-list in descending order of preference, most preferred cipher first.

If your cipher list includes ephemeral Diffie-Hellman (DHE) ciphers, then configure the directssl-dhparams configuration item with the location of a valid Diffie-Hellman (DH) parameters file. If you fail to do so, Liberator silently drops DHE ciphers from its list of supported ciphers. See Generating a Diffie-Hellman parameters file for DHE ciphers.

Default cipher list

The default TLS configuration is not updated regularly and is for your initial convenience only; it is not a security recommendation.

Default value of directssl-cipher-list
Liberator	Default https-cipher-list
7.1.25	`TLSv1.2+ECDHE+AESGCM:TLSv1.2+ECDHE+AESCCM:TLSv1.2+ECDHE+CHACHA20:TLSv1.2+DHE+AESGCM:TLSv1.2+DHE+AESCCM:TLSv1.2+DHE+CHACHA20`
7.1.5	`ECDHE:DHE:!SSLv3:!SSLv2:@STRENGTH`
7.0.1	`DEFAULT:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA`
6.0.0	`DEFAULT`

From Liberator 7.1.5, only cipher suites that support forward secrecy (ECDHE and DHE) are enabled by default. DHE ciphers require a Diffie-Hellman parameters file, which is not distributed with Liberator (see Generating a Diffie-Hellman parameters file for DHE ciphers).

Preparing a cipher list

You can preview how Liberator’s OpenSSL will interpret a cipher list by using the openssl ciphers command. For accuracy, use a version of OpenSSL that matches the version of OpenSSL used by your version of Liberator (see Liberator’s TLS implementation).

For example, to expand the cipher list ECDHE+TLSv1.2 DHE+TLSv1.2 to individual cipher names, use the command below:

$ openssl ciphers -v 'ECDHE+TLSv1.2 DHE+TLSv1.2' | column -t

The openssl cipher command’s output uses OpenSSL cipher names, but security literature and vulnerability scanners often use IANA cipher names. To translate between the two naming schemes, refer to the table on Security: Cipher Suites on the Mozilla wiki.

Worked example

A Liberator has been configured to support only TLS versions 1.2 and 1.3:

directssl-ssl-options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1

In this example, we’ll construct an OpenSSL cipher list of TLS 1.2 ciphers. TLS 1.3 ciphers are automatically included by OpenSSL and do not need to be configured.

The Qualys SSL Labs recommendations at the time of writing (June 2022) state that the following cipher suites must be preferred:

AEAD (Authenticated Encryption with Associated Data) cipher suites: CHACHA20_POLY1305, AES with GCM, and AES with CCM
PFS (Perfect Forward Secrecy) ciphers: ECDHE_RSA, ECDHE_ECDSA, DHE_RSA, DHE_DSS, CECPQ1 and all TLS 1.3 ciphers

We’ll use the following OpenSSL cipher strings to construct our cipher list:

Cipher string Description

Cipher string	Description
`TLSv1.2`	All TLS 1.2 ciphers
`ECHDE`	All ciphers using authenticated ephemeral ECDH key agreement.
`DHE`	All ciphers using authenticated ephemeral DH key agreement.
`AESGCM`	All ciphers that use AES-GCM encryption
`AESCCM`	All ciphers that use AES-CCM encryption
`CHACHA20`	All ciphers that use ChaCha20 encryption

TLSv1.2

All TLS 1.2 ciphers

ECHDE

All ciphers using authenticated ephemeral ECDH key agreement.

DHE

All ciphers using authenticated ephemeral DH key agreement.

AESGCM

All ciphers that use AES-GCM encryption

AESCCM

All ciphers that use AES-CCM encryption

CHACHA20

All ciphers that use ChaCha20 encryption

We use the OpenSSL cipher-string logical AND (+) operator to combine the cipher strings into six subsets:

TLSv1.2+ECDHE+AESGCM
TLSv1.2+ECDHE+AESCCM
TLSv1.2+ECDHE+CHACHA20
TLSv1.2+DHE+AESGCM
TSLv1.2+DHE+AESCCM
TSLv1.2+DHE+CHACHA20

We then assign this list to directssl-ssl-ciphers:

directssl-ssl-ciphers "TLSv1.2+ECDHE+AESGCM TLSv1.2+ECDHE+AESCCM TLSv1.2+ECDHE+CHACHA20 TLSv1.2+DHE+AESGCM TLSv1.2+DHE+AESCCM TLSv1.2+DHE+CHACHA20"

In an OpenSSL cipher list, cipher strings can be separated by spaces or colons (:). We have used spaces for clarity. When separated by spaces, the cipher list must be enclosed in quotes.

For a complete configuration example, see Example Direct SSL configuration below.

Example Direct SSL configuration

The configuration in this section is provided for illustrative purposes only, is not updated regularly, and does not constitute security advice. Review all TLS configuration before deploying to production, and schedule regular reviews thereafter.

This example supports modern direct clients (defined as all clients with support for TLS 1.2 and above).

Features:

TLS protocols: TLS 1.2, TLS 1.3 (Liberator supports TLS 1.3 from Liberator 7.1.5)
TLS 1.3 ciphers: All mandatory ciphers
TLS 1.2 ciphers: Forward-secrecy ciphers (ECDHE, DHE) that implement AES-GCM, AES-CCM, or CHACHA20 encryption.
Diffie-Hellman parameters: 2048-bit

When the equivalent configuration for Liberator’s HTTPS interface was testing on Liberator 7.1.24 using the SSL Labs Server Test on 5 June 2022, the configuration below scored A+. View the SSL Labs report.

While the equivalent configuration for HTTPS achieved an SSL Labs score of A+ on 5 June 2022, ciphers may weaken over time and the configuration may not achieve that score today. Retest and review this configuration before considering deploying it to production.

# OpenSSL options
define SSL_OPTIONS "SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1"

# OpenSSL ciphers to include
define CIPHER_INCLUDES "ECDHE+TLSv1.2+AESGCM ECDHE+TLSv1.2+AESCCM ECDHE+TLSv1.2+CHACHA20 DHE+TLSv1.2+AESGCM DHE+TLSv1.2+AESCCM DHE+TLSv1.2+CHACHA20"

# OpenSSL ciphers to exclude
define CIPHER_EXCLUDES ""

directssl-ssl-options  "${SSL_OPTIONS}"
directssl-cipher-list  "${CIPHER_INCLUDES} ${CIPHER_EXCLUDES}"
directssl-dhparams     "${SSLCERT_PATH}/rttpd-dhparam-2048.pem"

OpenSSL option SSL_OP_NO_TLSv1_1 is supported by directssl-ssl-options from Liberator 7.1.3.

TLS vulnerability testing

Liberator’s DirectSSL interface is a TLS-protected RTTP server, not an HTTPS server. There are known issues when testing Liberator’s DirectSSL interface with TLS vulnerability tests designed for HTTPS servers, such as SSL Labs' SSL Server Test.

Liberator’s DirectSSL interface will fail tests that require the DirectSSL interface to respond to an HTTPS request. For example, the DirectSSL interface will fail tests for HTTP Strict Transport Security (HSTS).

Liberator’s HTTPS and DirectSSL interfaces both use the same built-in OpenSSL TLS stack. When testing TLS protocol and cipher configuration for the DirectSSL interface, we recommend that you test the same configuration on the HTTPS interface for comparison.

Generating a Diffie-Hellman parameters file for DHE ciphers

Ephemeral Diffie-Hellman ciphers (DHE) ciphers are supported by Liberator from version 6.2.14 and 7.0.1, but are not enabled by default.

DHE ciphers require a Diffie-Hellman (DH) parameter file. If you do not configure the directssl-dhparams configuration item with the location of a valid DH parameters file, Liberator silently removes DHE ciphers from its list of supported ciphers.

No DH parameters file is provided with Liberator; you must generate your own.

To generate a Diffie-Hellman (DH) parameters file, follow the steps below:

In the Deployment Framework’s global_config/ssl/ directory, run the command below:
```
$ openssl dhparam -out rttpd-dhparam-2048.pem 2048
```
This command can take a long time to complete.
Assign the location of the DH parameters file to the directssl-dhparams configuration item in the Deployment Framework’s global_config/overrides/servers/Liberator/etc/rttpd.conf file:
```
directssl-dhparams ${SSLCERT_PATH}/rttpd-dhparam-2048.pem
```

To test that a Liberator supports DHE ciphers, follow the steps below:

In the file global_config/overrides/servers/Liberator/rttpd.conf, assign a cipher string containing DHE ciphers to the directssl-cipher-list configuration item. For example:
```
directssl-cipher-list ECDHE+TLSv1.2:DHE+TLSv1.2
```
Restart Liberator
Run the command below to test connecting to Liberator using a DHE cipher. The example below tests connecting with the DHE-RSA-AES256-GCM-SHA384 cipher, one of the DHE ciphers included in OpenSSL’s TLS 1.2 cipher suite:
```
$ openssl s_client -cipher DHE-RSA-AES256-GCM-SHA384 -connect host:port
```

Seeding the OpenSSL random number generator

See How can I… Seed the OpenSSL random number generator.

Configuring OpenSSL

Liberator uses the OpenSSL software to implement the security policies for secure direct connections with clients. You can configure OpenSSL using the following DataSource configuration items, which are defined on the page DataSource Secure Sockets Layer (SSL) configuration:

When you change the configuration of OpenSSL, the new settings apply to all of Liberator’s secure (SSL) connections: Direct secure connections to clients, HTTPS connections and secure connections between Liberator and other DataSource applications.

Improving the security of direct connections

To resist attacks on your system, Liberator includes a configuration option called direct-max-line-length that limits the length of an RTTP message sent across a direct connection. If Liberator receives a message longer than that configured, it’ll reject it rather than reading it continuously until memory runs out.

The default setting for this item should be sufficient, but if you experience security problems, set it to a lower value. Add the new setting to the Deployment Framework file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf