Forum Discussion

Visitor

16 years ago

SSL Mutual Authentication of Video Streams

One possible security model for video stream access is to use the same SSL mutual authentication technique that we recommend for accessing feeds. (Other models might be randomized expiring URLs with just server side SSL encryption, or some sort of DRM). This post will cover the SSL mutual authentication technique using Apache along with the details of using openssl to generate some test certificates and use them to configure apache on the server side where your video may be stored. Finally, we will modify the simplevideoplayer example to play this secure video.

1) Create a Self-Signed CA (Certificate Authority) root Certificate
a) Create the CA private key (remember the password chosen):
sudo openssl genrsa -out /opt/openssl/testCA/CA/testCA.KEY
b) Create CA Certificate Request:
sudo openssl req -new -key /opt/openssl/testCA/CA/testCA.KEY -out /opt/openssl/testCA/CA/testCA.CSR
c) Self-sign the CA certificate:
sudo openssl x509 -req -days 3650 -in /opt/openssl/testCA/CA/testCA.CSR -out /opt/openssl/testCA/CA/testCA.CRT -signkey /opt/openssl/testCA/CA/testCA.KEY

2) OpenSSL Server Cert
a) Create the Web Server's key (remember the password chosen):
sudo openssl genrsa -des3 -out /opt/openssl/testCA/server/keys/testWEB.KEY
b) Create the Web Server's Cert Req:
sudo openssl req -new -key /opt/openssl/testCA/server/keys/testWEB.KEY -out /opt/openssl/testCA/server/requests/testWEB.CSR
c) Sign the Web Server's Cert Req with the CA Cert:
sudo openssl ca -in /opt/openssl/testCA/server/requests/testWEB.CSR -cert /opt/openssl/testCA/CA/testCA.CRT -keyfile /opt/openssl/testCA/CA/testCA.KEY \
-out /opt/openssl/testCA/server/certificates/testWEB.CRT

3) Install Cert in Apache
a) sudo mkdir /etc/httpd/certs
b) sudo cp /opt/openssl/testCA/server/certificates/testWEB.CRT /etc/httpd/certs
c) sudo cp /opt/openssl/testCA/server/keys/testWEB.KEY /etc/httpd/certs
d) sudo cp sudo cp /opt/openssl/testCA/CA/testCA.CRT /etc/httpd/certs
e) If you don't want to enter the passwd for testWEB every time Apache starts,
you can remove the passwd from the keyfile:
sudo cp /etc/httpd/certs/testWEB.KEY /etc/httpd/certs/testWEB.KEY.orig
sudo openssl rsa -in /etc/httpd/certs/testWEB.KEY.orig -out /etc/httpd/certs/testWEB.KEY
f) Edit /etc/httpd/conf.d/ssl.conf
# Configure your server cert:
SSLCertificateFile /etc/httpd/certs/testWEB.CRT
SSLCertificateKeyFile /etc/httpd/certs/testWEB.KEY

# Configure client cert authentication:
SSLCACertificateFile /etc/httpd/certs/cacert.pem # from roku sdk
SSLVerifyClient require
SSLVerifyDepth 1

g) Edit /etc/httpd/conf/httpd.conf:
# In <Directory> </Directory> tags where your video resides:
#
# Checking the x-roku-reserved-dev-id header value assures that it is
# your package trying to connect to this directory.
#
# You can find the dev-id of your brightscript package by going to the
# developer page on your Roku box, and selecting "Utilities".
# On the "Utilities" page, select "Choose File", enter the passwd for that pkg, and hit "Inspect"
# Copy the value for the "Dev ID:" parameter and paste it here:
SetEnvIf x-roku-reserved-dev-id 6bb22ba64125f6da56fa4b7d6f2199a970d06672 let_roku_in
SSLRequireSSL
Order Deny,Allow
Deny from all
Allow from env=let_roku_in

h) Restart Apache:
sudo service httpd restart

4) Place your video in your Apache directory configured in step 3.g) above.

5) Modify the simplevideoplayer application to access the secure video:
a) Add the testCA.CRT (The Certificate Authority cert) file to the
implevideoplayer/source directory.
b) In the appMain.brs:displyVideo() function, change the URL and video meta-data
to match the video you put on your server in step 4).
c) Right before the "video.SetContent(videoclip)" line, add the following calls:
video.Addheader("x-roku-reserved-dev-id","")
video.SetCertificatesFile("pkg:/source/testCA.CRT")
video.InitClientCertificates()

6) Test the authentication with and without the code in 5.c) above. If any of the three authentication methods above are ommitted you should get access denied. Note that you cannot successfully access the video until you've built a package, uploaded it to the channel store, and are running that channel via a channel code. A side-loaded developer app does not properly negotiate client certs or send the enforced dev-id value for the x-roku-reserved-dev-id header.

--Kevin

Roku Developer Program

20 Replies

bbefilms
Visitor
16 years ago
Thanks for the very detailed writeup Kevin; much appreciated.
Greg
fortscan
Visitor
16 years ago
Excellent post!

Any plans of adding DRM support? Or a piracy protection mechanism that is widely approved by film distributors so we can create a distribution channel for our clients?
joetesta
Roku Guru
15 years ago
Trying to follow this example but I can't get the streams to play over https even without requiring authentication.
The video plays in a browser just fine (albeit with an untrusted cert warning)
But when I try to connect to the https stream from the roku, it just goes back to the detail screen & nothing appears in the web server logs at all.
This is the debug output from roku:

Button pressed: 1 0
Displaying video:
srt = <UNINITIALIZED>
play failed: An unexpected problem (but not server timeout or HTTP error) has been detected.
Closing video screen

Should the video be able to play over https; does the cert need to be signed by a trusted authority?
thank you in advance,
joe
RokuKevin
Visitor
15 years ago
Your script needs to call SetCertificatesFile() and passed in PEM file needs to include the CA cert that signed the web server cert.

--Kevin
joetesta
Roku Guru
15 years ago
Thanks Kevin, I tried that again, with the same result.

here's what i have in simplevideoplayer now:

video.Addheader("x-roku-reserved-dev-id","")
video.SetCertificatesFile("pkg:/source/cacert.pem")
video.InitClientCertificates()
video.SetContent(videoclip)

For cacert.pem I tried using just my ca.crt and also tried adding my ca.crt to the pre-existing cacert.pem that came with SDK. Both gave the same result: no video and debug says "play failed: An unexpected problem (but not server timeout or HTTP error) has been detected."

I've tried publishing as a private channel and sideloading to see if i can get a video to play over https (in another thread you said it was possible to play sideloaded channels over https, but maybe i'm confused, because I can't get it to work). no luck.

joetesta

Roku Guru

15 years ago

Thanks very much Kevin.
When I issue the command:

openssl s_client -showcerts -connect 'yourServer.com:443'

I see in the response:

CONNECTED(00000003)
depth=1 /C=US/ST=California/L=MyCity/O=MyCo/CN=roku.mydomain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
-snip-
Verify return code: 19 (self signed certificate in certificate chain)

Would this be the problem? I believe I followed the instructions in the original post... Is there something I've done wrong?

RokuKevin
Visitor
15 years ago
Self signed certs are OK with Roku, as long as they are in your PEM file registered with SetCertificatesFile() . After clicking through the warning about "unrecognized CA Cert" of similar warning, are you able to make an SSL connection with your browser?
joetesta
Roku Guru
15 years ago
After clicking through the warning about "unrecognized CA Cert" of similar warning, are you able to make an SSL connection with your browser?

yes, the video plays in a browser just fine (albeit with an untrusted cert warning - ie, in chrome i see "https" with a red line through it and when i click on the lock i see that "Your connection is encrypted with 256-bit encryption" and "The identity of this website has not been verified")

For roku to connect to https, does the common name need to match? in other words my cert might have the CN as 'secure.mydomain.com' but then I access for testing via https://192.168.1.20 In the browser there is a warning but it still allows the connection.
RokuKevin
Visitor
15 years ago
Yes. The common name needs to match.

--Kevin
joetesta
Roku Guru
15 years ago
OK I started from the top, create the self-signed cert and server keys with my common name on a test domain pointed to my LAN ip, test in the browser & the video plays on the https common name link, still with the same warning "The identity of this website has not been verified".

I followed everything exactly through step 3f and left the "VerifyClient require" & "VerifyDepth" commented out of my conf file.

When I try to access the video hosted on the common name link with the simplevideoplayer app I got the same result from roku:
"play failed: An unexpected problem (but not server timeout or HTTP error) has been detected."

EDIT: I forgot to update my package 'video.SetCertificatesFile()' with the new keys from this new time around - i did that and it worked this time!

So (theoretically at least) it was failing the first time because of common name mismatch; and the 2nd time I just needed to update the keys - now I need to see if I get the actual security part to work...

Thanks very much for your patience helping me with this Kevin!

Forum Discussion

SSL Mutual Authentication of Video Streams

20 Replies

Recent Discussions

Developer Rev Share column in Sales Activity Report

Roku App Crashes Not Showing Stacktrace or Logs in VSC (Possibly After Recent Update)

AppDialogInitiate and AppDialogComplete help needed

Is pixel-level writing supported?

Mask image is not scaling on FHD resolution.