SSL-related technical assistance beyond this article, including the configuration of keys, certificates and other security infrastructure on your Orchid server is not covered by standard Orchid technical support. Please contact your IPConfigure Sales representative to inquire about IPConfigure professional services related to SSL deployment.
Enabling HTTPS and RTSPS
HTTPS (HTTP over SSL/TLS) and RTSPS (RTSP over SSL/TLS/SRTP) are available in Orchid versions 1.8.0 and later. By default, Orchid's web server uses the plain HTTP and RTSP protocols. To switch to the secure mode, you will need to edit your Orchid server's properties file and then restart Orchid:
- On Linux systems this file is typically located at /etc/opt/orchid_server.properties. For more information, see How to Edit a Configuration File in Linux and How to Restart Orchid in Linux.
- On Windows systems, this file is typically located at C:\Program Files\Orchid\bin\orchid_server.properties. For more information, see How to Edit a Configuration File in Windows and How to Restart Orchid in Windows.
Add (or modify) the following required configuration lines in your server's properties file:
- webserver.protocol = https
  You can change this value back to "http" to disable SSL.
- webserver.port = 443
  This configures Orchid to use the standard HTTPS port. You can use a number other than 443 if you would like to use a non-standard HTTPS port.
- rtsp.protocol = rtsps
  You can change this value back to "rtsp" to disable RTSPS.
- tls.key = {private key path}
  Filesystem path that points to your server's private key, encoded in PEM format. This file is typically generated using OpenSSL and must not be encrypted (no passphrase).
- tls.certificate = {certificate path}
  Filesystem path that points to your server's certificate (or certificate chain), encoded in PEM format. This file is typically issued by a bona fide Certificate Authority and may need to be prepended with the Authority's relevant intermediate certificates.
IMPORTANT: Windows file system paths using backslashes must be escaped with an extra backslash. For instance, the path to a TLS key must be specified similar to: C:\\path\\to\\my\\tls.key.
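Before restarting Orchid it is worth checking the properties file for the mistakes described above (an encrypted private key, a non-PEM file, a Windows path whose backslashes were not doubled). The following pre-flight checker is an added example, not IPConfigure's code; it assumes a simple "key = value" file format with "#" comment lines, and its sample PEM files are constructed placeholders containing headers only.

```python
import re
import tempfile
from pathlib import Path

REQUIRED = ("webserver.protocol", "webserver.port", "rtsp.protocol", "tls.key", "tls.certificate")

def parse_properties(text):
    """Minimal 'key = value' parser; '#' comment lines are an assumption about the format."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_orchid_tls(props):
    """Return a list of problems; an empty list means the TLS settings look usable."""
    problems = [f"missing required property {k}" for k in REQUIRED if k not in props]
    if props.get("webserver.protocol") not in ("http", "https"):
        problems.append("webserver.protocol must be http or https")
    if props.get("rtsp.protocol") not in ("rtsp", "rtsps"):
        problems.append("rtsp.protocol must be rtsp or rtsps")
    if not props.get("webserver.port", "").isdigit():
        problems.append("webserver.port must be a port number")
    for key, marker in (("tls.key", "PRIVATE KEY"), ("tls.certificate", "CERTIFICATE")):
        raw = props.get(key, "")
        if re.search(r"(?<!\\)\\(?!\\)", raw):  # lone backslash: Windows path not escaped
            problems.append(f"{key}: backslashes in Windows paths must be doubled")
        path = Path(raw.replace("\\\\", "\\"))
        if not path.is_file():
            problems.append(f"{key}: file not found: {raw}")
            continue
        pem = path.read_text(errors="replace")
        if "-----BEGIN " not in pem or marker not in pem:
            problems.append(f"{key}: file is not a PEM {marker.lower()}")
        elif key == "tls.key" and "ENCRYPTED" in pem:  # PKCS#8 or legacy Proc-Type header
            problems.append("tls.key: private key is encrypted; Orchid requires an unencrypted key")
    return problems

def run_demo():
    """Constructed placeholder PEM files (headers only, no real key material) and two configs."""
    d = Path(tempfile.mkdtemp())
    (d / "tls.key").write_text("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    (d / "enc.key").write_text("-----BEGIN ENCRYPTED PRIVATE KEY-----\nplaceholder\n-----END ENCRYPTED PRIVATE KEY-----\n")
    (d / "chain.pem").write_text("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
    base = "webserver.protocol = https\nwebserver.port = 443\nrtsp.protocol = rtsps\n"
    good = parse_properties(base + f"tls.key = {d / 'tls.key'}\ntls.certificate = {d / 'chain.pem'}\n")
    bad = parse_properties(base + f"tls.key = {d / 'enc.key'}\ntls.certificate = C:\\Orchid\\chain.pem\n")
    return check_orchid_tls(good), check_orchid_tls(bad)
```

To check a real installation, pass the contents of orchid_server.properties to parse_properties and then to check_orchid_tls; run_demo only exercises the checker against the constructed good and bad configurations.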
Advanced Configuration
The following SSL-related properties are optional and need not be specified in most installations:
- webserver.ssl.ciphers = HIGH:!SHA1:!SSLv3:!ADH:!LOW:!EXP:!MD5:@STRENGTH
  The value of this property specifies the supported ciphers in OpenSSL cipher-list notation.
- webserver.ssl.session_timeout = 60
  Sets the timeout (in seconds) of cached sessions on the server. A cached session is removed from the cache if it has not been used for the given number of seconds.
- webserver.ssl.extended_verification = false
  Enables or disables the automatic post-connection extended certificate verification.
- webserver.ssl.log_file = {log file path}
  If set, all OpenSSL errors are appended to the file at the specified filesystem path.
Self-Signed Certificates
Self-signed certificates may be used with the Orchid HTTPS server, but they are NOT compatible with Orchid's RTSPS server. If you are using a self-signed certificate to enable HTTPS in Orchid, you must leave the RTSP server in RTSP (not RTSPS) mode. Additionally, while the provisioning of self-signed certificates is not within the scope of regular Orchid technical support, the following guide may be helpful if you are provisioning your own self-signed certificates: https://help.ubuntu.com/lts/serverguide/certificates-and-security.html#generating-a-csr.