sergey-dryabzhinsky · mannyamorim · Feb 28, 2022 · Mar 4, 2022 · Mar 11, 2022 · Mar 27, 2022
diff --git a/doc/directives.md b/doc/directives.md
@@ -69,6 +69,13 @@ Table of Contents
  * [push](#push)
  * [push_reconnect](#push_reconnect)
  * [session_relay](#session_relay)
+ * [rtmp_relay_ssl_protocols](#rtmp_relay_ssl_protocols)
+ * [rtmp_relay_ssl_ciphers](#rtmp_relay_ssl_ciphers)
+ * [rtmp_relay_ssl_server_name](#rtmp_relay_ssl_server_name)
+ * [rtmp_relay_ssl_verify](#rtmp_relay_ssl_verify)
+ * [rtmp_relay_ssl_verify_depth](#rtmp_relay_ssl_verify_depth)
+ * [rtmp_relay_ssl_trusted_certificate](#rtmp_relay_ssl_trusted_certificate)
+ * [rtmp_relay_ssl_crl](#rtmp_relay_ssl_crl)
 * [Notify](#notify)
  * [on_connect](#on_connect)
  * [on_play](#on_play)
@@ -913,6 +920,8 @@ all local streams within application are pulled
 * start - start time in seconds
 * stop - stop time in seconds
 * static - makes pull static, such pull is created at nginx start
+* ssl_server_name - overrides rtmp_relay_ssl_server_name directive, values: on, off
+* ssl_verify - overrides rtmp_relay_ssl_verify directive, values: on, off
 
 If a value for a parameter contains spaces then you should use quotes around
 the **WHOLE** key=value pair like this : `'pageUrl=FAKE PAGE URL'`.
@@ -950,6 +959,71 @@ could possibly be created later. Default is off.
 session_relay on;
 ```
 
+#### rtmp_relay_ssl_protocols 
+Syntax: `rtmp_relay_ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];` 
+Context: rtmp, server, application 
+
+Enables the specified protocols for streams pushed/pulled to/from the RTMPS server. Default is TLSv1 TLSv1.1 TLSv1.2.
+```sh
+rtmp_relay_ssl_protocols TLSv1.2 TLSv1.3;
+```
+
+#### rtmp_relay_ssl_ciphers 
+Syntax: `rtmp_relay_ssl_ciphers ciphers;` 
+Context: rtmp, server, application 
+
+Specifies the enabled ciphers for for streams pushed/pulled to/from the RTMPS server. The ciphers are specified in the format understood by the OpenSSL library. Default is openssl `DEFAULT`. 
+
+The full list can be viewed using the `openssl ciphers` command. 
+```sh
+rtmp_relay_ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+```
+
+#### rtmp_relay_ssl_server_name 
+Syntax: `rtmp_relay_ssl_server_name on | off;` 
+Context: rtmp, server, application 
+
+Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the RTMPS server. Default is on. 
+```sh
+rtmp_relay_ssl_server_name on;
+```
+
+#### rtmp_relay_ssl_verify 
+Syntax: `rtmp_relay_ssl_verify on | off;` 
+Context: rtmp, server, application 
+
+Enables or disables verification of the RTMPS server certificate. Note you must set the rtmp_relay_ssl_trusted_certificate. Default is on. 
+```sh
+rtmp_relay_ssl_verify on;
+```
+
+#### rtmp_relay_ssl_verify_depth 
+Syntax: `rtmp_relay_ssl_verify_depth number;` 
+Context: rtmp, server, application 
+
+Sets the verification depth in the RTMPS server certificates chain. Default is 1. 
+```sh
+rtmp_relay_ssl_verify_depth 1;
+```
+
+#### rtmp_relay_ssl_trusted_certificate 
+Syntax: `rtmp_relay_ssl_trusted_certificate file;` 
+Context: rtmp, server, application 
+
+Specifies a file with trusted CA certificates in the PEM format used to verify the certificate of the RTMPS server. No default set. 
+```sh
+rtmp_relay_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+```
+
+#### rtmp_relay_ssl_crl 
+Syntax: `rtmp_relay_ssl_crl file;` 
+Context: rtmp, server, application 
+
+Specifies a file with revoked certificates (CRL) in the PEM format used to verify the certificate of the RTMPS server. No default set. 
+```sh
+rtmp_relay_ssl_crl /etc/ssl/certs/crl.crt;
+```
+
 ## Notify
 
 #### on_connect

diff --git a/ngx_rtmp.h b/ngx_rtmp.h
@@ -338,6 +338,8 @@ typedef struct ngx_rtmp_core_srv_conf_s {
 typedef struct {
  ngx_array_t applications; /* ngx_rtmp_core_app_conf_t */
  ngx_str_t name;
+ ngx_resolver_t *resolver;
+ ngx_msec_t resolver_timeout;
  void **app_conf;
 } ngx_rtmp_core_app_conf_t;
 
@@ -365,6 +367,7 @@ typedef struct {
 } ngx_rtmp_module_t;
 
 #define NGX_RTMP_MODULE 0x504D5452 /* "RTMP" */
+#define NGX_RTMP_SSL NGX_OPENSSL
 
 #define NGX_RTMP_MAIN_CONF 0x02000000
 #define NGX_RTMP_SRV_CONF 0x04000000

diff --git a/ngx_rtmp_core_module.c b/ngx_rtmp_core_module.c
@@ -24,6 +24,8 @@ static char *ngx_rtmp_core_listen(ngx_conf_t *cf, ngx_command_t *cmd,
  void *conf);
 static char *ngx_rtmp_core_application(ngx_conf_t *cf, ngx_command_t *cmd,
  void *conf);
+static char *ngx_rtmp_core_resolver(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
 
 
 ngx_rtmp_core_main_conf_t *ngx_rtmp_core_main_conf;
@@ -157,6 +159,20 @@ static ngx_command_t ngx_rtmp_core_commands[] = {
  offsetof(ngx_rtmp_core_srv_conf_t, buflen),
  NULL },
 
+ { ngx_string("resolver"),
+ NGX_RTMP_MAIN_CONF|NGX_RTMP_SRV_CONF|NGX_RTMP_APP_CONF|NGX_CONF_1MORE,
+ ngx_rtmp_core_resolver,
+ NGX_RTMP_APP_CONF_OFFSET,
+ 0,
+ NULL },
+
+ { ngx_string("resolver_timeout"),
+ NGX_RTMP_MAIN_CONF|NGX_RTMP_SRV_CONF|NGX_RTMP_APP_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_msec_slot,
+ NGX_RTMP_APP_CONF_OFFSET,
+ offsetof(ngx_rtmp_core_app_conf_t, resolver_timeout),
+ NULL },
+
  ngx_null_command
 };
 
@@ -308,6 +324,8 @@ ngx_rtmp_core_create_app_conf(ngx_conf_t *cf)
  return NULL;
  }
 
+ conf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
  return conf;
 }
 
@@ -318,8 +336,26 @@ ngx_rtmp_core_merge_app_conf(ngx_conf_t *cf, void *parent, void *child)
  ngx_rtmp_core_app_conf_t *prev = parent;
  ngx_rtmp_core_app_conf_t *conf = child;
 
- (void)prev;
- (void)conf;
+ ngx_conf_merge_msec_value(conf->resolver_timeout,
+ prev->resolver_timeout, 30000);
+
+ if (conf->resolver == NULL) {
+
+ if (prev->resolver == NULL) {
+
+ /*
+ * create dummy resolver in rtmp {} context
+ * to inherit it in all servers
+ */
+
+ prev->resolver = ngx_resolver_create(cf, NULL, 0);
+ if (prev->resolver == NULL) {
+ return NGX_CONF_ERROR;
+ }
+ }
+
+ conf->resolver = prev->resolver;
+ }
 
  return NGX_CONF_OK;
 }
@@ -743,3 +779,25 @@ ngx_rtmp_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 
  return NGX_CONF_OK;
 }
+
+
+static char *
+ngx_rtmp_core_resolver(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_rtmp_core_app_conf_t *cacf = conf;
+
+ ngx_str_t *value;
+
+ if (cacf->resolver) {
+ return "is duplicate";
+ }
+
+ value = cf->args->elts;
+
+ cacf->resolver = ngx_resolver_create(cf, &value[1], cf->args->nelts - 1);
+ if (cacf->resolver == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ return NGX_CONF_OK;
+}
diff --git a/ngx_rtmp_init.c b/ngx_rtmp_init.c
@@ -257,6 +257,15 @@ ngx_rtmp_close_connection(ngx_connection_t *c)
 
  ngx_log_debug0(NGX_LOG_DEBUG_RTMP, c->log, 0, "close connection");
 
+#if (NGX_RTMP_SSL)
+
+ if (c->ssl) {
+ c->ssl->no_wait_shutdown = 1;
+ (void) ngx_ssl_shutdown(c);
+ }
+
+#endif
+
 #if (NGX_STAT_STUB)
  (void) ngx_atomic_fetch_add(ngx_stat_active, -1);
 #endif