From: Maxim Solodovnik
Date: Mon, 21 Aug 2017 13:51:13 +0700
Subject: Re: [ANNOUNCE] HTTPS is now required
To: Openmeetings user-list

Works for me
What were your steps?

BTW no need to add site certificate to trusted certs in case you are having Root CA. Verified Root CA will successfully validate site cert

On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. wrote:

> No,
>
> It did not help.
>
> The client machine is Windows, the CA root certificate (crt) and the client self-signed certificate (p12) have been added into java via java control panel->security->manage certificates.
>
> The full error log is :
>
> ERROR 08-21 09:39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {}
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>         at sun.security.validator.Validator.validate(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>         at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>         at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>         at sun.security.ssl.Handshaker.process_record(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>         at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>         at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>         at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>         at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>         at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>         at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>         at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>         at org.red5.client.net.rtmps.RTMPTSClientConnector.openConnection(RTMPTSClientConnector.java:139)
>         at org.red5.client.net.rtmps.RTMPTSClientConnector.run(RTMPTSClientConnector.java:64)
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>         at java.security.cert.CertPathBuilder.build(Unknown Source)
>         ... 27 common frames omitted
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> No context named default was found!!
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Monday, August 21, 2017 8:45 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
> You can fix it by adding self-signed CA to the java/cacerts at the "client" machine (The machine Screen-sharing web-app is started)
>
> On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. wrote:
>
> Tunneling RTMPS
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Monday, August 21, 2017 5:56 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
> What type of SSL are you checking? "native" or "tunneled" ?
>
> On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. wrote:
>
> Hi Maxim,
>
> Screensharing with SSL does not work.
>
> Java outputs the next errors:
>
> ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {}
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> Where can the datastore for screensharing be placed and what is its file name?
> /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen ?
> Where should the password for this keystore be assigned?
>
> The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.properties files contain the following parameters:
>
> key="keystoreFile" value=......
> key="keystorePass" value=......
> key="truststoreFile" value=......
> key="truststorePass" value=......
>
> rtmps.keystorepass=xxxxx
> rtmps.keystorefile=conf/keystore.jks
> rtmps.truststorepass=xxxxx
> rtmps.truststorefile=conf/truststore.jks
>
> But for screensharing I could not find relevant information.
>
> Best regards,
> Nik
>
> *From:* Yakovlev N. [mailto:yakovlev_nd@krvostok.ru]
> *Sent:* Saturday, August 19, 2017 8:23 AM
> *To:* user@openmeetings.apache.org
> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>
> Hi Maxim,
>
> SSL is working fine.
>
> I found a mistake in http://openmeetings.apache.org/RTMPSAndHTTPS.html manual:
>
> All keytool commands must have the filename keystore.jks but not keystore without extension. :)
>
> This also applies to the filename truststore: it should be truststore.jks.
>
> Otherwise the names of keystore and truststore should be changed in /opt/red5/conf/red5.properties.
>
> Nik
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Saturday, August 19, 2017 7:23 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
> I'll try to check steps with self-signed cert and will report back
>
> On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. wrote:
>
> Hello Ramon,
>
> All the hope of Maxim….:)
>
> Nik
>
> *From:* Ramón Zárate Moedano [mailto:horco1@gmail.com]
> *Sent:* Saturday, August 19, 2017 2:22 AM
> *To:* user@openmeetings.apache.org
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
> Hello everyone ...
>
> i just cannot install SSL (from namecheap) ... this is beyond my skills.
>
> Is there someone who can help me with the installation in exchange for some money????
>
> Thanks in advance.
>
> 2017-08-18 1:23 GMT-05:00 Yakovlev N.:
>
> Hi Maxim,
>
> Thanks for reply.
>
> I've reinstalled two times certificates but ssl does not work.
>
> 1. Both certificates root-CA and client one were added into /etc/pki/ca-trust/extracted/java/cacerts (this place is for Centos) with commands:
>
> keytool -import -keystore cacerts -file red5.crt -alias red5
> keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root
>
> 2. As you recommend OM was started with red5-debug + option "-Djavax.net.debug=all"
>
> Logs have nothing while a ssl session was established.
>
> To exclude the impact of browsers, I tried to start up a session using telnet.
>
> Session to port 5080 (none ssl) were fixed in logs but sessions to 5443 did not.
>
> In this case, the netstat command shows ESTABLISHED status to port 5443.
>
> Firewall is off.
>
> According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two config files have to be changed:
>
> 1. Edit red5/conf/jee-container.xml file:
>    Comment Tomcat without SSL enabled section
>    UNComment Tomcat with SSL enabled section
>
> 2. Edit red5/webapps/openmeetings/public/config.xml and set
>    <protocol>https</protocol>
>    <red5httpport>5443</red5httpport>
>
> Are these changes enough or need more?
>
> Best regards,
> Nik
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Thursday, August 17, 2017 10:28 AM
> *To:* Openmeetings user-list
> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>
> Here is useful link
>
> I'm using these scripts (with some modifications) Chrome shows green icon :)
>
> https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
>
> On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik wrote:
>
> The steps on the site are for the "real" certificates ...
>
> 1) add certificate to trusted certs of Java
>
> means Java need to know about your certificate I'm using self-signed CA for testing and I'm adding it to
>
> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>
> Additionally I would recommend to run red5 using red5-debug and modify it by adding "*-Djavax.net.debug=all*" to see all SSL messages
>
> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. wrote:
>
> Hello Maxim,
> Don't worry that my question was missed because we all understand how much work you do.
> Your message made me return to the question of HTTPS for OM.
>
> So...
>
> > 1) add certificate to trusted certs of Java
>
> Lets see an output of command keytool:
>
> cd /opt/red5/conf
> keytool -list -keystore keystore
> Enter keystore password:
> xxxxx
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
> root, Aug 16, 2017, trustedCertEntry,
> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>
> Is it OK?
> > 2) add certificate to trusted certs of browser (icon should be green)
> Done
>
> > 3) correctly create red5 keystore/truststore
> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
> truststore is a copy of keystore
> OK?
>
> Maxim, I would like to draw on one detail.
> A simple way to test of a SSL-connection is to use the next command:
> openssl s_client -connect FQDN:port
> For example,
> openssl s_client -connect www.mail.ru:443,
> openssl s_client -connect www.ya.ru:443
> and so on.
> This way does not use browsers and allows to test ssl-connections at a lower level than using browsers.
> This command does not work and hangs for my OM as I wrote before and I think that the question is not in the types of certificates (trusted or selfsigned ones).
> But where is the problem? I don't know yet...
>
> Nik
>
> -----Original Message-----
> From: Maxim Solodovnik [mailto:solomax666@gmail.com]
> Sent: Wednesday, August 16, 2017 5:51 PM
> To: Openmeetings user-list
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> Hello Nik,
>
> I'm trying to answer all emails, sorry if I missed yours :(
> To make self-signed certificate work with red5 you MUST
> 1) add certificate to trusted certs of Java
> 2) add certificate to trusted certs of browser (icon should be green)
> 3) correctly create red5 keystore/truststore
>
> to provide further help I need your detailed steps
>
> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. wrote:
> > Hi Andreas,
> > OK, your opinion is your opinion and I respect it.
> > We speak about an internal OM service but not about the world one...
> > I understand the trusted certificates are more preferable but in my case unnecessary I think.
> > I'm not sure blacklists are my cases...
> >
> > Nik
> >
> > -----Original Message-----
> > From: df8oe@gmx.de [mailto:df8oe@gmx.de]
> > Sent: Wednesday, August 16, 2017 4:18 PM
> > To: user@openmeetings.apache.org
> > Subject: Re: [ANNOUNCE] HTTPS is now required
> >
> > Hi Nik,
> >
> > sorry - I cannot agree to your "I cannot agree". Most email client programs do check certificates and deny connections if certificate is not trusted. May be 5% will work - but 95% will not (and tomorrow percentage is higher than today). I can not recommend to use any self-signed certificate (except for internal tasks). Additionally maybe you are added to blacklists if you are "on the air" using a self-signed certificate.
> >
> > Best regards
> > Andreas
> >
> > On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
> >> I don't agree.
> >> I use selfsigned certificates on other corporate services successfully (mail, cloud and so on).
> >> Yes, browsers ask questions but this is no problem. In this case such certificates must be added as trusted ones.
> >>
> >> Nik
> >>
> >> -----Original Message-----
> >> From: df8oe@gmx.de [mailto:df8oe@gmx.de]
> >> Sent: Wednesday, August 16, 2017 3:44 PM
> >> To: user@openmeetings.apache.org
> >> Subject: Re: [ANNOUNCE] HTTPS is now required
> >>
> >> Self-signed will not be accepted by most browsers and will not work. The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
> >>
> >> Try certificates from lets encrypt - they are free ;)
> >>
> >> Best regards
> >> Andreas
> >>
> >> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
> >> > Hi, Maxim!
> >> > I have some problems with SSL and no ideas to solve them.
> >> > Five months ago I asked community how to install SSL on OM but nobody answered.
> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT )
> >> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me.
> >> > No any errors in logs, browser hangs and shows an empty page.
> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the left bottom side.
> >> > The "openssl s_client -connect vkc.krvostok.ru:5443" command hangs also and outputs only one line: CONNECTED(00000003).
> >> > Firewall is off, tcp-5443 port is listening on the OM host.
> >> >
> >> > Is there any roadmap of using selfsigned certificates for OM?
> >> >
> >> > Best regards
> >> > Nik
> >> >
> >> > -----Original Message-----
> >> > From: Maxim Solodovnik [mailto:solomax666@gmail.com]
> >> > Sent: Wednesday, August 16, 2017 7:23 AM
> >> > To: Openmeetings user-list
> >> > Subject: [ANNOUNCE] HTTPS is now required
> >> >
> >> > Hello All,
> >> >
> >> > Google developers are trying to move WWW to HTTPS
> >> > To force this transition they restrict features available to HTTP sites in Chrome/Chromium
> >> > Latest restriction is: Camera and microphone will not be available to JS/Flash code for HTTP sites: proof:
> >> >
> >> > "Microphone and Camera access no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
> >> >
> >> > So please set up HTTPS for your OM site to prevent camera/microphone issues.
> >> >
> >> > --
> >> > WBR
> >> > Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
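The remark at the top of this message, that a trusted root CA is enough to validate the site certificate, can be checked offline with throwaway certificates. This is an added example, not part of the original thread: `openssl verify` stands in for the Java PKIX validator, the `-CAfile` argument plays the role of the client JVM's cacerts, and every CA and host name is constructed.

```bash
#!/bin/sh
# Added illustration: every CA, key and host name below is constructed for this demo.
# `openssl verify` stands in for the Java PKIX validator, and the -CAfile
# argument plays the role of the client JVM's cacerts trust store.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: create a self-signed root CA (NAME.key / NAME.crt).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed $1 root" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_site CA HOST: create a key and CSR for HOST, then sign it with CA.
issue_site() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 2 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# path_valid ANCHOR HOST: exit status 0 only when HOST's certificate chains
# to ANCHOR. Only ANCHOR.crt is trusted; the site certificate never is.
path_valid() {
    openssl verify -no-CApath -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# report ANCHOR HOST: print the outcome in the terms used in the thread.
report() {
    if path_valid "$1" "$2"; then
        echo "trust store = $1 only: $2 -> certification path found"
    else
        echo "trust store = $1 only: $2 -> unable to find valid certification path"
    fi
}

make_root om-ca        # the CA that signs the site certificates
make_root other-ca     # an unrelated CA: models a trust store that lacks om-ca
issue_site om-ca om.example.test
issue_site om-ca screen.example.test

report om-ca om.example.test        # root trusted, site cert never imported
report om-ca screen.example.test    # second site needs no new trust entry
report other-ca om.example.test     # root missing: the failure in the log above
```

On the Java side the equivalent of the first case is the `keytool -import ... -trustcacerts -file ca.crt` step quoted in the thread, run against the trust store of the JVM that actually opens the connection.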
Works for me

What were your steps?

BTW no need to add site certificate to trusted certs i= n case you are having Root CA. Verified Root CA will successfully validate = site cert

On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. <yakovlev_nd@krvost= ok.ru> wrote:

= No,

It did not help.

The client machine is Wind= ows, the CA root certificate (crt) and the client self-signed certificate (= p12) =C2=A0have been added into java =C2=A0via =C2=A0java control panel->= ;security->manage certificates.

=C2=A0

The f= ull error log is=C2=A0 :

=C2=A0

ERROR 08-21 09:= 39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {}

sun.s= ecurity.validator.ValidatorException: PKIX path building failed: sun.s= ecurity.provider.certpath.SunCertPathBuilderException: unable to = find valid certification path to requested target

<= p class=3D"MsoNormal">=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0 at sun.security.validator.PKIXValidator.doBuild(Unknown Source)=

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at sun.security.validator.PKIXValida= tor.engineValidate(Unknown Source)

=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at su= n.security.validator.Validator.validate(Unknown Source)<= /span>

= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0 at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at sun.security.ssl.X= 509TrustManagerImpl.checkTrusted(Unknown Source)<= /p>

=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 at sun.security.ssl.X509TrustManagerImpl.checkServerTru= sted(Unknown Source)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)

=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 at sun.security.ssl.ClientHandshaker.processMessage(= Unknown Source)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at sun.security.ssl.Handsh= aker.processLoop(Unknown Source)

=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at su= n.security.ssl.Handshaker.process_record(Unknown Source)=

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 at sun.security.ssl.SSLSocketImpl.readRecord(U= nknown Source)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at sun.security.ssl.SSLS= ocketImpl.performInitialHandshake(Unknown Source)

= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0 at sun.security.ssl.SSLSocketImpl.startHandshake(= Unknown Source)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at sun.security.ssl.S= SLSocketImpl.startHandshake(Unknown Source)

=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.create= LayeredSocket(SSLConnectionSocketFactory.java:396)<= /span>

= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0 at org.apache.http.conn.ssl.SSLConnectionSocketFactory= .connectSocket(SSLConnectionSocketFactory.java:355)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 at org.apache.http.impl.conn.DefaultHttpClientCo= nnectionOperator.connect(DefaultHttpClientConnectionOperator= .java:142)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientCon= nectionManager.java:359)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at org.apache.= http.impl.execchain.MainClientExec.establishRoute(MainClientExec.= java:381)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at org.apache.http.impl.= execchain.MainClientExec.execute(MainClientExec.java:237)<= u>

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 at org.apache.http.impl.execchain.ProtocolExe= c.execute(ProtocolExec.java:185)

=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at or= g.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)=

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at org.apache.http.impl.client.Inter= nalHttpClient.doExecute(InternalHttpClient.java:185)

=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 at org.apache.http.impl.client.CloseableHttpClient.execut= e(CloseableHttpClient.java:118)

=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at org.a= pache.http.impl.client.CloseableHttpClient.execute(CloseableHttpC= lient.java:56)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at org.red5.client.net.rtmps.= RTMPTSClientConnector.openConnection(RTMPTSClientConnector.j= ava:139)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at org.red5.client.net.rtmps.= RTMPTSClientConnector.run(RTMPTSClientConnector.java:64)

Caused by: sun.security.provider.certpath.SunCertPathBuilde= rException: unable to find valid certification path to requested target<= /u>

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0 at sun.security.provider.certpath.SunCertP= athBuilder.build(Unknown Source)

=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at su= n.security.provider.certpath.SunCertPathBuilder.engineBuild(Unkno= wn Source)

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 at java.security.cert.CertP= athBuilder.build(Unknown Source)

=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ... 27 comm= on frames omitted

sun.security.validator.ValidatorExcept= ion: PKIX path building failed: sun.security.provider.certpath.Su= nCertPathBuilderException: unable to find valid certification path to reque= sted target

No context named default was found!!

From= : Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent:= Monday, August 21, 2017 8:45 AM
To: Openmeetings user-list
Subject: Re: [ANNOUNCE] HTTPS is now required

=

=C2=A0

= You can fix it by adding self-signed CA to the=C2=A0java/cacerts at the &qu= ot;client" machine (The machine Screen-sharing web-app is started)<= /u>

=C2=A0

On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <= yakovlev_nd@kr= vostok.ru> wrote:

= Tunneling RTMPS

=C2=A0

From: Maxim Solo= dovnik [mailto:so= lomax666@gmail.com]
Sent: Monday, August 21, 2017 5:56 AM


To: Openm= eetings user-list
Subject: Re: [ANNOUNCE] HTTPS is now required

=C2=A0<= u>

What type of SSL are you checking? &q= uot;native" of "tunneled" ?

=C2=A0

On S= un, Aug 20, 2017 at 10:45 AM, Yakovlev N. <yakovlev_nd@krvostok.ru> wrote:

Hi Maxim,

Screensharing with SSL does not work.<= /span>

=C2=A0

Java outputs the next errors:

ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {= }

sun.security.validator.ValidatorException: PKIX path b= uilding failed: sun.security.provider.certpath.SunCertPathBuilder= Exception: unable to find valid certification path to requested target

=C2=A0

Where can be place the datastore for screen= sharing and what its file name?

/opt/red5/conf/keystore.= screen.jks or /opt/red5/conf/keystore.screen ?

Where should b= e assigned =C2=A0the password for this keystore?

=C2=A0

The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.= properties files contain the following parameters:

=

=C2=A0

key=3D"keystoreFile" value=3D......

key= =3D"keystorePass" value=3D......

key=3D"trusts= toreFile" value=3D......

key=3D"truststorePass"= ; value=3D......

=C2=A0

rtmps.keystorepass=3Dx= xxxx

rtmps.keystorefile=3Dconf/keystore.jks

rtmps.truststorefile=3Dconf/truststore.jks

=C2=A0

But for screensharing = I could not find relevant information.

=C2=A0

Best regards,

Nik=

= =C2=A0

From: Yakovlev N. [mailto:yakovlev_nd@krvostok.ru= ]
Sent: Saturday, August 19, 2017 8:23 AM
To: user@openmeeting= s.apache.org
Subject: RE: [ANNOUNCE] HTTPS is now required

=C2=A0

Hi M= axim,

SSL is working fine.

I found a mistake = in =C2=A0http://openmeetings.apache.org/RTMPSAndHTTPS.html ma= nual:

All=C2=A0 keytool commands must have the filename =C2= =A0=C2=A0keystore.jks =C2=A0=C2=A0=C2=A0but none keystore without extension= . =C2=A0J

This also applies to the filename t= ruststore:=C2=A0 it should be truststore.jks.

=C2=A0

Otherwise the names of kestore and truststore should be changed in /o= pt/red5/conf/red5.properties.

=C2=A0

Nik

=C2=A0

From: Maxim Sol= odovnik [mailto:solomax666@gmail.com]
Sent: Saturday, August 19, 2017 = 7:23 AM
To: Openmeetings user-list
Subject: Re: [ANNOUN= CE] HTTPS is now required

=C2=A0

I'll try to check steps with self-signed cert and will report back

=C2=A0

<= div>

On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. &l= t;yakovlev_nd@= krvostok.ru> wrote:

Hello Ramon,

All = the hope of Maxim=E2=80=A6.:)

=C2=A0

=

Nik=

=C2=A0

From: Ram=C3=B3n Z=C3=A1rate Moedano [mailto:horco1@gmail.com]
= Sent: Saturday, August 19, 2017 2:22 AM


To: user@openmeetings.apache.org
S= ubject: Re: [ANNOUNCE] HTTPS is now required

=C2=A0

Hello everyone ...

=C2=A0

i just cannot= install SSL (from namecheap) ... this is beyond my skills.

=C2=A0

Is there someone who can help me with the installat= ion in exchange for some money????

=C2=A0

Thanks= in advance.

=C2= =A0

=C2=A0=

=C2=A0

2017-08-18 1:23 GMT-05:00 Yakovlev N. <yakovlev_nd@krvostok.ru>:

Hi Maxim,

Thanks for reply.=

I've reinstalled two times certificates but ssl does not work.

1. Both certificates root-CA and client one were added into /etc= /pki/ca-trust/extracted/java/cacerts (this place is for Centos) with c= ommands:

keytool -import -keystore cacerts -file red5.crt -al= ias red5

keytool -import -keystore cacerts -trustcacerts -fil= e ca.crt -alias root

2. As you recommend OM was started with = red5-debug + option "-Djavax.net.debug=3Dall"=C2=A0

To e= xclude the impact of browsers, I tried to start up a session using telnet.<= /span>

Session to port 5080 (none ssl) were fixed in loggs but ses= sions to 5443 did not.

In this case, the netstat command show= s ESTABLISHED status to port 5443.

Firewall is off.=

According to http://openmeetings.apache.org/RTMPSAndHTTPS.ht= ml two config files have to be changed:

1. Edit red5/conf= /jee-container.xml file:

=C2=A0=C2=A0 Comment Tomcat without = SSL enabled section

=C2=A0=C2=A0 UNComment Tomcat with SSL en= abled section

2. Edit red5/webapps/openmeetings/public/= config.xml and set

=C2=A0=C2=A0 <protocol>https</pro= tocol>

=C2=A0=C2=A0 <red5httpport>5443</red5= httpport>

Are these changes enough or need more?=

=C2=A0

Best regards,

Nik<= /u>

=C2= =A0

From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Thursday, August 17, 2017 10:28 AM
To: Openmeetings user-list
Subject: Re: [ANNOUNCE] HTTPS is now required

Here is useful link

I'm using these scripts (with some modifications) Chrome shows green icon :)

https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288

On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <solomax666@gmail.com> wrote:

The steps on the site are for the "real" certificates ...

1) add certificate to trusted certs of Java

means Java needs to know about your certificate I'm using self-signed CA for testing and I'm adding it to

/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts

Additionally I would recommend to run red5 using red5-debug and modify it by adding "-Djavax.net.debug=all" to see all SSL messages

On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <yakovlev_nd@krvostok.ru> wrote:

Hello Maxim,

Don't worry that my question was missed because we all understand how much work you do.
Your message made me return to the question of HTTPS for OM.

So...

1) add certificate to trusted certs of Java

Let's see an output of command keytool:

cd /opt/red5/conf
keytool -list -keystore keystore
Enter keystore password:
xxxxx
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
root, Aug 16, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45

Is it OK?

2) add certificate to trusted certs of browser (icon should be green)
Done

3) correctly create red5 keystore/truststore
Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
truststore is a copy of keystore
OK?

Maxim, I would like to draw on one detail.
A simple way to test an SSL connection is to use the next command:
openssl s_client -connect FQDN:port
For example,
openssl s_client -connect www.mail.ru:443,
openssl s_client -connect www.ya.ru:443
and so on.
This way does not use browsers and allows to test ssl-connections at a lower level than using browsers.
This command does not work and hangs for my OM as I wrote before and I think that the question is not in the types of certificates (trusted or selfsigned ones).
But where is the problem? I don't know yet...

Nik

-----Original Message-----
From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Wednesday, August 16, 2017 5:51 PM
To: Openmeetings user-list
Subject: Re: [ANNOUNCE] HTTPS is now required

Hello Nik,

I'm trying to answer all emails, sorry if I missed yours :(
To make self-signed certificate work with red5 you MUST
1) add certificate to trusted certs of Java
2) add certificate to trusted certs of browser (icon should be green)
3) correctly create red5 keystore/truststore

to provide further help I need your detailed steps

On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <yakovlev_nd@krvostok.ru> wrote:
> Hi Andreas,
> OK, your opinion is your opinion and I respect it.
> We speak about an internal OM service but not about the world one...
> I understand the trusted certificates are more preferable but in my case unnecessary I think.
> I'm not sure blacklists are my cases...
>
> Nik
>
> -----Original Message-----
> From: df8oe@gmx.de [mailto:df8oe@gmx.de]
> Sent: Wednesday, August 16, 2017 4:18 PM
> To: user@openmeetings.apache.org
> Subject: Re: [ANNOUNCE] HTTPS is now required
>
> Hi Nik,
>
> sorry - I cannot agree to your "I cannot agree". Most email client programs do check certificates and deny connections if certificate is not trusted. May be 5% will work - but 95% will not (and tomorrow percentage is higher than today). I can not recommend to use any self-signed certificate (except for internal tasks). Additionally maybe you are added to blacklists if you are "on the air" using a self-signed certificate.
>
> Best regards
> Andreas
>
> On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
>> I don't agree.
>> I use selfsigned certificates on other corporate services successfully (mail, cloud and so on).
>> Yes, browsers ask questions but this is no problem. In this case such certificates must be added as trusted ones.
>>
>> Nik
>>
>> -----Original Message-----
>> From: df8oe@gmx.de [mailto:df8oe@gmx.de]
>> Sent: Wednesday, August 16, 2017 3:44 PM
>> To: user@openmeetings.apache.org
>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>
>> Self-signed will not be accepted by most browsers and will not work. The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
>>
>> Try certificates from lets encrypt - they are free ;)
>>
>> Best regards
>> Andreas
>>
>> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
>> > Hi, Maxim!
>> > I have some problems with SSL and no ideas to solve them.
>> > Five months ago I asked community how to install SSL on OM but nobody answered.
>> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT)
>> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me.
>> > No any errors in logs, browser hangs and shows an empty page.
>> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the left bottom side.
>> > The "openssl s_client -connect vkc.krvostok.ru:5443" command hangs also and outputs only one line: CONNECTED(00000003).
>> > Firewall is off, tcp-5443 port is listening on the OM host.
>> >
>> > Is there any roadmap of using selfsigned certificates for OM?
>> >
>> > Best regards
>> > Nik
>> >
>> > -----Original Message-----
>> > From: Maxim Solodovnik [mailto:solomax666@gmail.com]
>> > Sent: Wednesday, August 16, 2017 7:23 AM
>> > To: Openmeetings user-list
>> > Subject: [ANNOUNCE] HTTPS is now required
>> >
>> > Hello All,
>> >
>> > Google developers are trying to move WWW to HTTPS. To force this transition they restrict features available to HTTP sites in Chrome/Chromium. Latest restriction is: Camera and microphone will not be available to JS/Flash code for HTTP sites: proof:
>> >
>> > "Microphone and Camera access no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
>> >
>> > So please set up HTTPS for your OM site to prevent camera/microphone issues.
>> >
>> > --
>> > WBR
>> > Maxim aka solomax



--
WBR
Maxim aka solomax
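
Added example, not part of the original thread and not OpenMeetings or red5 code: a shell check over `keytool -list` output like the listing quoted above. It tells a store that holds a PrivateKeyEntry (what a TLS server keystore needs) from one that holds only trustedCertEntry items (what importing certificates under new aliases leaves behind). The function names, sample listings, aliases and fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Read `keytool -list` output on stdin; print "type<TAB>alias" per entry.
keystore_entries() {
    awk '
    match($0, /, *(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),? *$/) {
        type = substr($0, RSTART)   # e.g. ", PrivateKeyEntry,"
        gsub(/[, ]/, "", type)      # -> "PrivateKeyEntry"
        alias = $0
        sub(/,.*/, "", alias)       # text before the first comma
        print type "\t" alias
    }'
}

# A server keystore needs at least one PrivateKeyEntry (key plus certificate).
has_private_key() {
    keystore_entries | grep -q '^PrivateKeyEntry'
}

# A truststore needs certificates only; succeed when no private key is present.
is_cert_only() {
    ! keystore_entries | grep -q '^PrivateKeyEntry'
}

# Constructed sample: a store with a server key pair and its CA certificate.
sample_server_store() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

server.example.test, Aug 16, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
root, Aug 16, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
EOF
}

# Constructed sample: a store after two certificate imports under new aliases.
sample_imported_store() {
cat <<'EOF'
Your keystore contains 2 entries

red5, Aug 18, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
root, Aug 18, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
EOF
}

sample_server_store | keystore_entries
sample_imported_store | has_private_key || echo "imported store: certificates only, no private key"
```

Against a real store, pipe `keytool -list -keystore <file>` into `has_private_key` or `is_cert_only` instead of the sample functions.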
