OpenMeetings SSL setup

Google Chrome is now said to have a 70% share. Chrome is strict about security and awkward to use: when a page wants to use geolocation, the camera or the microphone from the browser, Chrome no longer allows it unless the server is SSL-enabled! Firefox, Pale Moon and SeaMonkey still allow it, but they will presumably follow Chrome before long. The nogiriya.com server has been moved to SSL, so along with that I made OpenMeetings, which uses the camera and microphone for web conferencing, run over SSL as well. What follows is my memo; OpenMeetings v3.0.6.

The OpenMeetings SSL setup followed these two sites:
Using OpenMeetings with RTMPS and HTTPS
http://www.refogar.com/plataformacacumen/apache_openmeetings/webapps/openmeetings/docs/RTMPSAndHTTPS.html
https://openmeetings.apache.org/RTMPSAndHTTPS.html
The text of those sites is quoted below.

C:\WINDOWS\system32> cd\
C:\> cd red5
C:\red5> cd conf
C:\red5\conf> c:\Apache\bin\openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile root.crt -certfile intermediate.crt
Enter Export Password:
Verifying - Enter Export Password:
C:\red5\conf> cd\
C:\> keytool -importkeystore -srcstorepass 私のパスワード -srckeystore red5/conf/red5.p12 -srcstoretype PKCS12 -deststorepass 私のパスワード -destkeystore red5/conf/keystore.jks -alias red5
キーストアred5/conf/red5.p12をred5/conf/keystore.jksにインポートしています...
Warning: JKSキーストアは独自の形式を使用しています。"keytool -importkeystore -srckeystore red5/conf/keystore.jks -destkeystore red5/conf/keystore.jks -deststoretype pkcs12"を使用する業界標準の形式であるPKCS12に移行することをお薦めします。
C:\> keytool -importkeystore -srckeystore red5/conf/keystore.jks -destkeystore red5/conf/keystore.jks -deststoretype pkcs12
ソース・キーストアのパスワードを入力してください:
別名red5のエントリのインポートに成功しました。
インポート・コマンドが完了しました: 1件のエントリのインポートが成功しました。0件のエントリのインポートが失敗したか取り消されました
Warning: "red5/conf/keystore.jks"がNon JKS/JCEKSに移行されました。JKSキーストアは"red5/conf/keystore.jks.old"としてバックアップされます。
C:\> keytool -import -alias intermed -keystore red5/conf/keystore.jks -trustcacerts -file red5/conf/intermediate.crt
キーストアのパスワードを入力してください:
証明書は、別名のキーストアにすでに存在します
追加しますか。[いいえ]: y
証明書がキーストアに追加されました
C:\> cd red5
C:\red5> cd conf
C:\red5\conf> c:\apache\bin/openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
Enter Export Password:
Verifying - Enter Export Password:
C:\red5\conf> keytool -importkeystore -srcstorepass 私のパスワード -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass 私のパスワード -destkeystore /red5/conf/keystore.jks -alias red5
キーストアred5.p12を/red5/conf/keystore.jksにインポートしています...
既存のエントリの別名red5が存在しています。上書きしますか。[いいえ]: y
C:\red5\conf> keytool -import -alias root -keystore /red5/conf/keystore.jks -keypass 私のパスワード -trustcacerts -file ca.crt
キーストアのパスワードを入力してください:
証明書は、別名のキーストアにすでに存在します
追加しますか。[いいえ]: y
証明書がキーストアに追加されました
C:\red5\conf> cp /red5/conf/keystore.jks /red5/conf/truststore.jks
C:\red5\conf>

Edit red5/webapps/openmeetings/public/config.xml and set <rtmpsslport>5443</rtmpsslport>, <useSSL>yes</useSSL> and <proxyType>none</proxyType>.

nogiriya.com's config.xml looks like this, for reference (only the element values survived here; the tags were lost).
from here ↓
nogiriya.com nogiriya.com 1935 5443 yes 5443 https none Apache OpenMeetings http://openmeetings.apache.org https://issues.apache.org/jira/browse/OPENMEETINGS 0 openmeetings /openmeetings/ n hidden 0 h263 30 16384 0 85 90 22 128 true 2400 1200 userModerate roomModerate flexibleConferenceRoom restrictedConferenceRoom interviewConferenceRoom
to here ↑

In webapps/openmeetings/WEB-INF/conf/axis2.xml add, below the existing http transportReceiver (around line 225), the https transportReceiver entry for port 443 (only the value 443 survived here).

nogiriya.com's axis2.xml looks like this, for reference.
from here ↓
443
to here ↑

Change the passwords in /red5/conf/red5.properties:
rtmps.keystorepass=私のパスワード
rtmps.truststorepass=私のパスワード
jmx.keystorepass=私のパスワード

Set up SSL according to the "SSL for the web interface" section.
Set up RTMPS according to the "Tunneling RTMPS" or "Native RTMPS" section.
Restart the OM service or the whole OM server.
Now the OM server is ready to accept SSL connections.

Steps for client machines
Windows-specific steps are marked with (**)
(**) Add the ca.crt certificate as trusted into the CA list on all Windows PCs at the system level (certmgr.msc applet)
Add the ca.crt certificate as trusted into Chrome/Firefox if they are used
Add the ca.crt certificate into ${JAVA_HOME}/lib/security/cacerts with the keytool utility on a PC that organizes screen sharing
(**) For example, Java Version 8 Update 144 has been installed on a Windows machine at the default location path.
Copy ca.crt to a folder: c:\ca.crt
Start a command line interface as administrator: runas /user:AdminAccount cmd.exe
Enter the admin password
Change to the bin directory of Java: cd "c:\Program Files\Java\jre1.8.0_144\bin"
Import ca.crt into the keystore: keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
Enter the password of the keystore: changeit

SSL for the web interface
Please perform the following steps if you want to use SSL for the web interface. This is mainly to secure the server against MITM attacks; additionally, some other features like file uploads also use a plain HTTP connection if this is not done. The following instructions assume that you have already set up RTMPS successfully.
Edit the red5/conf/jee-container.xml file:
Comment out the "Tomcat without SSL enabled" section
Uncomment the "Tomcat with SSL enabled" section
Restart red5 and try to connect to https://your.server:5443 - you should be redirected to the OpenMeetings app and all access should be via HTTPS and/or RTMPS (close port 5080 to be sure).
Set up RTMPS

Tunneling RTMPS
HTTPS needs to be enabled, otherwise tunneling will not work (it can be set up using a frontend nginx/apache as well).
In Administration->Configuration set
flash.secure = true
flash.secure.proxy = none
Restart red5 and try to connect - your connection should now be made via RTMPS (close port 1935 to be sure).

Native RTMPS
The default RTMPS port is 8443; you can change it by editing red5/conf/red5.properties and changing the port here:
rtmps.port=8443
Please set rtmps.keystorepass=password and rtmps.truststorepass=password (password = the password you set on your new keystore(s)).
Additionally you need to set rtmps.screen.keystorepass=screenpassword (screenpassword = the password you set on your keystore for the screen-sharing application).

nogiriya.com's red5.properties looks like this, for reference.
from here ↓
# Socket policy
policy.host=0.0.0.0
policy.port=843
# HTTP
http.host=0.0.0.0
http.port=5080
https.port=5443
http.URIEncoding=UTF-8
http.max_keep_alive_requests=-1
http.max_threads=20
http.acceptor_thread_count=10
http.processor_cache=20
# RTMP
rtmp.host=0.0.0.0
rtmp.port=1935
rtmp.io_threads=16
rtmp.send_buffer_size=65536
rtmp.receive_buffer_size=65536
rtmp.ping_interval=1000
rtmp.max_inactivity=60000
rtmp.max_handshake_time=5000
rtmp.tcp_nodelay=true
rtmp.tcp_keepalive=false
rtmp.default_server_bandwidth=10000000
rtmp.default_client_bandwidth=10000000
rtmp.client_bandwidth_limit_type=2
rtmp.bandwidth_detection=false
rtmp.encoder_base_tolerance=5000
rtmp.encoder_drop_live_future=false
# traffic optimization hinting.
# to disable, set the traffic class to -1
# low delay + high throughput == 24 (0x18)
rtmp.traffic_class=-1
# requested maximum length of the queue of incoming connections
rtmp.backlog=32
# the interval (seconds) between each throughput calculation
rtmp.thoughput_calc_interval=15
# enable use of the default mina acceptor
rtmp.default_acceptor=true
# socket i/o pool sizes used when default acceptor is disabled
rtmp.initial_pool_size=0
rtmp.max_pool_size=2
rtmp.max_processor_pool_size=16
rtmp.executor_keepalive_time=60000
mina.logfilter.enable=false
# scheduler configs (per connection)
rtmp.scheduler.pool_size=2
# adjust this as needed if you get tasks rejected
rtmp.executor.queue_capacity=32
# maximum amount of time allotted to process a single rtmp message / packet in milliseconds
rtmp.max_handling_time=2000
# RTMPS
rtmps.host=0.0.0.0
rtmps.port=443
rtmps.ping_interval=5000
rtmps.max_inactivity=60000
rtmps.max_keep_alive_requests=-1
rtmps.max_threads=20
rtmps.acceptor_thread_count=2
rtmps.processor_cache=20
# RTMPS Key and Trust store parameters
rtmps.keystorepass=私のパスワード
rtmps.keystorefile=conf/keystore.jks
rtmps.truststorepass=私のパスワード
rtmps.truststorefile=conf/truststore.jks
# RTMPT
rtmpt.host=0.0.0.0
rtmpt.port=8088
rtmpt.ping_interval=5000
rtmpt.max_inactivity=60000
rtmpt.max_handshake_time=5000
rtmpt.max_keep_alive_requests=-1
rtmpt.max_threads=20
rtmpt.acceptor_thread_count=2
rtmpt.processor_cache=20
rtmpt.encoder_base_tolerance=5000
rtmpt.encoder_drop_live_future=true
# better setting for streaming media
rtmpt.target_reponse_size=32768
# best setting for small messages or shared objects
#rtmpt.target_reponse_size=8192
# max incoming messages to process at a time.
# the most that FP appears to send is 166
rtmpt.max_in_msg_process=166
# max time in millis that we will wait when offering data to the in or out queue
rtmpt.max_queue_offer_time=125
# max offer attempts
rtmpt.max_queue_offer_attempts=4
# Debug proxy (needs to be activated in red5-core.xml)
proxy.source_host=127.0.0.1
proxy.source_port=1936
proxy.destination_host=127.0.0.1
proxy.destination_port=1935
# JMX
jmx.rmi.host=localhost
## jmx.rmi.port=9999  this port is used by the network camera, so it was changed to 9997
jmx.rmi.port=9997
jmx.rmi.sport=9998
jmx.rmi.port.remoteobjects=
jmx.keystorepass=私のパスワード
jmx.mina.monitor.enable=false
jmx.mina.poll.interval=1000
jmx.registry.create=true
jmx.reuse.existing.server=true
# Server properties
# max events to send in a single update
so.max.events.per.update=64
so.scheduler.pool_size=4
keyframe.cache.entry.max=500
war.deploy.server.check.interval=600000
fileconsumer.delayed.write=true
fileconsumer.queue.size=21
subscriberstream.buffer.check.interval=5000
subscriberstream.underrun.trigger=100
broadcaststream.auto.record=false
to here ↑

Edit the red5/conf/red5-core.xml file:
Uncomment the RTMPS section
In Administration->Configuration set
flash.secure = true
flash.secure.proxy = best

nogiriya.com's red5-core.xml looks like this, for reference (only the element values survived here).
from here ↓
${rtmp.host}:${rtmp.port}
${rtmps.host}:${rtmps.port}
to here ↑

C:\Program Files\Java\jdk\bin>keytool -import -alias root -keypass ../lib/security/cacerts -file c:/red5/conf/ca.crt
キーストアのパスワードを入力してください:
新規パスワードを再入力してください:
所有者: OU=Apache xxxxx Distribution Test Certificate, O=Apache xxxxx Distribution Test Certificate, ST=Some-State, C=DE
発行者: OU=Apache xxxxx Distribution Test Certificate, O=Apache xxxxx Distribution Test Certificate, ST=Some-State, C=DE
シリアル番号: abxxxxxxxxxxxx91
有効期間の開始日: Fri Apr 06 09:21:34 JST 2012 終了日: Sat Apr 04 09:21:34 JST 2020
証明書のフィンガプリント:
MD5: 0B:C1:xx:19:xx:E6:xx:4E:xx:71:xx:B6:xx:0E:xx:CE
SHA1: 55:xx:B1:xx:8A:xx:9D:xx:CA:xx:82:xx:88:xx:F3:xx:AC:xx:21:3A
SHA256:
22:63:xx:D4:41:xx:E4:93:xx:8E:EE:xx:0D:2F:xx:7A:EB:xx:6C:9C:xx:EE:60:xx:E7:BB:xx:24:23:xx:47:EE
署名アルゴリズム名: SHA1withRSA
サブジェクト公開鍵アルゴリズム: 1024ビットRSA鍵
バージョン: 1
この証明書を信頼しますか。 [いいえ]: y
証明書がキーストアに追加されました
C:\Program Files\Java\jdk\bin>

Note the prompt sequence in this transcript: "キーストアのパスワードを入力してください" followed by "新規パスワードを再入力してください" (re-enter the new password) means keytool created a new default keystore instead of opening cacerts, because the cacerts path was passed to -keypass rather than -keystore. With -keystore ../lib/security/cacerts the prompt asks for the existing password (changeit) and the certificate lands in the Java trust store that the screen-sharing PC needs.

Restart red5 and try to connect - your connection should now be made via RTMPS (close port 1935 to be sure).

Incidentally, here is how to open and block ports on Windows 10.
Control Panel
↓
Security and Maintenance: click "Security" → Network firewall → click "Open Windows Security"
↓
Firewall & network protection → click "Advanced settings" (on Windows 7: Windows Firewall →)
↓
Click "Inbound Rules" and "Outbound Rules" → click "New Rule" on the right
↓
The rule type dialog appears; choose open or block for the port as appropriate. For the OpenMeetings SSL setup, block ports 5080 and 1935.
↓
OK

Setting up a different set of allowed ciphers
In case you would like to specify a different set of allowed ciphers you need to
Open conf/jee-container.xml using your favorite text editor
Go to "Tomcat with SSL enabled" -> "tomcat.server" -> "connectors" -> "httpsConnector" -> "connectionProperties"
Add the following entry

nogiriya.com's jee-container.xml looks like this, for reference (only the element values survived here).
from here ↓
localhost:8081
to here ↑

Please check this JIRA issue for more information
Credits
Thanks to Nexus, Holger Rabbach and Yakovlev Nick for their help and contribution to configuration and documentation!
Note that the nogiriya.com server runs Apache v2.4.37 with OpenSSL v1.1.1a. Many sites have published pages on setting up SSL, so please refer to those.
Incidentally, nogiriya.com's Apache\conf\httpd.conf is as follows (the <Directory>, <IfModule> and similar container tags were lost in extraction; only the directives remain).
#
Define SRVROOT "/Apache"
ServerRoot "${SRVROOT}"
Define ENABLE_TLS13 "Yes"
Listen 80
#LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule auth_form_module modules/mod_auth_form.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule cache_socache_module modules/mod_cache_socache.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule data_module modules/mod_data.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule dumpio_module modules/mod_dumpio.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule filter_module modules/mod_filter.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#LoadModule http2_module modules/mod_http2.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule logio_module modules/mod_logio.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule lua_module modules/mod_lua.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule md_module modules/mod_md.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_http2_module modules/mod_proxy_http2.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
#LoadModule reflector_module modules/mod_reflector.so
#LoadModule remoteip_module modules/mod_remoteip.so
#LoadModule request_module modules/mod_request.so
#LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_crypto_module modules/mod_session_crypto.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule speling_module modules/mod_speling.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule status_module modules/mod_status.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule version_module modules/mod_version.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule watchdog_module modules/mod_watchdog.so
#LoadModule xml2enc_module modules/mod_xml2enc.so
User daemon
Group daemon
ServerAdmin xxxx@nogiriya.com
ServerName nogiriya.com:80
AllowOverride none
Require all denied
DocumentRoot "z:/yyyyy/xxxxx"
Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride None
Require all granted
DirectoryIndex index.html
Require all denied
ErrorLog "logs/error.log"
LogLevel warn
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
CustomLog "logs/access.log" common
#CustomLog "logs/access.log" combined
ScriptAlias /www/ "z:/yyyyy/xxxxx/"
#Scriptsock logs/cgisock
AllowOverride None
Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
Require all granted
TypesConfig conf/mime.types
#AddType application/x-gzip .tgz
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddHandler cgi-script .cgi .pl
#AddHandler type-map var
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
#MIMEMagicFile conf/magic
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#MaxRanges unlimited
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on
#AcceptFilter http none
#AcceptFilter https none
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
Include conf/extra/httpd-info.conf
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
Include conf/extra/httpd-proxy-html.conf
# Secure (SSL/TLS) connections
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
#Include conf/extra/httpd-ssl.conf
Include conf/extra/httpd-**ssl.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
ProtocolsHonorOrder On
Protocols h2 h2c http/1.1
to here ↑

Apache\conf\extra\httpd-**ssl.conf
The two SSLProtocol/SSLCipherSuite groups below are presumably the ENABLE_TLS13 and !ENABLE_TLS13 alternatives of the stock file (their <IfDefine> containers were lost in extraction); since httpd.conf sets Define ENABLE_TLS13 "Yes", the first group, TLSv1.2 + TLSv1.3, is the one in effect, and the TLSv1.1 group is not.
from here ↓
Listen 443 https
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
SSLProxyCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
SSLHonorCipherOrder On
SSLPassPhraseDialog builtin
#SSLSessionCache "dbm:${SRVROOT}/logs/ssl_scache"
SSLSessionCache "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" env=HTTPS
##
## SSL Virtual Host Context
##
SSLEngine on
ServerName localhost:443
SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
DocumentRoot "z:/yyyyy/xxxxx"
CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride AuthConfig Limit FileInfo
Require all granted
SSLEngine on
ServerName nogiriya.com:443
SSLCertificateFile "${SRVROOT}/conf/ssl/red5.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/red5.key"
DocumentRoot "z:/yyyyy/xxxxx"
CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride AuthConfig Limit FileInfo
Require all granted
to here ↑

Apache\conf\extra\httpd-vhosts.conf
from here ↓
#
# Virtual Hosts
#
ServerName nogiriya.com
ServerAdmin xxxx@nogiriya.com
DocumentRoot "z:/yyyyy/xxxxx"
Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride None
Require all granted
ProxyPreserveHost on
RewriteEngine on
### RewriteCond %{HTTP:Upgrade} !=websocket [NC]
### RewriteRule /(.*) http://nogiriya.com:5080/$1 [P,L]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
ProxyPassReverse / http://nogiriya.com:5080/
ProxyPassReverse /openmeetings/wicket/ ws://nogiriya.com:5080/openmeetings/wicket/
ErrorLog "logs/openmeetings-error.log"
CustomLog "logs/openmeetings-access.log" combined
SSLEngine on
ServerName nogiriya.com:443
SSLCertificateFile "${SRVROOT}/conf/ssl/red5.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/red5.key"
DocumentRoot "z:/yyyyy/xxxxx"
CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride AuthConfig Limit FileInfo
Require all granted
to here ↑

The following site was extremely helpful for the OpenMeetings SSL setup; thank you very much.
Reference site: ろっひー
https://ameblo.jp/yoshihirow/entry-12344533766.html
A four-part series:
・From installing OpenMeetings to the proxy settings (around 3.0.5 to 3.2.1)
・Settings for running OpenMeetings over SSL (3.3.0 and later)
・Running OpenMeetings behind a proxy anyway (dangerous)
・Upgrading OpenMeetings & Chromium and Flash
At the moment I could not find any other Japanese-language page on setting up SSL.
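As an added example (not from this blog or from the Apache project), the following script lints the SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder directives of an httpd-ssl.conf fragment like the one above: it evaluates SSLProtocol tokens the way mod_ssl does, reports legacy protocol versions, checks that the OpenSSL cipher string keeps the exclusions the page's configuration uses, and flags remaining CBC/SHA-1 suites. The sample fragment is constructed to carry both SSLProtocol variants seen on the page.

```python
"""Lint the TLS directives of an Apache mod_ssl config fragment.
Added example, not from the blog or the Apache project: it evaluates
SSLProtocol the way mod_ssl does and checks the OpenSSL cipher string."""
import re

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Exclusion tokens a hardened OpenSSL cipher string should carry.
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!MD5", "!RC4", "!3DES", "!LOW", "!EXP"}


def parse_ssl_protocol(value):
    """Apply SSLProtocol tokens in order: '+' adds, '-' removes, bare replaces."""
    enabled = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def lint_cipher_suite(value):
    """Findings for one SSLCipherSuite value (optional 'SSL'/'TLSv1.3' selector)."""
    words = value.split(None, 1)
    selector = words[0] if len(words) == 2 and words[0] in ("SSL", "TLSv1.3") else ""
    if selector == "TLSv1.3":  # TLS 1.3 suites are AEAD-only; nothing to exclude
        return []
    tokens = (words[1] if selector else value).split(":")
    findings = []
    missing = REQUIRED_EXCLUSIONS - {t for t in tokens if t.startswith("!")}
    if missing:
        findings.append("missing exclusions: " + " ".join(sorted(missing)))
    # Suites ending in '-SHA' are CBC mode with HMAC-SHA1: legacy, not AEAD.
    cbc_sha1 = [t for t in tokens if t.endswith("-SHA")]
    if cbc_sha1:
        findings.append("CBC/SHA-1 suites enabled: " + " ".join(cbc_sha1))
    return findings


def lint_config(text):
    """Lint every SSLProtocol/SSLCipherSuite/SSLHonorCipherOrder line in text."""
    findings, honor_order = [], False
    for line in text.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.*\S)", line)  # commented lines never match
        if not m:
            continue
        directive, value = m.groups()
        if directive == "SSLProtocol":
            legacy = parse_ssl_protocol(value) & LEGACY_PROTOCOLS
            if legacy:
                findings.append("legacy protocols enabled: " + " ".join(sorted(legacy)))
        elif directive == "SSLCipherSuite":
            findings.extend(lint_cipher_suite(value))
        elif directive == "SSLHonorCipherOrder":
            honor_order = value.lower() == "on"
    if not honor_order:
        findings.append("SSLHonorCipherOrder is not On")
    return findings


# Constructed fragment carrying both SSLProtocol variants seen on the page.
SAMPLE = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```

Run it against the real httpd-**ssl.conf after stripping the <IfDefine> container you do not use; on the page's own file it would report the TLSv1.1 group and the two CBC/SHA-1 suites (ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA).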