December 25, 2014

SSL support for HLS, MPEG-DASH, Icecast, MPEG-TS and SLDP

Secure streaming is required in several scenarios in our customers' environments, which is why we are working on implementing a security feature set. One of the high-demand features is SSL streaming for HLS, MPEG-DASH, MPEG-TS, Icecast, progressive download and SLDP via Nimble Streamer. In this case streams are available over the HTTPS protocol stack.

The Nimble Streamer team has implemented this feature.

To set up HTTPS streaming, you need to generate an SSL certificate first. This is done separately and you can read articles here to see an example of such activity. Usually SSL certificates are purchased from a provider like GoDaddy, and these companies provide plenty of information about this process.

In this article we assume:
  • you already have a certificate for further setup,
  • your certificate and its key are located on your server and
  • they are ready for further usage.

You will need to change the Nimble Streamer settings to make it work for your media streaming. These settings are stored in the /etc/nimble/nimble.conf file.

Add the following parameters:

  • ssl_port - the port number for SSL connections;
  • ssl_certificate - the full path to the certificate located on your server;
  • ssl_certificate_key - the full path to the certificate key located on your server;
  • ssl_certificate_key_pass - if your certificate key is encrypted, specify its password here. This is an optional parameter, so if you don't use encryption, just don't add it to the config;
  • ssl_protocols - specifies which SSL protocols are used.

ssl_protocols takes a list of protocols separated by spaces, e.g.
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2

The full list is: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2. The default protocols are TLSv1, TLSv1.1 and TLSv1.2.

By default, Nimble Streamer handles connections via the port specified in the "port" parameter of the config. Usually it's port 8081. If you need Nimble Streamer to handle connections via SSL only, set this parameter to 0, like this:
port = 0

If it has some other value, Nimble still handles streaming connections through 2 ports, via both HTTP and HTTPS. If you remove the "port" parameter, Nimble will use the default value "8081".

Here's an example of SSL config parameters:
ssl_port = 443
ssl_certificate = /etc/nimble/
ssl_certificate_key = /etc/nimble/
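
A check that can be run on the edited file before restarting, added here as an example (not Softvelum's code): it parses the parameters listed above and reports plain HTTP left enabled, missing certificate settings, a key password kept in the config, and enabled protocol versions that are now deprecated (SSLv2, SSLv3, TLSv1, TLSv1.1). The "#" comment handling, the function names and the sample certificate paths are assumptions.

```python
# Added example: audit Nimble Streamer SSL settings (not Softvelum's code).
import sys

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # deprecated protocol versions
PAGE_DEFAULTS = "TLSv1 TLSv1.1 TLSv1.2"           # defaults stated in the article

def parse_conf(text):
    """Parse 'key = value' lines; skipping '#' comment lines is an assumption."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings for the SSL parameters described above."""
    conf, findings = parse_conf(text), []
    for key in ("ssl_port", "ssl_certificate", "ssl_certificate_key"):
        if not conf.get(key):
            findings.append(f"{key} is not set; HTTPS streaming is not fully configured")
    # A missing "port" falls back to 8081, so plain HTTP stays enabled.
    port = conf.get("port", "8081")
    if port != "0":
        findings.append(f"plain HTTP is still served on port {port}; set port = 0 for SSL only")
    protocols = conf.get("ssl_protocols", PAGE_DEFAULTS).split()
    legacy = sorted(LEGACY.intersection(protocols))
    if legacy:
        findings.append("legacy protocols enabled: " + " ".join(legacy))
    if "ssl_certificate_key_pass" in conf:
        findings.append("key password is stored in the config; restrict read access to the file")
    return findings

# Constructed sample input; the certificate paths are placeholders.
SAMPLE = """\
port = 8081
ssl_port = 443
ssl_certificate = /etc/nimble/example.crt
ssl_certificate_key = /etc/nimble/example.key
ssl_protocols = SSLv3 TLSv1 TLSv1.2
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE
    for finding in audit(text):
        print("WARN:", finding)
```

Run it with the path to nimble.conf as the only argument; with no argument it audits the constructed sample.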

To apply the config changes, restart Nimble by running:
sudo service nimble restart

You can read more about Nimble Streamer parameters in this reference article.

With these settings you can stream SLDP, MPEG-DASH, HLS, Icecast, MPEG-TS and progressive download via HTTPS.

If you need more sophisticated protection for HLS, please consider using HLS AES-128 DRM encryption supported by Nimble.


Some browsers or client software may fail to recognize your certificate even though it's valid. In this case you may need to get the SSL certificate chain (root and intermediate certificates) combined into a single .crt file and use that file with Nimble Streamer. If you use Linux, you can do that by concatenating both files using this command:
cat your_site_certificate.crt root_certificate.crt > your_site_chained_certificate.crt

Please feel free to install Nimble Streamer to try this and other security-related features in action. Contact us in case of any questions.

Related documentation

Nimble Streamer, Hotlink protection for Nimble Streamer, Paywall for Nimble Streamer, Live streaming, VOD streaming, SLDP low latency streaming
