SSL Setup

Michael

VirtualHere supports Secure Sockets Layer (SSL) for Client/Server communications. This is useful when sharing USB devices over the Internet to provide better protection against eavesdropping. Both Server Certificates and optionally Client SSL Certificates are supported.

Important:

  • Make sure you are running the latest VirtualHere Server and VirtualHere Client as the settings below are applicable to the latest versions
  • If there are SSL configuration problems, errors will be displayed in syslog on the server, and System Messages on the client
  • SSL support requires the server be purchased
  • VirtualHere runs SSL on port 7574
  • SSL can also run over EasyFind

Prerequisites (using OpenSSL)

Generate a self-signed CA (skip this if you are using a commercial CA)
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

Generate the self-signed server certificate (or purchase one from a Certificate Authority)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
cat server.key server.crt > server.pem

For the VirtualHere USB Server For Linux/Windows/OSX

  • Make sure the VirtualHere Server is not running
  • Edit the server config.ini file
  • Add the setting sslCert and set it to the full path of server.pem generated above
  • Save the config.ini file and start the VirtualHere Server

If you are using the VirtualHere Android Server

  • Copy the server.pem file to the SD card storage on your Android device, or, for example, to Google Drive.
  • In the VirtualHere App, click on the Menu -> SSL...-> Load Cert-> Select the server.pem from the location you saved the file to in the previous step

On the client: save the server certificate CA file (ca.pem above) on the client computer, then right click USB Hubs->Advanced Settings->SSL->Certificate Authority File and enter its location there. That Certificate Authority will be added to the client's trusted list. If you do not set this parameter, the server certificate cannot be verified, the SSL connection will not continue, and messages in the System Log on the client will tell you to do this.

When the Server starts, the VirtualHere client will automatically connect to the VirtualHere Server using TLSv1.2 over the default SSL port of 7574. If you are not using "Auto-Find" you need to enter the server details in the "Specify Hubs.." menu item with a port of 7574.

Note: when running the client as a service you cannot use any SSL pem file that requires a password

SSL over EasyFind

SSL over EasyFind requires no special setup and works identically to the normal SSL configuration described above. Just make sure that the EasyFind client has the ca.pem set as described above (e.g. email the ca.pem to the remote user for them to configure their client).

If you want to use client certificates

Generate a self-signed client certificate (or obtain one from a CA)
Generate the client private key, with a passphrase:
openssl genrsa -des3 -out client.key 2048
or without a passphrase:
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
cat client.key client.crt > client.pem
Edit the VirtualHere Client configuration file
Specify the full path to the Client certificate file generated above, by using SSLClientCert=c:/path/to/client.pem in the [General] section
Save the Client configuration file and start the client

Stop the server and edit the config.ini and add the settings
SSLUseClientCerts=1
SSLCAFile=/path/to/ca.pem
Start the server

Note: If you want to use specific client certificates for particular connections, qualify the client certificate path with the server hostname, a colon, the port and then the pipe symbol. A path that is not qualified is used for all other connections. Use a comma to separate entries, for example:

SSLClientCert=c:/path/to/general/client.pem,ubuntu-2.local.:7575|c:/path/to/ubuntu2/specific/cert.pem,ubuntu-3.local.:7575|c:/path/to/ubuntu3/specific/cert.pem
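How a value like the one above is resolved for a given hub, written out as an added example (this is not VirtualHere's code and not part of the original post; the function name vh_pick_client_cert and the exact-match rule on host:port are assumptions based on the description here):

```shell
#!/bin/sh
# Added example (not VirtualHere's own code): resolve which client
# certificate applies to a hub, following the SSLClientCert syntax above.
#
# Rules as described in the post (assumed to be exact string matches):
#   - entries are separated by ','
#   - a qualified entry is "host:port|path" and applies to that hub only
#   - an unqualified entry is a bare path used for every other connection
vh_pick_client_cert() {           # vh_pick_client_cert SETTING HOST PORT
    setting=$1
    want="$2:$3"
    default=""
    old_ifs=$IFS
    IFS=','
    set -f                        # no glob expansion while splitting on ','
    for entry in $setting; do
        case $entry in
            *'|'*)
                key=${entry%%|*}
                path=${entry#*|}
                if [ "$key" = "$want" ]; then
                    IFS=$old_ifs; set +f
                    printf '%s\n' "$path"
                    return 0
                fi
                ;;
            '') ;;                # tolerate empty entries such as ",,"
            *)
                default=$entry    # unqualified path: the fallback
                ;;
        esac
    done
    IFS=$old_ifs; set +f
    if [ -n "$default" ]; then
        printf '%s\n' "$default"
        return 0
    fi
    return 1                      # neither a specific nor a default cert
}

# Constructed sample value, copied from the post's example line.
VH_SAMPLE='c:/path/to/general/client.pem,ubuntu-2.local.:7575|c:/path/to/ubuntu2/specific/cert.pem,ubuntu-3.local.:7575|c:/path/to/ubuntu3/specific/cert.pem'

# Usage: vh_pick_client_cert "$VH_SAMPLE" ubuntu-2.local. 7575
#        prints c:/path/to/ubuntu2/specific/cert.pem
```

Two things worth checking when you use this form of the setting: the host part is compared exactly, so the trailing dot on `ubuntu-2.local.` and the port both have to match what the client connects to, and a hub entered as an IPv6 literal contains colons of its own, which this simple split does not handle.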

Revoking Client Certificates

There is support in the server to revoke client certificates using CRLs. To do this, add the parameter SSLUseCRL=1 to the server config.ini. When a client certificate needs to be revoked, append its CRL in PEM format to the ca.pem file specified in the SSLCAFile parameter. You do not need to stop the server when updating ca.pem; it picks up the revocation automatically when the file changes.
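The prerequisite OpenSSL steps, the client-certificate steps and the CRL revocation described in this post, run end to end as an added example (this is not VirtualHere's code and not part of the original post). It assumes a POSIX shell with the openssl command; the subject names, working directory, 30-day CRL lifetime and the two minimal config files are constructed for the example, and openssl verify stands in for the trust decision the VirtualHere client (Certificate Authority File) and server (SSLCAFile with SSLUseCRL=1) make:

```shell
#!/bin/sh
# Added example (not VirtualHere's own code): the post's OpenSSL commands run
# non-interactively, plus the CRL step, plus a verify of what gets trusted.
# Assumes: POSIX sh and the openssl CLI. Names/paths/lifetimes are constructed.
set -e

# Minimal config for `openssl req`: lets -subj work without the system
# openssl.cnf and marks the self-signed CA as a CA (the default v3_ca section
# of the system config does the same when the post's commands are typed as-is).
vh_write_config() {
    pki=$1
    cat > "$pki/req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Config for `openssl ca`, used only to revoke and to generate the CRL.
    cat > "$pki/ca.cnf" <<EOF
[ ca ]
default_ca = vh_ca
[ vh_ca ]
database = $pki/index.txt
new_certs_dir = $pki
serial = $pki/serial
crlnumber = $pki/crlnumber
certificate = $pki/ca.crt
private_key = $pki/ca.key
default_md = sha256
default_crl_days = 30
EOF
    : > "$pki/index.txt"
    echo 1000 > "$pki/serial"
    echo 1000 > "$pki/crlnumber"
}

# Issue one certificate signed by the CA; mirrors the post's x509 -req lines.
vh_issue() {                      # vh_issue DIR NAME SERIAL
    pki=$1; name=$2; serial=$3
    openssl genrsa -out "$pki/$name.key" 2048 2>/dev/null
    openssl req -new -config "$pki/req.cnf" -key "$pki/$name.key" \
        -subj "/CN=vh-demo-$name" -out "$pki/$name.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$pki/$name.csr" -CA "$pki/ca.crt" \
        -CAkey "$pki/ca.key" -set_serial "$serial" -out "$pki/$name.crt" 2>/dev/null
    # VirtualHere wants key and certificate concatenated into one .pem
    cat "$pki/$name.key" "$pki/$name.crt" > "$pki/$name.pem"
}

# Build CA, server (serial 02) and client (serial 01) exactly as in the post.
vh_make_pki() {                   # vh_make_pki DIR
    pki=$1
    mkdir -p "$pki"
    vh_write_config "$pki"
    openssl genrsa -out "$pki/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$pki/req.cnf" -key "$pki/ca.key" \
        -subj "/CN=vh-demo-ca" -out "$pki/ca.crt" 2>/dev/null
    openssl x509 -in "$pki/ca.crt" -out "$pki/ca.pem" -outform PEM
    vh_issue "$pki" server 02
    vh_issue "$pki" client 01
}

# The trust check the client makes against its Certificate Authority File.
vh_verify() {                     # vh_verify CAFILE CERT -> 0 if CERT chains to CAFILE
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The same check with revocation honoured (SSLUseCRL=1): a CRL appended to
# CAFILE is loaded together with the CA certificate.
vh_verify_crl() {                 # vh_verify_crl CAFILE CERT
    openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}

# Revoke client.crt and append the resulting CRL to ca.pem, the file the
# server's SSLCAFile points at, as the post describes.
vh_revoke_client() {              # vh_revoke_client DIR
    pki=$1
    openssl ca -config "$pki/ca.cnf" -revoke "$pki/client.crt" >/dev/null 2>&1
    openssl ca -config "$pki/ca.cnf" -gencrl -out "$pki/crl.pem" >/dev/null 2>&1
    cat "$pki/crl.pem" >> "$pki/ca.pem"
}

vh_demo() {                       # vh_demo [DIR]
    pki=${1:-./vh-demo-pki}
    vh_make_pki "$pki"
    vh_verify "$pki/ca.pem" "$pki/client.crt" && echo "client.crt trusted"
    vh_revoke_client "$pki"
    vh_verify_crl "$pki/ca.pem" "$pki/client.crt" || echo "client.crt revoked"
    vh_verify_crl "$pki/ca.pem" "$pki/server.crt" && echo "server.crt still valid"
}

if [ "${1:-}" = demo ]; then vh_demo "${2:-}"; fi
```

Saved as, say, vh-ssl.sh, `sh vh-ssl.sh demo /tmp/vh-pki` produces the same server.pem (for sslCert), client.pem (for SSLClientCert) and ca.pem (for the client's Certificate Authority File and the server's SSLCAFile) as the manual steps, then shows that after the CRL is appended only client.crt is rejected while server.crt still verifies. The CRL is appended to ca.pem rather than kept in a separate file because that is the file the server re-reads when it changes; a CRL left elsewhere is not consulted.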