SSL Setup

Michael

VirtualHere supports Secure Sockets Layer (SSL) for Client/Server communications. This is useful when sharing USB devices over the Internet to provide better protection against eavesdropping. Server certificates and, optionally, client SSL certificates are supported.

Important:

  • Make sure you are running the latest VirtualHere Server and VirtualHere Client as the settings below are applicable to the latest versions
  • If there are SSL configuration problems, errors will be displayed in syslog on the server, and System Messages on the client
  • SSL support requires the server be purchased
  • VirtualHere runs SSL on port 7574 (send email to mail@virtualhere.com if you need to use a different port)

Prerequisites (using OpenSSL)

1. Generate a self-signed CA (skip this if you are using a commercial CA)
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

For the VirtualHere USB Server

Generate the self-signed server certificate (or purchase one from a Certificate Authority)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
cat server.key server.crt > server.pem

  • Make sure the VirtualHere Server is not running
  • Edit the server config.ini file
  • Add the setting sslCert and set it to the full path of server.pem generated above
  • Save the config.ini file and start the VirtualHere Server

When the Server starts, the VirtualHere client will automatically connect to the VirtualHere Server using SSLv3 over the default SSL port of 7574. If you are not using "Auto-Find" you need to enter the server details in the "Specify Hubs.." menu item with a port of 7574.

If you want the client to verify the server certificate

Save the server certificate CA file on the client computer and add the parameter SSLCAFile=/path/to/ca.pem under the [General] section of the client vhui.ini configuration file. That Certificate Authority will be added to the client trusted list. If you do not add this parameter, the server certificate will not be verified, but the SSL connection will continue.

If you want to use client certificates

Generate a self-signed client certificate (or obtain one from a CA)
Generate the client private key:
With passphrase: openssl genrsa -des3 -out client.key 1024
Without passphrase: openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
cat client.key client.crt > client.pem
Edit the VirtualHere Client configuration file
Specify the full path to the Client certificate file generated above, by using SSLClientCert=c:/path/to/client.pem in the [General] section

Save the Client configuration file and start the client

Stop the server, edit config.ini, and add the settings:
SSLUseClientCerts=1
SSLCAFile=/path/to/ca.pem
Start the server

Revoking Client Certificates

The server supports revoking client certificates using CRLs. To enable this, add the parameter SSLUseCRL=1 to the server config.ini. When a client certificate needs to be revoked, append its CRL in PEM format to the ca.pem file specified in the SSLCAFile parameter. You do not need to stop the server when updating ca.pem; it picks up the revocation automatically when the file changes.
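
The steps above do not show how the CRL itself is produced. The following is an added example, not VirtualHere's own code: it builds a throwaway CA and client certificate, revokes the certificate with openssl ca, appends the resulting CRL to ca.pem, and uses openssl verify as a local check that the combined file now reports the certificate as revoked. The file ca.cnf, the section name demo, the subject names, the 2048-bit keys and the 30-day lifetimes are assumptions made for the demo, and nothing here contacts a VirtualHere server.

```sh
# Added example (constructed data): throwaway CA and client cert in a temp dir.
verdict() {  # judge client.crt against ca.pem; "$@" = extra verify flags
  out=$(openssl verify "$@" -CAfile ca.pem client.crt 2>&1) || true
  case $out in *revoked*) echo revoked ;; *": OK"*) echo valid ;; *) echo error ;; esac
}
# Prints "<before> <after>": the verdict before and after the CRL is appended.
revocation_demo() (
  work=$(mktemp -d) && cd "$work" || exit 1
  cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[demo]
database = index.txt
certificate = ca.crt
private_key = ca.key
default_md = sha256
EOF
  : > index.txt   # empty certificate database for "openssl ca"
  {
    openssl genrsa -out ca.key 2048 &&
    openssl req -new -x509 -days 30 -config ca.cnf -key ca.key -out ca.crt &&
    openssl x509 -in ca.crt -out ca.pem -outform PEM &&
    openssl genrsa -out client.key 2048 &&
    openssl req -new -config ca.cnf -subj "/CN=constructed-client" \
      -key client.key -out client.csr &&
    openssl x509 -req -days 30 -in client.csr -CA ca.crt -CAkey ca.key \
      -set_serial 01 -out client.crt
  } >/dev/null 2>&1 || exit 1
  before=$(verdict)
  # Revoke serial 01, issue a CRL, and append it to ca.pem (the SSLCAFile).
  {
    openssl ca -name demo -config ca.cnf -revoke client.crt &&
    openssl ca -name demo -config ca.cnf -gencrl -crldays 30 -out crl.pem &&
    cat crl.pem >> ca.pem
  } >/dev/null 2>&1 || exit 1
  echo "$before $(verdict -crl_check)"
  cd / && rm -rf "$work"
)

revocation_demo
```

Because the certificates in this guide are issued with openssl x509 -req rather than openssl ca, the -revoke step first adds the certificate to index.txt and then marks it revoked; keep index.txt with the CA key so later CRLs still list earlier revocations.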