VirtualHere supports Secure Sockets Layer (SSL) for Client/Server communications. This is useful when sharing USB devices over the Internet to provide better protection against eavesdropping. Both Server Certificates and optionally Client SSL Certificates are supported.
Important:
- Make sure you are running the latest VirtualHere Server and VirtualHere Client as the settings below are applicable to the latest versions
- If there are SSL configuration problems, errors will be displayed in syslog on the server, and System Messages on the client
- SSL support requires the server to be purchased
- VirtualHere runs SSL on port 7574
- SSL can also run over EasyFind
Prerequisites (using OpenSSL)
Generate a self-signed CA (skip this if you are using a commercial CA)
openssl genrsa -out ca.key 2048
openssl req -new -sha256 -x509 -days 3650 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM
Generate the self-signed server certificate (or purchase one from a Certificate Authority)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
cat server.key server.crt > server.pem
For the VirtualHere USB Server For Linux/Windows/OSX
- Make sure the VirtualHere Server is not running
- Edit the server config.ini file and add the setting sslCert, set to the full path of the server.pem generated above
- Save the config.ini file and start the VirtualHere Server
If you are using the VirtualHere Android Server
- Copy the server.pem file to the SD card storage on your Android device, or to for example Google Drive.
- In the VirtualHere App, click on the Menu -> SSL... -> Load Cert -> Select the server.pem from the location you saved the file to in the previous step
On the client: Save the server certificate CA file (ca.pem above) on the client computer and Right click USB Hubs -> Advanced Settings -> SSL -> Certificate Authority File and put the location there. That Certificate Authority will be added to the client trusted list. If you do not add this parameter, then the server certificate cannot be verified, the SSL connection will not continue, and there will be messages in the System Log on the client telling you to do this.
When the Server starts, the VirtualHere client will automatically connect to the VirtualHere Server using TLSv1.2 over the default SSL port of 7574. If you are not using "Auto-Find" you need to enter the server details in the "Specify Hubs.." menu item with a port of 7574.
Note: when running the client as a service you cannot use any SSL pem file that requires a password
SSL over EasyFind
SSL over EasyFind requires no special setup and works identically to the normal SSL configuration described above. Just make sure that the EasyFind client has the ca.pem set as described above (e.g. email the ca.pem to the remote user for them to configure their client).
If you want to use client certificates
Generate a self-signed client certificate (or obtain one from a CA)
Generate the client private key:
With passphrase: openssl genrsa -des3 -out client.key 2048
or without passphrase: openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
cat client.key client.crt > client.pem
Edit the VirtualHere Client configuration file
Specify the full path to the client certificate file generated above in the [General] section, using SSLClientCert=c:/path/to/client.pem
Save the Client configuration file and start the client
Stop the server and edit the config.ini and add the settings
SSLUseClientCerts=1
SSLCAFile=/path/to/ca.pem
Start the server
Note: If you want to use specific client certificates for particular connections, qualify the client certificate path with the server hostname, a colon, the port, and then the pipe symbol. A path that is not qualified is used for all other connections. Use a comma to separate entries, for example:
Revoking Client Certificates
There is support in the server to revoke client certificates using CRLs. To do this, add the parameter SSLUseCRL=1 in the server config.ini. When a client certificate requires revoking, append its CRL in PEM format to the ca.pem file specified in the SSLCAFile parameter. When updating the ca.pem file you do not need to stop the server; it will pick up the revocation automatically when the file changes.
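As an added example (not VirtualHere's own tooling), the script below reproduces the CA, server and client certificate steps from the prerequisites and client certificate sections non-interactively in a scratch directory, then covers what this section only names: producing the CRL in PEM format with openssl ca, appending it to ca.pem, and confirming with openssl verify that the revoked client certificate is rejected while the server certificate still verifies. The WORK directory, the subject names and the serial numbers are assumptions.

```shell
#!/bin/sh
# Added example, not VirtualHere's own tooling: builds the CA, server and client
# material the page describes (non-interactively, in a scratch directory), then
# shows the step the page leaves out: producing the PEM CRL that gets appended
# to ca.pem, and checking the result the way an OpenSSL-based verifier does.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # hypothetical scratch dir; override with WORK=/path
cd "$WORK"
# Self-signed CA, then server and client certificates signed by it.
make_pki() {
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -sha256 -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=Demo VirtualHere CA"
  openssl x509 -in ca.crt -out ca.pem -outform PEM
  for n in server client; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
    openssl req -new -key "$n.key" -out "$n.csr" -subj "/CN=demo-$n"
  done
  openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
    -set_serial 02 -out server.crt 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in client.csr -CA ca.crt -CAkey ca.key \
    -set_serial 01 -out client.crt 2>/dev/null
  cat server.key server.crt > server.pem
  cat client.key client.crt > client.pem
}

# Smallest "openssl ca" setup that can issue a CRL: an empty index.txt plus a
# config naming it. Revokes client.crt, signs the CRL, appends it to ca.pem.
revoke_client() {
  : > index.txt
  printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\n' > crl.cnf
  printf 'default_md=sha256\ndefault_crl_days=30\n' >> crl.cnf
  openssl ca -config crl.cnf -cert ca.crt -keyfile ca.key -revoke client.crt 2>/dev/null
  openssl ca -config crl.cnf -cert ca.crt -keyfile ca.key -gencrl -out crl.pem 2>/dev/null
  cat crl.pem >> ca.pem        # ca.pem now carries the CA certificate and its CRL
}

# cert_ok FILE [openssl verify options]: 0 if FILE chains to the CA in ca.pem.
# Add -crl_check to also reject a certificate listed in a CRL inside ca.pem
# (that option fails until ca.pem actually contains a CRL for the issuer).
cert_ok() { cert=$1; shift; openssl verify "$@" -CAfile ca.pem "$cert" >/dev/null 2>&1; }

# 0 if a PEM bundle holds an encrypted private key, which the client cannot
# open when running as a service (legacy and PKCS#8 headers both say ENCRYPTED).
pem_needs_password() { grep -q 'ENCRYPTED' "$1"; }

make_pki
cert_ok client.crt && echo "client.crt chains to ca.pem"
revoke_client
cert_ok client.crt -crl_check || echo "client.crt is now rejected by the CRL in ca.pem"
cert_ok server.crt -crl_check && echo "server.crt still verifies with the CRL loaded"
```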