Contains tips for configurators working with Aware IM
#33472 by eagles9999
Tue Jun 30, 2015 2:56 am
Just a quick note on SSL certificates....

This black art is mighty confusing if you have never done it before.

A myriad of different types of SSL certificates for a wide range of platforms and pricing.

It will do your head in trying to work it all out.

There are some free certificates out there that might suit your need so hunt around.

However, my situation was I have 3 Aware IM servers (2 EC2 instances with AWS and 1 Win Server with Mochahost).
Each server has more than one domain hosted on it.

I originally bought a wildcard SSL certificate from RapidSSL and that worked fine for a single domain. It will also work for sub domains.
However, it falls over when you want more than one root domain on the same server (IP address).

To do that you need a different type of certificate. I was led to believe I needed a Comodo multi domain cert and did a lot of hunting.

Was in the process of buying one of those from StartSSL. They are basically hopeless. Very unhelpful and the authorisation process is nothing
short of a "shoot me now" experience..... Stay away from them.

Then I stumbled across DigiCert.com....

Wow! Great products. Reasonable prices and the service is to die for.

I ended up buying a SANS UCC Certificate (Unified Communications Certificate) which allows you to have up to 25 domains (you get 4 in the initial base price and then buy more as you go) and you can have them on unlimited servers.

The support is awesome. The instructions are clear and understandable. The Tools simplify the entire process.

Additionally, as your domain requirements change, you can add and delete domains as you wish.

I am seriously impressed.
#33477 by hpl123
Tue Jun 30, 2015 7:45 pm
Nice share/info Mark. Thanks
#33512 by BenHayat
Fri Jul 03, 2015 9:36 pm
Thank you Mark, for sharing these great resources. You're great! :)
#33661 by eagles9999
Wed Jul 22, 2015 12:36 am
As a follow up to my previous post regarding securing your site with an SSL certificate.....

In my server.xml file I originally had this....
<Connector port="443" maxHttpHeaderSize="8192" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
           maxThreads="150" SSLEnabled="true" keyAlias="server"
           keystoreFile="c:/AwareIM/Tomcat/bin/certs/mycertificate.jks"
           keystorePass="mycertpassword"
           clientAuth="false"
           sslProtocol="TLS"
           />

This seemed to all work so I was pretty happy. Ignorance is Bliss!

Then I found https://www.ssllabs.com/

This site provides some testing to see if your site is open to any vulnerabilities. So I tested my site....and this was the result.

[Image: Fail.png, SSLLabs result]


I was shocked. What to do?

So I went digging. There is heaps of info regarding DH and Poodle issues but much of it is conflicting, confusing or downright wrong. Also the info is different for different versions of Tomcat.
The main problem is to do with the parameters sslProtocol(s) and sslEnabledProtocols.

Please note that you might see some documentation that talks about particular JSSE files that are needed for Java to handle the ciphers. Ignore it, as the required files are already part of the Aware IM installation.

Anyway...in the hope that it might save others from the merry-go-round of hunting and gathering.....here is the drill.

Change the Connector Tag above to look like this......

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="c:/AwareIM/Tomcat/bin/certs/mycertificate.jks"
           keystorePass="mycertpassword"
           clientAuth="false" sslProtocols="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_SHA,
                    TLS_DHE_RSA_WITH_AES_128_SHA256,
                    TLS_DHE_RSA_WITH_AES_128_SHA,
                    TLS_DHE_DSS_WITH_AES_128_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_SHA256,
                    TLS_DHE_DSS_WITH_AES_256_SHA,
                    TLS_DHE_RSA_WITH_AES_256_SHA"
           />

You will see some docs state that the sslProtocols should be either.... sslProtocol="TLSv1,TLSv1.1,TLSv1.2" or sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

I don't know the reason why but I have tried both and both fail. I assume it is to do with the version of Tomcat we have but from my testing the only combination that works is....

sslProtocols="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Note that you MUST have both of these lines.

Ok. Save your server.xml file and restart Aware IM / Tomcat

Ta Daa!!!

[Image: Pass.png, SSLLabs result: Much Better....]


Hope this helps....

Enjoy.
#33662 by BenHayat
Wed Jul 22, 2015 1:26 am
You're 'D' man Mark...
Is there anything that Awaresoft can do in their next version to smooth out this procedure?
#33663 by eagles9999
Wed Jul 22, 2015 1:34 am
Hi Ben,

I don't think it is AwareSoft's responsibility as this has to do with SSL certificates and everyone needs to acquire different certificates to meet their specific needs. Hence, the out of the box installation of Aware does not deal with SSL at all.... and it shouldn't in my view.

Adding SSL security to your site is pretty simple so these tips are really just to help the process.
#40057 by tford
Tue Aug 23, 2016 7:41 pm
Since SSL will be required by Apple to implement push notifications to Apple devices, SSL is now on my radar to implement.

Is this a comprehensive list of steps to take after purchasing a SSL certificate?
#40058 by BenHayat
Tue Aug 23, 2016 7:52 pm
We really need a certified list/document (especially for the 7.1 64-bit version) on how to implement SSL in Aware, so everyone follows one system.
@Support, could you please provide a document on how to do an SSL implementation that you have verified is the correct way?

Thanks!
#53843 by Jaymer
Mon May 04, 2020 3:24 am
Just posting an update.
Apparently, ciphers and cipher-cracking have changed in the past 5 years.
Using the list from Mark above, I got a C.
The report tells you which ciphers in the list are WEAK.
I just removed them from the list in Tomcat's server.xml and rebooted Aware.
Had to do this 3 times.
I found a list here: https://weakdh.org/sysadmin.html
and even that had a WEAK one, so I eliminated it, restarted & eventually got my A rating:
[Image: Screen Shot 2020-05-03 at 11.13.07 PM.png, SSL Labs A rating]
#53844 by Jaymer
Mon May 04, 2020 3:27 am
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:\Certificates\tomcat.keystore" keystorePass="xxxxx"
           clientAuth="false" sslProtocols="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_SHA,
                    TLS_DHE_RSA_WITH_AES_128_SHA256,
                    TLS_DHE_RSA_WITH_AES_128_SHA,
                    TLS_DHE_DSS_WITH_AES_128_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_SHA256,
                    TLS_DHE_DSS_WITH_AES_256_SHA,
                    TLS_DHE_RSA_WITH_AES_256_SHA"
           />
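A small offline checker for the Connector settings discussed in Mark's post (#33661) and Jaymer's trim-the-WEAK-ciphers loop (#53843), added here as an example; it is not code from the thread, from Aware IM or from Tomcat. It parses a constructed server.xml modelled on Mark's first Connector (placeholder keystore path), warns when a protocol list is placed in sslProtocol(s) instead of sslEnabledProtocols, marks TLS 1.0/1.1 as deprecated, and sorts the ciphers attribute into keep and weak using the kinds of criteria SSL Labs and weakdh.org apply (no forward secrecy, 3DES, CBC mode, SHA-1 HMAC, DHE parameter size); the weakness rules are the example's own assumptions, not an SSL Labs grading table.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the first Connector posted in this thread (not anyone's real file).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" scheme="https" secure="true" keystoreFile="PLACEHOLDER.jks"
      sslProtocols="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" />
</Service></Server>"""
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 retired by RFC 8996

def split_list(value):
    # Tomcat splits these attributes on commas and trims, so the newline-wrapped lists in the thread parse as one list.
    return [v.strip() for v in value.split(",") if v.strip()]

def cipher_weaknesses(name):
    """Reasons a JSSE cipher-suite name falls short of current practice (empty list = keep)."""
    reasons = []
    if any(bad in name for bad in ("3DES", "RC4", "_NULL_", "EXPORT", "_MD5")):
        reasons.append("legacy algorithm")
    if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        reasons.append("no forward secrecy")
    if name.startswith("TLS_DHE_"):
        reasons.append("DHE: strength depends on the server's DH parameter size (weakdh.org)")
    if "GCM" not in name and "CHACHA20" not in name:
        reasons.append("CBC mode")
    if name.endswith("_SHA"):
        reasons.append("SHA-1 HMAC")
    return reasons

def audit_connectors(xml_text):
    """Audit every SSLEnabled Connector in a server.xml; returns {port: findings}."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # The thread's finding: a protocol list belongs in sslEnabledProtocols, not in sslProtocol(s)
        warnings = [f"{a} holds a list; move it to sslEnabledProtocols"
                    for a in ("sslProtocol", "sslProtocols") if "," in conn.get(a, "")]
        enabled = split_list(conn.get("sslEnabledProtocols", ""))
        warnings += ["sslEnabledProtocols missing: JSSE defaults apply"] if not enabled else []
        warnings += [f"{p} is deprecated" for p in enabled if p in DEPRECATED_PROTOCOLS]
        ciphers = split_list(conn.get("ciphers", ""))
        weak = {n: r for n in ciphers if (r := cipher_weaknesses(n))}
        report[conn.get("port")] = {"protocol_warnings": warnings, "weak": weak,
                                    "keep": [n for n in ciphers if n not in weak]}
    return report
```

Running audit_connectors(SERVER_XML) gives the "keep" list you would paste back into the ciphers attribute and, per weak suite, the reason the SSL Labs report is likely to flag it, which removes the restart-and-retest loop from Jaymer's post.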
