SSL Certificates

customaware

Just a quick note on SSL certificates....

This black art is mighty confusing if you have never done it before.

A myriad of different types on SSL certificates for a wide range of platforms and pricing.

It will do you head in trying to work it all out.

There are some free certificates out there that might suit your need so hunt around.

However, my situation was I have 3 Aware IM servers (2 EC2 instances with AWS and 1 Win Server with Mochahost).
Each server has more than one domain hosted on it.

I originally bought a wildcard SSL certificate from RapidSSL and that worked fine for a single domain. It will also work for sub domains.
However, it falls over when you want more than one root domain on the same server (ip address)

To do that you need a different type of certificate. I was led to believe I needed a Comodo multi domain cert and did a lot of hunting.

Was in the process of buying one of those from StartSSL. They are basically hopeless. Very unhelpful and the authorisation process is nothing
short of a "shoot me now" experience..... Stay away from them.

Then I stumbled across DigiCert.com....

Wow! Great products. Reasonable prices and the service is to die for.

I ended up buying a SANS UCC Certificate (Unified Communications Certificate) which allows you to have up to 25 domains (you get 4 in the intial base price and then buy more as you go) and you can have them on unlimited servers.

The support is awesome. The instructions are clear and understandable. The Tools simplify the entire process.

Additionally, as your domain requirements change, you can add, delete domains as your wish.

I am seriously impressed.

hpl123

Nice share/info Mark. Thanks

Powerm

Thanks, nice share 🙂 I know SSL is a nightmare....

BenHayat

Thank you Mark, for sharing these great resources. You're great! 🙂

customaware

As a follow up to my previous post regarding securing your site with an SSL certificate.....

In my server.xml file I originally had this....
<Connector port="443" maxHttpHeaderSize="8192" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
maxThreads="150" SSLEnabled="true" keyAlias="server"
keystoreFile="c:/AwareIM/Tomcat/bin/certs/mycerificate.jks"
keystorePass="mycertpassword"
clientAuth="false"
sslProtocol="TLS"
/>

This seemed to all work so I was pretty happy. Ignorance is Bliss!

Then I found https://www.ssllabs.com/

This site provides some testing to see if your site is open to any vulnerabilities. So I tested my site....and this was the result.

I was shocked. What to do?

So I went digging. There is heaps of info regarding DH and Poodle issues but much of it is conflicting, confusing or downright wrong. Also the info is different for different versions of Tomcat.
The main problem is to do with the parameters sslProtocol(s) and sslEnableProtocols.

Please note that your might see some documentation that talks about particular JSSE files that are needed for java to handle the ciphers. Ignore it as the required files are already part of the Aware IM installation.

Anyway...in the hope that it might save others from the merry-go-round of hunting and gathering.....here is the drill.

Change the Connector Tag above to look like this......

You will see some docs state that the sslProtocols should be either.... sslProtocol="TLSv1,TLSv1.1,TLSv1.2" or sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

I don't know the reason why but I have tried both and both fail. I assume it is to do with the version of Tomcat we have but from my testing the only combination that works is....

sslProtocols="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Note that you MUST have both of these lines.

Ok. Save your server.xml file and restart Aware IM / Tomcat

Ta Daa!!!

Hope this helps....

Enjoy.

BenHayat

You're 'D' man Mark...
Is there anything that Awaresoft can do in their next version to smooth out this procedure?

customaware

Hi Ben,

I don't think it is AwareSoft's responsibility as this has to do with SSL certificates and everyone needs to acquire different certificates to meet their specific needs. Hence, the out of the box installation of Aware does not deal with SSL at all.... and it shouldn't in my view.

Adding SSL security to your site is pretty simple so these tips are really just to help the process.

tford

Since SSL will be required by Apple to implement push notifications to Apple devices, SSL is now on my radar to implement.

Is this a comprehensive list of steps to take after purchasing a SSL certificate?

BenHayat

We really need a certified list/document (especially with 7.1 64-bit version) how to implement SSL in Aware, so everyone follows one system.
@Support, could you please provide a document how to do an SSL implementation that you verify it's the correct way?

Thanks!

Jaymer

Just posting an update.
Apparently, ciphers and cipher-cracking has changed in the past 5 years.
Using the list from Mark above, I got a C.
The Report tells you which cyphers in the list are WEAK.
I just removed them from the list in Tomcat's server.xml and rebooted Aware.
Had to do this 3 times.
I found a list here: https://weakdh.org/sysadmin.html
and even that had a WEAK one, so I eliminated it, restart & eventually got my A rating:
Screen Shot 2020-05-03 at 11.13.07 PM.png

Jaymer

	<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

<Connector port="443" 
			protocol="org.apache.coyote.http11.Http11NioProtocol"
			sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
			maxThreads="150"
			scheme="https" secure="true" SSLEnabled="true"
			keystoreFile="C:\Certificates\tomcat.keystore" keystorePass="xxxxx"
			clientAuth="false" sslProtocols="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_SHA,
TLS_ECDHE_RSA_WITH_AES_256_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_SHA,
TLS_DHE_RSA_WITH_AES_128_SHA256,
TLS_DHE_RSA_WITH_AES_128_SHA,
TLS_DHE_DSS_WITH_AES_128_SHA256,
TLS_DHE_RSA_WITH_AES_256_SHA256,
TLS_DHE_DSS_WITH_AES_256_SHA,
TLS_DHE_RSA_WITH_AES_256_SHA"

/>