SSL Certificates

Contains tips for configurators working with Aware IM
customaware
Posts: 2391
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

SSL Certificates

Post by customaware »

Just a quick note on SSL certificates....

This black art is mighty confusing if you have never done it before.

A myriad of different types of SSL certificates for a wide range of platforms and pricing.

It will do your head in trying to work it all out.

There are some free certificates out there that might suit your need so hunt around.

However, my situation was I have 3 Aware IM servers (2 EC2 instances with AWS and 1 Win Server with Mochahost).
Each server has more than one domain hosted on it.

I originally bought a wildcard SSL certificate from RapidSSL and that worked fine for a single domain. It will also work for sub domains.
However, it falls over when you want more than one root domain on the same server (IP address).

To do that you need a different type of certificate. I was led to believe I needed a Comodo multi domain cert and did a lot of hunting.

Was in the process of buying one of those from StartSSL. They are basically hopeless. Very unhelpful and the authorisation process is nothing short of a "shoot me now" experience..... Stay away from them.

Then I stumbled across DigiCert.com....

Wow! Great products. Reasonable prices and the service is to die for.

I ended up buying a SANS UCC Certificate (Unified Communications Certificate) which allows you to have up to 25 domains (you get 4 in the initial base price and then buy more as you go) and you can have them on unlimited servers.

The support is awesome. The instructions are clear and understandable. The Tools simplify the entire process.

Additionally, as your domain requirements change, you can add or delete domains as you wish.

I am seriously impressed.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: SSL Certificates

Post by hpl123 »

Nice share/info Mark. Thanks
Henrik (V8 Developer Ed. - Windows)
Powerm
Posts: 473
Joined: Mon Feb 01, 2010 9:44 pm
Contact:

Re: SSL Certificates

Post by Powerm »

Thanks, nice share :) I know SSL is a nightmare....
Independent Developer
www.atwing.com
BenHayat
Posts: 2749
Joined: Thu Dec 23, 2010 5:48 am
Location: Fla, USA
Contact:

Re: SSL Certificates

Post by BenHayat »

Thank you Mark, for sharing these great resources. You're great! :)
customaware
Posts: 2391
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: SSL Certificates

Post by customaware »

As a follow up to my previous post regarding securing your site with an SSL certificate.....

In my server.xml file I originally had this....
<Connector port="443" maxHttpHeaderSize="8192" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
           maxThreads="150" SSLEnabled="true" keyAlias="server"
           keystoreFile="c:/AwareIM/Tomcat/bin/certs/mycerificate.jks"
           keystorePass="mycertpassword"
           clientAuth="false"
           sslProtocol="TLS"
/>

This seemed to all work so I was pretty happy. Ignorance is Bliss!

Then I found https://www.ssllabs.com/

This site provides some testing to see if your site is open to any vulnerabilities. So I tested my site....and this was the result.
[Attached image: SSLLab Result (Fail.png)]
I was shocked. What to do?

So I went digging. There are heaps of info regarding DH and Poodle issues but much of it is conflicting, confusing or downright wrong. Also the info is different for different versions of Tomcat.
The main problem is to do with the parameters sslProtocol(s) and sslEnabledProtocols.

Please note that you might see some documentation that talks about particular JSSE files that are needed for Java to handle the ciphers. Ignore it as the required files are already part of the Aware IM installation.

Anyway...in the hope that it might save others from the merry-go-round of hunting and gathering.....here is the drill.

Change the Connector Tag above to look like this......

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="c:/AwareIM/Tomcat/bin/certs/mycerificate.jks"
           keystorePass="mycertpassword"
           clientAuth="false" sslProtocols="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_SHA,
                    TLS_DHE_RSA_WITH_AES_128_SHA256,
                    TLS_DHE_RSA_WITH_AES_128_SHA,
                    TLS_DHE_DSS_WITH_AES_128_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_SHA256,
                    TLS_DHE_DSS_WITH_AES_256_SHA,
                    TLS_DHE_RSA_WITH_AES_256_SHA"
/>

You will see some docs state that the sslProtocols should be either.... sslProtocol="TLSv1,TLSv1.1,TLSv1.2" or sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

I don't know the reason why but I have tried both and both fail. I assume it is to do with the version of Tomcat we have but from my testing the only combination that works is....

sslProtocols="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Note that you MUST have both of these lines.

Ok. Save your server.xml file and restart Aware IM / Tomcat.

Ta Daa!!!
[Attached image: Much Better.... (Pass.png)]
Hope this helps....

Enjoy.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
BenHayat
Posts: 2749
Joined: Thu Dec 23, 2010 5:48 am
Location: Fla, USA
Contact:

Re: SSL Certificates

Post by BenHayat »

You're 'D' man Mark...
Is there anything that Awaresoft can do in their next version to smooth out this procedure?
customaware
Posts: 2391
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: SSL Certificates

Post by customaware »

Hi Ben,

I don't think it is AwareSoft's responsibility as this has to do with SSL certificates and everyone needs to acquire different certificates to meet their specific needs. Hence, the out-of-the-box installation of Aware does not deal with SSL at all.... and it shouldn't in my view.

Adding SSL security to your site is pretty simple so these tips are really just to help the process.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
tford
Posts: 4238
Joined: Sat Mar 10, 2007 6:44 pm

Re: SSL Certificates

Post by tford »

Since SSL will be required by Apple to implement push notifications to Apple devices, SSL is now on my radar to implement.

Is this a comprehensive list of steps to take after purchasing an SSL certificate?
Tom - V8.8 build 3137 - MySql / PostGres
BenHayat
Posts: 2749
Joined: Thu Dec 23, 2010 5:48 am
Location: Fla, USA
Contact:

Re: SSL Certificates

Post by BenHayat »

We really need a certified list/document (especially with the 7.1 64-bit version) on how to implement SSL in Aware, so everyone follows one system.
@Support, could you please provide a document on how to do an SSL implementation that you have verified is the correct way?

Thanks!
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL
Contact:

Re: SSL Certificates

Post by Jaymer »

Just posting an update.
Apparently, ciphers and cipher-cracking has changed in the past 5 years.
Using the list from Mark above, I got a C.
The Report tells you which ciphers in the list are WEAK.
I just removed them from the list in Tomcat's server.xml and rebooted Aware.
Had to do this 3 times.
I found a list here: https://weakdh.org/sysadmin.html
and even that had a WEAK one, so I eliminated it, restart & eventually got my A rating:
[Attached image: Screen Shot 2020-05-03 at 11.13.07 PM.png]
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL
Contact:

My Tomcat Server.xml section

Post by Jaymer »

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:\Certificates\tomcat.keystore" keystorePass="xxxxx"
           clientAuth="false" sslProtocols="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_SHA,
                    TLS_DHE_RSA_WITH_AES_128_SHA256,
                    TLS_DHE_RSA_WITH_AES_128_SHA,
                    TLS_DHE_DSS_WITH_AES_128_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_SHA256,
                    TLS_DHE_DSS_WITH_AES_256_SHA,
                    TLS_DHE_RSA_WITH_AES_256_SHA"
/>
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
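To take the trial-and-error out of pruning the `ciphers` and `sslEnabledProtocols` attributes the way Mark and Jaymer describe above, here is an added Python script (not from this thread, Aware IM or Tomcat) that parses a server.xml, flags deprecated protocol versions and cipher suites that a scanner such as SSL Labs reports as weak or without forward secrecy, and prints the trimmed list to keep. The embedded server.xml fragment is a constructed sample built from the suites posted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real server.xml: a trimmed Connector of the kind posted in this thread.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" />
</Service></Server>"""

# Protocol versions scanners reject: SSLv3 is the POODLE target, TLS 1.0/1.1 are deprecated (RFC 8996).
BAD_PROTOCOLS = {"SSLv2": "insecure", "SSLv3": "POODLE",
                 "TLSv1": "deprecated", "TLSv1.1": "deprecated"}


def cipher_issues(suite):
    """Reasons a suite name would be reported WEAK or non-forward-secret; [] if clean."""
    issues = []
    if any(tag in suite for tag in ("3DES", "RC4", "NULL", "EXPORT", "anon", "MD5")):
        issues.append("weak algorithm")
    if suite.startswith("TLS_RSA_WITH"):
        issues.append("no forward secrecy (static RSA key exchange)")
    if not any(tag in suite for tag in ("_GCM_", "_CCM", "CHACHA20")):
        issues.append("CBC mode, not AEAD (flagged WEAK by SSL Labs)")
    return issues


def audit_connectors(xml_text):
    """Return one report dict per SSL-enabled Connector in a server.xml document."""
    reports = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # The parser folds the newlines inside the attribute into spaces, so split on commas and strip.
        protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
        suites = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        reports.append({
            "port": conn.get("port"),
            "bad_protocols": {p: BAD_PROTOCOLS[p] for p in protocols if p in BAD_PROTOCOLS},
            "weak_ciphers": {s: cipher_issues(s) for s in suites if cipher_issues(s)},
            "keep": [s for s in suites if not cipher_issues(s)],
        })
    return reports


if __name__ == "__main__":
    for r in audit_connectors(SAMPLE_SERVER_XML):
        print(f"Connector {r['port']}: drop protocols {r['bad_protocols']}")
        for suite, why in r["weak_ciphers"].items():
            print(f"  remove {suite}: {'; '.join(why)}")
        print(f"  keep ciphers={','.join(r['keep'])}")
```

Point `audit_connectors` at the text of your own server.xml, paste the printed `keep` list back into the `ciphers` attribute, restart Tomcat and re-run the SSL Labs test to confirm the grade.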