Encrypted SSL

[Arif Butt]

Hi there

Our client which is a financial institute asked for a possibility to install an encrypted SSL on their WCS Server.. we have tried to do the same but got an error, kindly assist us on how to implement that to get this security vulnerablity addressed, or any other option to make the communication secure.

Thanks
AB

 

[Max]

Hello

We have raised internal ticket to support encrypted SSL certificates.
WCS-3920

Please note

1) If you import encrypted SSL files, WCS server ask for decrypt password each launch.
This means when you start server ./webcallserver start
The command line will prompt with asking password. And somebody must enter valid password for the encrypted files.

2) We do not provide any ETA for this ticket. Will inform through this thread about progress.

 

[Arif Butt]

Currently it is giving NULL alert when uploading the encrypted PEM file

Can you assist on how to give password when loading the encrypted SSL?

Thnx

 

[Max]

Importing of encrypted SSL via web interface is not supported.

You can import such certificate via command line and keytool

Websocket SSL - Web Call Server 5.2 - EN - Flashphoner Documentation

docs.flashphoner.com

Anyway you have to pass decryption password during import via keytool.

 

[Arif Butt]

Hi there,

While trying to follow the documentation when executing the following it is asking for the keystore password, when entering a root password it is giving an error, kindly let us know what to enter here? currently there is a default selfsigned certificate installed.

[root@apps /]# keytool -delete -alias selfsigned -keystore /usr/local/Flashphone rWebCallServer/conf/wss.jks
Enter keystore password:
Keystore password is too short - must be at least 6 characters


Thanks
AB

 

[Max]

Hello

Websocket SSL - Web Call Server 5.1 - EN - Flashphoner Documentation

docs.flashphoner.com

Default: password

 

[Arif Butt]

Hi there,

is there any update on this issue, internal ticket WCS-3920

Customer is asking for the same, kindly share any tentative timeline

Thnx
AB

 

[Max]

Hello

No updates for now.
Will be scheduled by internal priorities.

 

[Arif Butt]

Hi there

We have tried to follow the instructions provided by you for the manual installation of the encrypted SSL and successfully generated the P12 file and the installed the ssl by following the above steps, we received the following warning while installation

The driver is started successfully but it did not ask for the ssl password as we were assuming it.

After installation we are unable to access the site with https and the following is shown as the domain: 1

kindly assist further as the customer (financial institute is keep asking for the compliance)

we appreciate you help

Regards
AB

 

[Max]

The driver is started successfully but it did not ask for the ssl password as we were assuming it.

Seems like keytool also can't import an encrypted SSL certificate. Perhaps you should decrypt it manually before importing. Please ask the certificate provider about decryption instructions.

 

[Arif Butt]

Customer does not want the decrypted SSL, they want encrypted SSL, please advise

AB

 

[Max]

You can use Nginx or Apache as a reverse proxy supporting encrypted private keys

Spoiler: Nginx config example

server {
        listen 443 ssl;
        ssl_certificate /etc/pki/tls/yourdomain/yourdomain.crt;
        ssl_certificate_key /etc/pki/tls/yourdomain/your-encrypted-domain.key;
        server_name wcs.yourdomain.com;
        server_tokens off;
        client_max_body_size 500m;
        proxy_read_timeout 10m;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        location /wss {
            if ($http_connection !~* "upgrade") {
                return 403;
            }
            if ($http_upgrade !~* "websocket") {
                return 403;
            }
            proxy_set_header Host $host;
            proxy_pass http://localhost:8081;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
      
    }

How it works:

1. You start Nginx (systemctl start nginx).
2. It prompts decryption password each launch. Decryption password is applied to your encrypted private key file /etc/pki/tls/yourdomain/your-encrypted-domain.key
3. Nginx is listening port 443 (any port may be configured) for websocket secure connections.
4. Application connects to wss://wcs.yourdomain.com:443
5. Nginx proxies this connection to ws://localhost:8081

As a result, you are using encrypted private key as your customer requires.

 

[Arif Butt]

Thanks

Let us try and see if we can configure accordingly, otherwise I will request the queries.

Regards
AB

 

[Arif Butt]

Hi there

We are getting this error when starting ngix,
Port 80 is also free

Pls assist

 

[Max]

Please share your full nginx config.

See also:

Full nginx configuration file example:

Websocket traffic proxying for WebRTC publishing/playing - Web Call Server 5.2 - EN - Flashphoner Documentation

docs.flashphoner.com

Listen directive is not allowed here (error message):

nginx: [emerg] "server" directive is not allowed here

I have reconfigured nginx but I can't get it to restart using the following configuration: server { listen 80; server_name www.example.com; return 301 $scheme://example.com$request_uri;...

stackoverflow.com

 

[Arif Butt]

Pls see the following config file, pls assist further...


# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

#server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;

# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

error_page 404 /404.html;
location = /404.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.

server {
listen 443 ssl;
ssl_certificate /etc/pki/tls/BAHL/rdamedia.crt;
ssl_certificate_key /etc/pki/tls/BAHL/rdamedia.key;
server_name wcs.rdamedia.bankalhabib.com;
server_tokens off;
client_max_body_size 500m;
proxy_read_timeout 10m;

include /etc/nginx/default.d/*.conf;

location / {
}

location /wss {
if ($http_connection !~* "upgrade") {
return 403;
}
if ($http_upgrade !~* "websocket") {
return 403;
}
proxy_set_header Host $host;
proxy_pass http://192.168.0.152:8081;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}

error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

}

 

[Max]

#server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;

# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

error_page 404 /404.html;
location = /404.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

You have commented server in the head of this block, but left the block uncommented.
Either uncomment server or comment all this block.

 

[Arif Butt]

After uncomment server tag given below error is occurred and nginx service is not start.



2024/03/05 01:49:28 [emerg] 12519#12519: "server" directive is not allowed here in /etc/nginx/nginx.conf:57

It is possible to check this on remote with our test server?

 

[Max]

Please copy the full nginx configuration example from this page: Reverse proxy setup with basic authentication for Websocket

Replace the content of nginx.conf file, then change SSL certificate and key paths, domain and WCS IP address in proxy_pass directive.
If nginx still does not start, please provide SSH access to the server using this form.

 

[Arif Butt]

Hi there,
nginx has started now but when running the command on browser it is giving this error
wss://systemuser:systempassword@apps.zrg.com:443/wss

This site can’t be reached
The webpage at wss://systemuser:systempassword@apps.zrg.com/wss might be temporarily down or it may have moved permanently to a new web address.

The access information is given in the above form, please check and update