Encrypted SSL

Arif Butt

Member
Hi there

Our client, which is a financial institute, asked for a possibility to install an encrypted SSL on their WCS Server. We have tried to do the same but got an error. Kindly assist us on how to implement that to get this security vulnerability addressed, or any other option to make the communication secure.

Thanks
AB
 

Max

Administrator
Staff member
Hello

We have raised an internal ticket to support encrypted SSL certificates:
WCS-3920

Please note:

1) If you import encrypted SSL files, the WCS server asks for the decryption password on each launch.
This means that when you start the server with ./webcallserver start
the command line will prompt for the password, and somebody must enter a valid password for the encrypted files.

2) We do not provide any ETA for this ticket. Will inform through this thread about progress.
 

Arif Butt

Member
Currently it is giving NULL alert when uploading the encrypted PEM file

Can you assist on how to give password when loading the encrypted SSL?

Thnx
 

Arif Butt

Member
Hi there,

While trying to follow the documentation, when executing the following it is asking for the keystore password. When entering a root password it is giving an error. Kindly let us know what to enter here? Currently there is a default self-signed certificate installed.

[root@apps /]# keytool -delete -alias selfsigned -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks
Enter keystore password:
Keystore password is too short - must be at least 6 characters


Thanks
AB
 

Arif Butt

Member
Hi there,

Is there any update on this issue, internal ticket WCS-3920?

The customer is asking for the same. Kindly share any tentative timeline.

Thnx
AB
 

Max

Administrator
Staff member
Hello

No updates for now.
Will be scheduled by internal priorities.
 

Arif Butt

Member
Hi there

We have tried to follow the instructions provided by you for the manual installation of the encrypted SSL, successfully generated the P12 file and then installed the SSL by following the above steps. We received the following warning during installation:

[Attached image: 1708435426649.png]


The driver is started successfully but it did not ask for the ssl password as we were assuming it.

After installation we are unable to access the site with https and the following is shown as the domain: 1

[Attached image: 1708435497371.png]


Kindly assist further, as the customer (a financial institute) keeps asking for the compliance.

We appreciate your help.

Regards
AB
 

Max

Administrator
Staff member
"The driver is started successfully but it did not ask for the ssl password as we were assuming it."
Seems like keytool also can't import an encrypted SSL certificate. Perhaps you should decrypt it manually before importing. Please ask the certificate provider about decryption instructions.
 

Max

Administrator
Staff member
You can use Nginx or Apache as a reverse proxy supporting encrypted private keys

Code:
server {
    listen 443 ssl;
    ssl_certificate /etc/pki/tls/yourdomain/yourdomain.crt;
    # Passphrase-protected private key
    ssl_certificate_key /etc/pki/tls/yourdomain/your-encrypted-domain.key;
    server_name wcs.yourdomain.com;
    server_tokens off;
    client_max_body_size 500m;
    proxy_read_timeout 10m;

    include /etc/nginx/default.d/*.conf;

    location / {
    }

    location /wss {
        # Reject anything that is not a WebSocket upgrade request
        if ($http_connection !~* "upgrade") {
            return 403;
        }
        if ($http_upgrade !~* "websocket") {
            return 403;
        }
        proxy_set_header Host $host;
        # Plain ws:// to the local backend; TLS ends at Nginx
        proxy_pass http://localhost:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

How it works:

1. You start Nginx (systemctl start nginx).
2. It prompts for the decryption password on each launch. The decryption password is applied to your encrypted private key file /etc/pki/tls/yourdomain/your-encrypted-domain.key
3. Nginx listens on port 443 (any port may be configured) for secure websocket connections.
4. The application connects to wss://wcs.yourdomain.com:443
5. Nginx proxies this connection to ws://localhost:8081

As a result, you are using an encrypted private key, as your customer requires.
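
Editor's added example, not part of the original posts and not Flashphoner's code: a shell check that tells whether a PEM key file is passphrase-protected (what keytool could not import and what Nginx prompts for) or plaintext (what a manual decrypt produces), and flags a plaintext key that is readable beyond its owner. The function names, the script name in the usage comment and the sample files are assumptions made for illustration.

```shell
# Added example, not from the thread. Only PEM armor and headers are read.

# pem_key_state FILE -> encrypted-pkcs8 | encrypted-legacy | plaintext | not-a-key
pem_key_state() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-pkcs8      # PKCS#8, passphrase needed to load
    elif grep -q '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        # Traditional OpenSSL keys flag encryption in a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted-legacy
        else
            echo plaintext        # e.g. the result of a manual decrypt
        fi
    else
        echo not-a-key            # certificate, CSR, or something else
    fi
}

# owner_only FILE -> exit 0 when group and others have no permission bits set
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_key FILE -> one-line verdict; exit 1 for an exposed plaintext key
audit_key() {
    state=$(pem_key_state "$1")
    if [ "$state" = plaintext ] && ! owner_only "$1"; then
        echo "$1: plaintext key readable beyond owner"; return 1
    fi
    echo "$1: $state"
}

# Constructed samples: armor and headers only, the base64 body is a dummy.
make_samples() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8-enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy-enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$1/plain.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$1/site.crt"
}

# Usage (hypothetical script name): sh pemcheck.sh /path/to/key ...
for f in "$@"; do audit_key "$f"; done
```

If a key is decrypted for import into the keystore, the plaintext copy is protected only by file permissions, which is the case `audit_key` reports.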
 