Encrypted SSL

Arif Butt

Member
Hi there

Our client, which is a financial institute, asked for the possibility to install an encrypted SSL on their WCS server. We have tried to do the same but got an error. Kindly assist us on how to implement that to get this security vulnerability addressed, or any other option to make the communication secure.

Thanks
AB
 

Max

Administrator
Staff member
Hello

We have raised an internal ticket to support encrypted SSL certificates:
WCS-3920

Please note:

1) If you import encrypted SSL files, the WCS server asks for the decryption password at each launch.
This means that when you start the server with ./webcallserver start,
the command line will prompt for a password, and somebody must enter the valid password for the encrypted files.

2) We do not provide any ETA for this ticket. We will inform you about progress through this thread.
 

Arif Butt

Member
Currently it is giving a NULL alert when uploading the encrypted PEM file.

Can you assist on how to give the password when loading the encrypted SSL?

Thanks
 

Arif Butt

Member
Hi there,

While trying to follow the documentation, executing the following asks for the keystore password; when entering the root password it gives an error. Kindly let us know what to enter here? Currently there is a default self-signed certificate installed.

[root@apps /]# keytool -delete -alias selfsigned -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks
Enter keystore password:
Keystore password is too short - must be at least 6 characters


Thanks
AB
 

Arif Butt

Member
Hi there,

Is there any update on this issue, internal ticket WCS-3920?

The customer is asking for the same; kindly share any tentative timeline.

Thanks
AB
 

Max

Administrator
Staff member
Hello

No updates for now.
It will be scheduled according to internal priorities.
 

Arif Butt

Member
Hi there

We have tried to follow the instructions provided by you for the manual installation of the encrypted SSL, successfully generated the P12 file and installed the SSL by following the above steps. We received the following warning during installation:

[screenshot attachment: 1708435426649.png]

The driver started successfully, but it did not ask for the SSL password as we were assuming it would.

After installation we are unable to access the site with https, and the following is shown as the domain: 1

[screenshot attachment: 1708435497371.png]

Kindly assist further, as the customer (a financial institute) keeps asking for the compliance.

We appreciate your help.

Regards
AB
 

Max

Administrator
Staff member
The driver is started successfully but it did not ask for the ssl password as we were assuming it.
Seems like keytool also can't import an encrypted SSL certificate. Perhaps you should decrypt it manually before importing. Please ask the certificate provider for decryption instructions.
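As an added illustration (not Flashphoner's code, and not from the thread), the two PEM layouts in which an "encrypted" private key usually arrives, and a small check that tells them apart from an unencrypted key, which is the only form a plain keytool/P12 import accepts. The sample keys below are constructed placeholders, not real key material.

```python
"""Added check: tell an encrypted PEM private key apart from an unencrypted one."""
import re

# Constructed samples; the base64 bodies are placeholders, not real key material.
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIplaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpAIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""
PLAIN_PKCS8 = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCplaceholder
-----END PRIVATE KEY-----
"""

_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def classify_pem_key(pem_text):
    """Return (format, encrypted) for the first private-key block found,
    or None if the text holds no private key (e.g. only a certificate)."""
    for match in _BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if label == "ENCRYPTED PRIVATE KEY":
            return "pkcs8", True      # PKCS#8 EncryptedPrivateKeyInfo
        if label == "PRIVATE KEY":
            return "pkcs8", False     # PKCS#8 PrivateKeyInfo, no password
        if label.endswith(" PRIVATE KEY"):
            # Traditional OpenSSL format ("RSA"/"EC PRIVATE KEY"): encryption is
            # signalled by RFC 1421 headers before the blank line, not by the label.
            headers = body.split("\n\n", 1)[0] if "\n\n" in body else ""
            encrypted = "Proc-Type: 4,ENCRYPTED" in headers
            return label.rsplit(" PRIVATE KEY", 1)[0].lower(), encrypted
    return None


def needs_password_before_import(pem_text):
    """True when the key must be decrypted first, as Max describes above."""
    result = classify_pem_key(pem_text)
    return result is not None and result[1]
```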
 

Max

Administrator
Staff member
You can use Nginx or Apache as a reverse proxy, since both support encrypted private keys:

Code:
server {
    listen 443 ssl;
    ssl_certificate /etc/pki/tls/yourdomain/yourdomain.crt;
    ssl_certificate_key /etc/pki/tls/yourdomain/your-encrypted-domain.key;
    server_name wcs.yourdomain.com;
    server_tokens off;
    client_max_body_size 500m;
    proxy_read_timeout 10m;

    include /etc/nginx/default.d/*.conf;

    location / {
    }

    location /wss {
        if ($http_connection !~* "upgrade") {
            return 403;
        }
        if ($http_upgrade !~* "websocket") {
            return 403;
        }
        proxy_set_header Host $host;
        proxy_pass http://localhost:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

How it works:

1. You start Nginx (systemctl start nginx).
2. It prompts for the decryption password at each launch. The password is applied to your encrypted private key file /etc/pki/tls/yourdomain/your-encrypted-domain.key.
3. Nginx listens on port 443 (any port may be configured) for secure websocket connections.
4. The application connects to wss://wcs.yourdomain.com:443.
5. Nginx proxies this connection to ws://localhost:8081.

As a result, you are using an encrypted private key as your customer requires.
 

Max

Administrator
Staff member
Please share your full nginx config.

See also:

Full nginx configuration file example:

Listen directive is not allowed here (error message):
 

Arif Butt

Member
Please see the following config file; please assist further...


# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    #server {
        listen 80;
        listen [::]:80;
        server_name _;
        root /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    # Settings for a TLS enabled server.

    server {
        listen 443 ssl;
        ssl_certificate /etc/pki/tls/BAHL/rdamedia.crt;
        ssl_certificate_key /etc/pki/tls/BAHL/rdamedia.key;
        server_name wcs.rdamedia.bankalhabib.com;
        server_tokens off;
        client_max_body_size 500m;
        proxy_read_timeout 10m;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        location /wss {
            if ($http_connection !~* "upgrade") {
                return 403;
            }
            if ($http_upgrade !~* "websocket") {
                return 403;
            }
            proxy_set_header Host $host;
            proxy_pass http://192.168.0.152:8081;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

}
 

Max

Administrator
Staff member
#server {
    listen 80;
    listen [::]:80;
    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
You have commented out the server line at the head of this block, but left the rest of the block uncommented.
Either uncomment server or comment out the whole block.
 

Arif Butt

Member
After uncommenting the server tag, the error given below occurs and the nginx service does not start.



2024/03/05 01:49:28 [emerg] 12519#12519: "server" directive is not allowed here in /etc/nginx/nginx.conf:57

Is it possible to check this remotely on our test server?
 

Arif Butt

Member
Hi there,
nginx has started now, but when running the command in the browser it gives this error:
wss://systemuser:systempassword@apps.zrg.com:443/wss

This site can’t be reached
The webpage at wss://systemuser:systempassword@apps.zrg.com/wss might be temporarily down or it may have moved permanently to a new web address.

The access information is given in the form above; please check and update.
 