SSL + reverse TCP

12 posts / 0 new
Last post
apple_python_pi
SSL + reverse TCP

I'm attempting to connect a purchased pi linux server in a private network with a windows 2019 server VM on wide area network. I can connect no problem without SSL but the device doesn't show up when attempting to user SSL. I'm not sure what I'm doing wrong. I followed the instructions on the SSL page. Any help is greatly appreciated!

Pi server config.ini :
```
It=
EasyFindId=
EasyFindPin=
License=
SSLCert=/home/pi/ssl/server.pem
ReverseClients=:7572
SSLPort=7572
SSLUseClientCerts=0
```

Windows client:

"Enable Reverse SSL Connections" checked
Firewall: TCP local port 7572 open, with all remote ports enabled

Interestingly, if I comment out all the SSL parameters on the server config.ini, and attempt to connect via 7572, the Pi's WAN IP shows up in the VirtualHere client. But of course, since its attempting to connect on the SSL port, it drops a the connection with: "Reverse SSL Error -0x6800 during SSL handshake when connecting to ". So perhaps this has something to do with my pi server's SSL configuration parameters?

apple_python_pi
SSL + reverse TCP

the filtered HTML removed my brackets, here is the configuration I used that is causing problems:

Pi server config.ini :

It=
EasyFindId=
EasyFindPin=
License=
SSLCert=/home/pi/ssl/server.pem
ReverseClients=:7572
SSLPort=7572
SSLUseClientCerts=0

Michael
.

Stop the server, remove the SSLPort=7272 entry from the server config.ini file and start the server

In the client right click USB Hubs->Specify Hubs->Advanced -> Check Enable Reverse SSL

And on the client side right click USB Hubs->Advanced Settings...->SSL->Set the certificate authority file of the server i.e the ca.pem file

And it should work.

apple_python_pi
SSL + reverse TCP

I tried your suggestion however I'm still having the same issue, perhaps my logs and configuration files would help find the issue?

windows client:

2020-07-28 17:21:15 INFO :VirtualHere Client 5.0.7 starting (Compiled: Jul 27 2020 12:10:38)
2020-07-28 17:21:15 INFO :Client OS is Windows Server 2016 (build 14393), 64-bit edition
2020-07-28 17:21:15 INFO :Using config at C:\Users\user\AppData\Roaming\vhui.ini
2020-07-28 17:21:15 INFO :IPC available at \\.\pipe\vhclient
2020-07-28 17:21:15 INFO :Using SSL CA File C:\Users\user\Desktop\ca.pem
2020-07-28 17:21:15 INFO :Auto-find (Bonjour) on
2020-07-28 17:21:15 INFO :Auto-find (Bonjour SSL) on
2020-07-28 17:21:15 INFO :SSLReverseLookupService listening on port 7572 (IPv6 dual-stack)

windows client vhui.ini:

[Transport]
EasyFindId="id"
EasyFindPin="pin"
PingInterval=3
PingTimeout=10
CompressionLimit=384
[General]
MainFrameWidth=400
MainFrameHeight=250
SSLReverseLookup=1
SSLClientCert=
SSLCAFile=C:\\Users\\user\\Desktop\\ca.pem
QualifyByName=0
QualifyByInterface=0
AutoUseDelaySec=0
RetryAutoUseDelaySec=2
AutoRefreshLookupPeriod=30
BonjourLookupTimeout=4
BonjourResolverTimeout=2
Language=EN-US

linux server syslog:

Jul 28 17:18:07 raspberrypi systemd[1]: Stopped VirtualHere USB Sharing.
Jul 28 17:18:34 raspberrypi systemd[1]: Started VirtualHere USB Sharing.
Jul 28 17:18:34 raspberrypi root: VirtualHere settling...
Jul 28 17:18:35 raspberrypi root: VirtualHere settled
Jul 28 17:18:35 raspberrypi vhusbdarmpi4[14686]: >>> Starting VirtualHere USB Server v4.2.0 (Built: Jul 27 2020, 11:37:47)<<<
Jul 28 17:18:35 raspberrypi vhusbdarmpi4[14686]: Using configuration /usr/sbin/config.ini
Jul 28 17:18:35 raspberrypi vhusbdarmpi4[14686]: Using SSL Server certificate at /home/pi/ssl/server.pem
Jul 28 17:18:35 raspberrypi vhusbdarmpi4[14686]: Server licensed to=xxxxxxxxxxxxxxxx max_devices=unlimited
Jul 28 17:18:35 raspberrypi vhusbdarmpi4[14686]: Using large URB's
Jul 28 17:18:35 raspberrypi vhusbdarmpi4[14686]: Listening on all network interfaces at TCP SSL port 7574 (IPv6 dual-stack)
Jul 28 17:18:35 raspberrypi vhusbdarmpi4[14686]: Found High speed device [0957:0718] "Agilent Technologies, Inc." at address 114
Jul 28 17:18:35 raspberrypi vhusbdarmpi4[14686]: VirtualHere USB Server is running...press CTRL-C to stop

linux server config.ini:

It="it"
EasyFindId="id"
EasyFindPin="pin"
License="license"
SSLCert=/home/pi/ssl/server.pem
ReverseClients="windows-ip-address":7572
SSLUseClientCerts=0

Michael
.

I did a quick setup of the reverse ssl on my test server and client and it worked fine. so im wondering if its possible that port7572 is blocked on the client side with a firewall? Here are the relevant parts of my server config.ini and client vhui.ini

config.ini
-----------

sslCert=/home/debian/server.pem
SSLReverseClients=192.168.1.125:7572

vhui.ini
----------

[General]
SSLClientCert=
SSLCAFile=E:\\virtualhere\\cert\\test\\ca.pem
SSLReverseLookup=1
apple_python_pi
.

Hmm yeah I did explicitly make a rule that opened port 7572. Perhaps something else I'm not thinking of is blocking it. I'm going to try with a linux VM and see if I can get it working there

apple_python_pi
.

yup i am stupid, I thought I had typed out SSLReverseClients when in fact I had only written ReverseClients. Thank you for your help Michael!

Michael
.

Ah ok :) I missed that in your ini files you posted too

apple_python_pi
This time using client certificates

Hi Michael,

I decided to test out using client-based certificates in my setup (raspi server, ubuntu vm). Using server side certificates works great but I'm having trouble with client side certificates. I followed the self-generated certificates instructions on the SSL instructions page. It looks like everything is working correctly on the client side but on the server side it doesn't mention that it is running TCP SSL: Listening on all network interfaces at TCP port 7575. When using server-based certificates this would say Listening on all network interfaces at TCP SSL port 7574 (IPv6 dual-stack). Any suggestions on how to fix this?

Here are my config files:

# config.ini


SSLReverseClients=xxx.xxx.xxx.xxx
License=license
SSLUseClientCerts=1
SSLCAFile=/home/pi/ca.pem

# .vhui


[General]
SSLClientCert=c:/home/user/ssl/client.pem
SSLCAFile=
SSLReverseLookup=1

Server side syslog output:

Aug 17 21:20:08 pi vhusbdarmpi4[3409]: >>> Starting VirtualHere USB Server v4.2.0 (Built: Jul 27 2020, 11:37:47)<<<
Aug 17 21:20:08 pi vhusbdarmpi4[3409]: Using configuration /usr/sbin/config.ini
Aug 17 21:20:08 pi vhusbdarmpi4[3409]: Server licensed to=xxxxxxxxxxxxxxxx max_devices=unlimited
Aug 17 21:20:08 pi vhusbdarmpi4[3409]: Using large URB's
Aug 17 21:20:08 pi vhusbdarmpi4[3409]: Listening on all network interfaces at TCP port 7575

Client side syslog output:

Aug 17 20:59:48 ubuntu-VM VirtualHere Client: VirtualHere Client 5.0.7 starting (Compiled: Jul 27 2020 12:15:36)
Aug 17 20:59:48 ubuntu-VM VirtualHere Client: Client OS is Linux 5.4.0-42-generic x86_64
Aug 17 20:59:48 ubuntu-VM VirtualHere Client: Using config at /home/user/.vhui
Aug 17 20:59:48 ubuntu-VM VirtualHere Client: IPC available at /tmp/vhclient
Aug 17 20:59:48 ubuntu-VM VirtualHere Client: Auto-find using Bonjour - on
Aug 17 20:59:48 ubuntu-VM VirtualHere Client: Auto-find using Bonjour SSL - on
Aug 17 20:59:48 ubuntu-VM VirtualHere Client: SSLReverseLookupService listening on port 7572

apple_python_pi
further info

So I found out that on the server side, it seems to only recognize the CA file when I include SSLCert=. In the output below, I'm obviously getting a read/write error because the SSLCert= is not specified but I want the server to recognize the CA file when SSLCert= is commented out. I've also tested this without using reverse SSL in my local network and using client certificates are still not working for me :/


# config.ini
License=license
SSLUseClientCerts=1
SSLCAFile=/home/pi/ca.pem
SSLCert=

Aug 18 19:08:27 pi vhusbdarmpi4[5248]: >>> Starting VirtualHere USB Server v4.2.0 (Built: Jul 27 2020, 11:37:47)<<<
Aug 18 19:08:27 pi vhusbdarmpi4[5248]: Using configuration /usr/sbin/config.ini
Aug 18 19:08:27 pi vhusbdarmpi4[5248]: Using SSL Server certificate at
Aug 18 19:08:27 pi vhusbdarmpi4[5248]: Using SSL CA at /home/pi/ca.pem
Aug 18 19:08:27 pi vhusbdarmpi4[5248]: Clients are required to use SSL Client certificates
Aug 18 19:08:27 pi vhusbdarmpi4[5248]: Server licensed to=xxxxxxxxxxxxxxx max_devices=unlimited
Aug 18 19:08:27 pi vhusbdarmpi4[5248]: Using large URB's
Aug 18 19:08:27 pi vhusbdarmpi4[5248]: Error -0xffffc200 loading SSL Certificate file , PK - Read/write of file failed
Aug 18 19:08:27 pi vhusbdarmpi4[5248]: Error starting server

Michael
.

Sorry forgot to respond to your post yesterday.

I followed the instructions on https://www.virtualhere.com/ssl_setup and it works so i looked at my settings for the client and server and it has the following:

config.ini (Server side)

RemoteAdmin=1
RemoteAdminPassword=cloudhub66
It=1582837653
EasyFindId=YNhhPEyzsTnBW3UobZUF6p
EasyFindPin=5zXsur
ServerName=CloudHub_GLMT300NV2
License=ch9483c400c662,0,MCECDlHADqEtBlLmfgFHy7GqAg8Aq3ThBYRNNlZbriB2iuo=
SSLUseCLientCerts=1
SSLCAFile=/root/ca.pem
SSLCert=/root/server.pem
SSLReverseClients=192.168.1.125:7572

vhui.ini (Client side)
--------------

[Transport]
EasyFindId=3VjRofFCDoexNcXPBg2bjv
EasyFindPin=2Sq4u9
PingInterval=3
PingTimeout=10
CompressionLimit=384
[General]
MainFrameWidth=766
MainFrameHeight=548
SSLClientCert=E:\\virtualhere\\cert\\test\\client.pem
SSLCAFile=E:\\virtualhere\\cert\\test\\ca.pem
QualifyByName=0
QualifyByInterface=0
AutoUseDelaySec=0
RetryAutoUseDelaySec=2
AutoRefreshLookupPeriod=30
BonjourLookupTimeout=4
BonjourResolverTimeout=2
Language=EN-US
SSLReverseLookup=1
AutoFind=0
[AutoShare]
ch9483c400c662.24577.1027=0
ch9483c400c662.24577.1027.21=0
ch9483c400c662.21=0
chdca63200298f.8457.21325=0
chdca63200298f.8457.21325.114=0
chdca63200298f.114=0
apple_python_pi
.

It works! Thanks Michael, your settings work for me!

Log in or register to post comments