SSL/TLS and Certificates

SSL/TLS Overview

SSL/TLS, secure socket layer and transport layer security, provides encryption of TCP/IP data being sent over the internet, and also allows client and server to confirm the identity of the other party with X509 SSL/TLS certificates.  Secure Socket Layer (SSL) comprised old protocols that are no longer considered secure, SSLv2 and SSLv3, and have been replaced by newer Transport Layer Protocols TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3.   Technically SSL is no longer used, but the name is so common we generally use SSL/TLS now instead of TLS alone.  ComCap has a security feature that restricts which SSL/TLS protocols can be used, as of January 2020, it is recommended by Google and others that only TLSv1.2 and TLSv1.3 are now used, all earlier protocols are considered weak, but ComCap still supports them for compatibility with older hardware.  

SSL/TLS is not supported for UDP in ComCap.

There is no automatic SSL/TLS negotiation, both ends of the connection need to support SSL/TLS (or not) for a connection to work, if one end does not support SSL/TLS, the connection will fail without any real error.

SSL/TLS TCP Client

TCP/IP Client is easy to set-up, really just a tick box, does not need a certificate, unless the server specifically want to check the identity of client.which ComCap does not yet support.  ComCap may optionally verify the remote server certificate to ensure it is talking to the correct server, but this increases the time for a connection to made while certificates are transmitted and checked, potentially causing the connection to fail.  Also, ComCap needs the trusted root certificate used to sign the server's certificate, which is how the chain of trust is proved.  ComCap can check certificates against an included PEM Bundle File with a few hundred root certificates:

C:\ProgramData\Magenta-Systems\ComCap5\Certificates\RootCaCertsBundle.pem

This file name is setup in Common Settings, Network Options. Or certificates may be checked using the Windows Certificate Store that is used by Internet Explorer and other applications. This is periodically updated through Windows Update, and there are Windows tools to view and add certificates.  For the store only, certificate revocation can be checked, beware this requires internet access and can take several seconds, or longer.

The checked SSL/TLS certificate chain may be logged similarly to:

Server: Issued to (CN): test6.comcap.co.uk

Alt Domains (SAN): test6.comcap.co.uk

Issued by (CN): Let's Encrypt Authority X3, (O): Let's Encrypt

Expires: 26/04/2020 15:41:55, Signature: sha256WithRSAEncryption

Valid From: 27/01/2020 15:41:55, Serial Number: 03d53ed8c2dd0503bbbf2ea1e846cb4b9c5d

Fingerprint (sha256): 1d4c8fade563c640899483b9295fd2ee7dad71f4f8b557050edb5f51901309aa

Public Key: RSA Key Encryption 2048 bits, 112 security bits

Intermediate: Issued to (CN): Let's Encrypt Authority X3, (O): Let's Encrypt

Issued by (CN): DST Root CA X3, (O): Digital Signature Trust Co.

Expires: 17/03/2021 16:40:46, Signature: sha256WithRSAEncryption

Valid From: 17/03/2016 16:40:46, Serial Number: 0a0141420000015385736a0b85eca708

Fingerprint (sha256): 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d

Public Key: RSA Key Encryption 2048 bits, 112 security bits

Trusted CA: Issued to (CN): DST Root CA X3, (O): Digital Signature Trust Co.

Issuer: Self Signed

Expires: 30/09/2021 14:01:15, Signature: sha1WithRSAEncryption

Valid From: 30/09/2000 21:12:19, Serial Number: 44afb080d6a327ba893039862ef8406b

Fingerprint (sha256): 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739

Public Key: RSA Key Encryption 2048 bits, 112 security bits

which is public certificate signed by an intermediate certificate, signed by a root certificate in the Windows store and PEM file.

It is also possible the certificate may be locally issued and self signed, similarly to:

Server: Issued to (CN): pc20-web4.magenta, (O): Magenta Systems Ltd, (OU): ComCap Self Signed Certificate

Alt Domains (SAN): pc20-web4.magenta

Issuer: Self Signed

Expires: 03/02/2030 16:39:24, Signature: sha256WithRSAEncryption

Valid From: 27/01/2020 16:39:24, Serial Number: 58563b752fdb1be5

Fingerprint (sha256): d75fbfb929fe780920b3f2b7c6da83852ecc4fa0960102a9e4b8ebc01824119c

Public Key: RSA Key Encryption 2048 bits, 112 security bits

This certificate was created by ComCap, by clicking the Create Local SSL Certificate button at Capture Settings, Network Options. .

SSL/TLS TCP Server

For TCP/IP Server SSL/TLS certificates are essential, since they control encryption as well as verification. Although an SSL certificate is generally issued to a domain host name, ComCap will be unaware of this host name, only the IP address can be specified.

There are effectively four classes of SSL/TLS X509 certificates, Domain Validated, Organisation Validated and Extended Validated, in order of cost and benefit, usually with three variations, single domain, multiple domains (SANs), and wildcard. Adding multiple domains to a certificate can ease administration and is cheaper than multiple certificates, wild card means any subdmains usually for the cost of about six single domains.

Local Self Signed Certificates

As mentioned above ComCap will generate a free SSL/TLS certificate by clicking the Create Local SSL Certificate button at Capture Settings, Network Options. This is fine for testing and internal use, but it will not successfully chain validate since it is not signed by a trusted root certificate.

Domain Validated Certificates

Domain Validated certificates prove the server to which you connect  is using the correct domain name.  Issuance is mostly automated so they are cheap (£10 to £25/year) or free from Let's Encrypt.  There are various automated  challenge methods: file validation where the supplier checks for a specific file under the domain, usually http://domain/.well-known/file, domain validation where a special DNS record is created that can be accessed by the supplier, TLS-ALPN SSL SNI (server name indication) validated where an https://domain/ connection is opened passing data using the ALPN extension, with the server returning a special self signed SSL certificate. and email validation where an email is sent to a predefined address at the domain, ie admin@domain, with a supplier link that must be clicked to confirm receipt and domain ownership.

ComCap supports file validation by Let's Encrypt, with most of the settings at Common Settings, Network Options and channel specific settings at Capture Settings, Network Options where there is a button Order Public Certificate Now that will immediately order, download and install a domain validated Let's Encrypt certificate, provided the ComCap channel is available from the public internet by a domain name.  ComCap will automatically renew Let's Encrypt certificates before the three month expiry.

If you buy a domain validated certificate, the server certificate, private key and intermediate file names must be specified at Capture Settings, Network Options, and it will need to be renewed annually.

Organisation and Extended Validated certificates

These certificates are issued against both a domain name and an organisation name, with extended that may may appear in the browser bar, but that is not important to ComCap. Organisation and Extended Validated can be ordered online, but require manual validation that the company or organisation legally exists and is entitled to use the domain name, which may take several days or weeks for extended validation if legal evidence is required. Once approved, the certificate and be downloaded and installed manually in ComCap.