balder

TLS explained

5 posts in this topic

Ok, a couple of people have asked about TLS so I am going to write a small guide.

Before I start please read the following topics:

http://forums.apexdc.net/index.php?showtopic=578

http://forums.apexdc.net/index.php?showtopic=322

http://dcpp.net/forum/viewtopic.php?t=19054

http://dcpp.net/forum/viewtopic.php?t=35

These are topics which discuss the caveats of TLS.

Ok, first of all you need to download OpenSSL. I use this package for Windows.

Install this package accepting all defaults.

I chose not to overwrite the three files mentioned. This is your choice. Both will work, but overwriting the files may cause other programs that use SSL to stop working. Most users don't have programs that use SSL.

Ok, now you need to add the OpenSSL bin directory to your system path.

Right click My Computer -> select Properties -> select Environment Variables.

Under System Variables locate Path and select Edit. Ooh, it appears that the installer places OpenSSL on the path for you. Just in case, make sure that C:\OpenSSL\bin is somewhere in this variable. If not, place a ';' at the end of the variable value and add C:\OpenSSL\bin.

Now that all that is done you should be able to open Apex settings, go to Security and select Generate certificate.

You will need to set up port forwarding on the TLS port, and this port will need to be different from the TCP and UDP ports.

Ok, now you need to learn what TLS is, how it offers security and what it doesn't do.

If you leave all of the other options in place, then if either a hub or a client supports TLS you will connect to them over an encrypted channel.

If you untick "allow TLS connections to hubs without trusted certificates", then if you want to connect to a hub over an encrypted channel you need to put the hub's certificate into your trusted certificate folder (C:\Program Files\ApexDC++\Settings\Certificates\).

If you untick "allow TLS connections to clients without trusted certificates", then if you want to connect to a client (download) over an encrypted channel you need to put that user's client certificate into your trusted certificate folder (C:\Program Files\ApexDC++\Settings\Certificates\).

With all of that said, ADCS is very unstable and unsupported. If any of this doesn't work you should report the errors to the DC++ forums.

If you have any corrections to this guide please post them below; it will be appreciated.

Here is a link to the ADC protocol draft.


Well, first of all, thanks for the instructions.

With ApexDC 1.1.0 it's possible to create the certificates.

With some other clients it is not; maybe they still have bugs in the TLS section.

But now I have some more questions:

1. Is it really true that, if two clients have generated these certificates in the right folder, a TLS encrypted connection is used automatically between them without exchanging the user's client certificate (client.crt)? Does ApexDC send this 'public key' automatically to the other client?

2. Is it really true that only if I untick the "allow TLS connections to ..." checkboxes do I need to put the other user's certificate into my trusted certificate folder?

3. How do I do that exactly? The other user's certificate will have the same filename as my own certificate in the same folder. I guess I should not overwrite my own certificate with that other user's one.

4. If really everything is right and the connection is TLS encrypted, how can I see that? What is the proof of an encrypted connection?

Hopefully there is somebody out there who already has experience with that.


Well, I found some more information and can now answer some of my questions myself.

Apparently there are two kinds of encrypted transfers: trusted and untrusted.

And it seems that only for trusted encrypted transfers it is necessary to exchange the client (or Hub) certificates.

And an encrypted transfer can be identified by the prefix in the transfer bar:

A at the beginning of the progress bar means it is a trusted encrypted transfer.

A at the beginning of the progress bar means it is an untrusted encrypted transfer.

OK, now just one question is left:

How do I place the other user's (or hub's) certificate into my own trusted certificate folder without overwriting my own certificates?

Renaming it? - If yes, to which name?

And how is Apex then able to assign that certificate to the right client or hub?

Thanks in advance.


I guess any name will do and Apex will scan the folder and try to match the cert you copied with the one the peer has, so that Apex really can assign it. Sorry for such an inaccurate answer, but I still have not used TLS. Feel free to check and observe the difference, or google it...

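As an added example (not code from this thread or from ApexDC++), here is a POSIX shell script for the "how do I store the other user's certificate without overwriting my own" question above: it files a peer's PEM certificate under a name derived from its SHA-1 fingerprint, so it can never collide with your own client.crt, and checks whether a certificate is already trusted by fingerprint rather than by filename, which is the kind of matching the last reply guesses Apex does. It assumes one certificate per .crt file in the trusted folder and needs only coreutils; the certificate body in the demo is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not ApexDC++ code. Assumes one PEM certificate per .crt file.
# Needs only coreutils: sed, tr, grep, base64, sha1sum, cut, cp.

# cert_fingerprint FILE: SHA-1 fingerprint of the DER body, as AA:BB:...
# (the value "openssl x509 -noout -fingerprint -sha1" prints for the same file).
cert_fingerprint() {
    tr -d '\r' < "$1" \
      | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' \
      | sed '1d;$d' \
      | base64 -d 2>/dev/null \
      | sha1sum | cut -d' ' -f1 \
      | tr 'abcdef' 'ABCDEF' | sed 's/../&:/g; s/:$//'
}

# is_trusted CERT TRUSTDIR: 0 if some .crt in TRUSTDIR has the same
# fingerprint as CERT, whatever that file was named; 1 otherwise.
is_trusted() {
    want=$(cert_fingerprint "$1")
    for f in "$2"/*.crt; do
        [ -f "$f" ] || continue
        [ "$(cert_fingerprint "$f")" = "$want" ] && return 0
    done
    return 1
}

# trust_peer_cert CERT TRUSTDIR: copy CERT into TRUSTDIR as <fingerprint>.crt
# and print the new path. Returns 1 if CERT is not a PEM certificate,
# 2 if a certificate with the same fingerprint is already trusted.
trust_peer_cert() {
    cert="$1"; dir="$2"
    if ! grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null; then
        echo "not a PEM certificate: $cert" >&2
        return 1
    fi
    mkdir -p "$dir"
    if is_trusted "$cert" "$dir"; then
        echo "already trusted: $cert" >&2
        return 2
    fi
    fp=$(cert_fingerprint "$cert" | tr -d ':' | tr 'ABCDEF' 'abcdef')
    cp "$cert" "$dir/$fp.crt" && echo "$dir/$fp.crt"
}

# Demo with a constructed placeholder body (base64 of "hello"), not a real certificate.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'aGVsbG8=' '-----END CERTIFICATE-----' > "$demo_dir/peer.crt"
echo "fingerprint: $(cert_fingerprint "$demo_dir/peer.crt")"
trust_peer_cert "$demo_dir/peer.crt" "$demo_dir/trusted"
rm -rf "$demo_dir"
```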