#1 Posted : Sunday, July 13, 2014 11:03:40 PM(UTC)

Today I was playing with a free SSL certificate from startssl.com.

I set my server to listen on port 1443, and everything works perfectly (I mean connecting from Windows IE, Chrome, Mac Safari and the iPad app; with Firefox there are actually some troubles with chain certs, but that's not important for me).
Unfortunately, the Android client doesn't work.
It immediately closes the connection as soon as I press the 'connect as guest' or 'connect as host' button.

I didn't try to set the normal 443 port (no time, and the Android phone wasn't mine, so...)

#2 Posted : Tuesday, July 15, 2014 4:00:34 PM(UTC)

Can you connect to your site via your phone's internet browser normally? If you can log in and see your Host page via Chrome or any other Android internet browser, joining a session should prompt you to use the ScreenConnect app, and approving the message will let the app take over.
ScreenConnect Team
thanks 1 user thanked Scott for this useful post.
candeo on 7/15/2014(UTC)
#3 Posted : Tuesday, July 15, 2014 4:19:32 PM(UTC)

Thanks Scott! I'm so dumb.. of course..
I checked it on my son's phone, and using Chrome, it yells about a bad quality certificate, or something like that. If I accept it and try to join a session, everything goes fine.

My fault. I'll get a better quality (I mean 'paid') SSL certificate soon.
#4 Posted : Tuesday, July 15, 2014 5:19:06 PM(UTC)
Paul Moore

There's nothing wrong with StartSSL certs. If you're getting errors, that's down to misconfiguration not the 'quality' of the cert.

You've either put the certs in the wrong order, or you have unnecessary roots/chains which break some browsers.

If you can post the error or the URL, it'll be easier to diagnose.

Cheers :)
ScreenConnect Reporting - Collects live & historical information including session times.
#5 Posted : Monday, July 21, 2014 5:33:56 PM(UTC)

Thank you Cresona for your reply.

First of all, here's what I did.
I didn't make any nginx or Apache redirections, nor use any of the ScreenConnect SSL scripts; I just simply:
- "bought" a free cert from StartSSL
- decrypted and converted the private key related to that cert with pvktool under Windows
- changed the filenames of the cert and key to 1443.cer and 1443.pvk
- created the httplistener directory in the appropriate place (/opt/screenconnect/App_Runtime/etc/.mono/httplistener) on my Linux server
- ... and put the 1443.cer and 1443.pvk files there
- changed WebServerListenUri in web.config (<add key="WebServerListenUri" value="https://+:1443/" />)
- restarted the SC service

Everything (except Firefox and the native SC Android app) works like a charm.

Of course, there is a problem with root and intermediate certs, but as long as the developers do not resolve this 'Mono does not currently support a certificate chain and will ignore any intermediate certificates' issue, there's not much we can do.

For now, I'm happy, because I can manually trust the site in the Android native browser, join a session, and the ScreenConnect Client works.
Also, I can ignore the Firefox warning, and everything works.

All other browsers work fine. (Well, I didn't test the exotic ones.)

Now I only keep my fingers crossed for the great ScreenConnect developers, and I believe they will overcome that Mono webserver problem.

Thanks again and have a nice day.

#6 Posted : Wednesday, July 23, 2014 1:59:33 AM(UTC)

Originally Posted by: candeo
Now I only keep my fingers crossed for the great ScreenConnect developers, and I believe they will overcome that Mono webserver problem.

Well, they actually did it, so please ignore my previous post, because now everything (Mozilla, Android app, Safari and iOS apps, Chrome, IE>=7 and Opera) is working correctly.

Now - the question - how?

Below is a simple tutorial on how I enabled fully operational SSL support on Linux.

What you need
  • First of all, you need a certificate with the private key connected with it.
    Every certificate authority provides a tutorial on how to buy a cert, so just follow the instructions while ordering a cert, and everything should be OK.
  • You also need the openssl package, to get some cert fingerprints, and the PVK package to convert your private key into a form recognized by Mono.
  • Last thing: the intermediate certificate. After purchasing the certificate, check your cert provider's homepage for manuals on how to get their intermediate cert file.

Cert formats
  • Make sure you have all files (certificate, private key, and the intermediate cert downloaded later) in PEM format, which looks something like this:

    your private key:
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,A479C6593FC9D38754A1822BE7402A45
    ...
    -----END RSA PRIVATE KEY-----

    your cert:
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

    intermediate certificate:
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Key conversion
Whether under Linux or Windows, use the PVK tool to convert your key to .pvk format:
pvk.exe -topvk -nocrypt -in your_priv_key.pem -out 443.pvk

Intermediate file preparation
You have to rename the intermediate cert file into the proper form.
First, check the fingerprint of the cert:

openssl x509 -fingerprint -noout -in intermediate_cert_file.pem | awk -F= '{gsub(":","") ; print $2}'

That will give you something like this:
Now, rename int_cer_file.pem to tbp-F691FC87EFB3135354225A10E127E911D1C7F8CF.cer
Use the proper hex string you got earlier, of course.

File structure

  • Create (if it does not exist) App_Runtime/etc/.mono/httplistener in your ScreenConnect directory
  • Rename your cert file to 443.cer and put it in httplistener
  • Also put the 443.pvk file created earlier there
  • The thumbprint file (tbp-(40-characters-hex-string).cer) goes to App_Runtime/etc/.mono/certs/CA

As you probably know, you must change WebServerListenUri in the web.config file to something like this:
<add key="WebServerListenUri" value="https://+:443/" />

Restart the ScreenConnect service
and that will do the trick.

Go to http://www.sslshopper.com/ssl-checker.html and look for errors.
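
A preflight check for the file layout in the tutorial above, added here as an example; it is not part of the original post or of ScreenConnect's own tooling. The function names and the script name are hypothetical, and it assumes PEM-encoded .cer files and OpenSSL 1.1.0 or later (for `-partial_chain` and `-no-CApath`).

```shell
#!/bin/sh
# Added example: preflight check for the Mono httplistener layout from the
# tutorial. Assumes PEM-encoded .cer files and an openssl binary on PATH.

# Print a PEM certificate's SHA-1 thumbprint as 40 uppercase hex digits
# (the same value the tutorial's openssl | awk pipeline yields).
cert_thumbprint() {
    openssl x509 -fingerprint -sha1 -noout -in "$1" |
        awk -F= '{gsub(":", ""); print toupper($2)}'
}

# check_mono_tls_layout SC_DIR PORT
# Prints each problem found; returns 0 only if the layout is complete.
check_mono_tls_layout() {
    sc_dir=$1 port=$2 rc=0 issuer_found=no
    listener="$sc_dir/App_Runtime/etc/.mono/httplistener"
    ca_dir="$sc_dir/App_Runtime/etc/.mono/certs/CA"
    cert="$listener/$port.cer" key="$listener/$port.pvk"

    [ -s "$cert" ] || { echo "missing or empty: $cert"; return 1; }
    [ -s "$key" ] || { echo "missing or empty: $key"; rc=1; }
    # -nocrypt leaves the key unencrypted on disk, so flag a world-readable file.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "world-readable private key: $key"; rc=1
    fi

    for ca in "$ca_dir"/tbp-*.cer; do
        [ -e "$ca" ] || continue    # glob matched nothing
        want="tbp-$(cert_thumbprint "$ca").cer"
        if [ "$(basename "$ca")" != "$want" ]; then
            echo "misnamed: $ca (thumbprint says $want)"; rc=1; continue
        fi
        # Treat this file as the trust anchor: did it issue the listener cert?
        if openssl verify -partial_chain -no-CApath -CAfile "$ca" "$cert" \
            >/dev/null 2>&1; then
            issuer_found=yes
        fi
    done
    [ "$issuer_found" = yes ] || { echo "no issuer of $cert in $ca_dir"; rc=1; }
    return "$rc"
}

# Run directly as: sh check.sh /opt/screenconnect 443
if [ "$#" -eq 2 ]; then check_mono_tls_layout "$1" "$2"; fi
```

A misnamed tbp- file or a missing issuer is the same class of chain problem discussed earlier in the thread, so running this before restarting the service catches it without needing an external checker.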
